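---
# Ansible tasks that serve git over HTTP: cgit (web UI) and git-http-backend,
# each installed as a systemd socket + service pair and fronted by Nginx.
# The handlers referenced via `notify` (Stop cgit, Restart cgit,
# Stop git-http-backend, Restart git-http-backend, systemctl daemon-reload,
# Restart Nginx) are defined elsewhere in the role.
# Module arguments are written as native YAML mappings (not key=value strings)
# so file modes stay quoted strings and booleans are real booleans.

- name: Install cgit
  apt:
    name: "{{ packages }}"
  vars:
    packages:
      - cgit
      - highlight
      - fcgiwrap

# The distribution's fcgiwrap socket/service are stopped; cgit is served
# through the dedicated units installed further down instead.
- name: Stop and disable fcgiwrap socket
  service:
    name: fcgiwrap.socket
    state: stopped
    enabled: false

- name: Stop fcgiwrap service
  service:
    name: fcgiwrap.service
    state: stopped

- name: Configure cgit
  copy:
    src: etc/cgitrc
    dest: /etc/cgitrc
    owner: root
    group: root
    mode: "0644"
  notify:
    - Stop cgit

- name: Copy /usr/lib/cgit/filters/syntax-highlighting2.sh
  copy:
    src: usr/lib/cgit/filters/syntax-highlighting2.sh
    dest: /usr/lib/cgit/filters/syntax-highlighting2.sh
    owner: root
    group: root
    mode: "0755"
  notify:
    - Stop cgit

# Dedicated unprivileged account for cgit: system account, no home directory,
# no login shell, and a locked password field ("!" is not a valid hash, so
# password authentication can never succeed).
- name: Create '_cgit' user
  user:
    name: _cgit
    system: true
    group: nogroup
    home: /nonexistent
    shell: /usr/sbin/nologin
    password: "!"
    state: present
  notify:
    - Stop cgit

# Make it sticky: `dpkg-statoverride --add _cgit nogroup 0700 /var/cache/cgit`
- name: Create cache directory /var/cache/cgit
  file:
    path: /var/cache/cgit
    state: directory
    owner: _cgit
    group: nogroup
    mode: "0700"

- name: Copy cgit service unit
  copy:
    src: etc/systemd/system/cgit.service
    dest: /etc/systemd/system/cgit.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - systemctl daemon-reload
    - Stop cgit

- name: Copy cgit socket unit
  copy:
    src: etc/systemd/system/cgit.socket
    dest: /etc/systemd/system/cgit.socket
    owner: root
    group: root
    mode: "0644"
  notify:
    - systemctl daemon-reload
    - Restart cgit

# Socket activation: only the .socket unit is enabled at boot, the .service
# is started on demand by systemd.
- name: Disable cgit service
  service:
    name: cgit.service
    enabled: false

- name: Start cgit socket
  service:
    name: cgit.socket
    state: started
    enabled: true

# Run the queued daemon-reload / stop / restart handlers now, before the
# next unit pair is installed.
- meta: flush_handlers

- name: Copy git-http-backend service unit
  copy:
    src: etc/systemd/system/git-http-backend.service
    dest: /etc/systemd/system/git-http-backend.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - systemctl daemon-reload
    - Stop git-http-backend

- name: Copy git-http-backend socket unit
  copy:
    src: etc/systemd/system/git-http-backend.socket
    dest: /etc/systemd/system/git-http-backend.socket
    owner: root
    group: root
    mode: "0644"
  notify:
    - systemctl daemon-reload
    - Restart git-http-backend

# Same socket-activation layout as for cgit above.
- name: Disable git-http-backend service
  service:
    name: git-http-backend.service
    enabled: false

- name: Start git-http-backend socket
  service:
    name: git-http-backend.socket
    state: started
    enabled: true

- meta: flush_handlers

- name: Copy /etc/nginx/sites-available/git
  copy:
    src: etc/nginx/sites-available/git
    dest: /etc/nginx/sites-available/git
    owner: root
    group: root
    mode: "0644"
  register: r1
  notify:
    - Restart Nginx

- name: Create /etc/nginx/sites-enabled/git
  file:
    src: ../sites-available/git
    dest: /etc/nginx/sites-enabled/git
    owner: root
    group: root
    state: link
    force: true
  register: r2
  notify:
    - Restart Nginx

# never modify the pinned pubkeys as we don't want to lock out our users
# NOTE(review): `validate: /bin/false` always fails, so the template module
# refuses to write this snippet whenever its rendered content would differ
# from what is on disk — confirm that is the intended guard and that the
# file is seeded some other way on a fresh host.
- name: Copy HPKP header snippet
  template:
    src: etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2
    dest: /etc/nginx/snippets/git.fripost.org.hpkp-hdr
    validate: /bin/false
    owner: root
    group: root
    mode: "0644"
  register: r3
  notify:
    - Restart Nginx

# Only make sure Nginx is running when none of the three tasks above changed
# anything; when they did, the notified "Restart Nginx" handler presumably
# brings it up on the next flush.
- name: Start Nginx
  service:
    name: nginx
    state: started
  when: not (r1.changed or r2.changed or r3.changed)

- meta: flush_handlers

# Ensure we don't fetch private data: the task runs without privilege
# escalation and `openssl x509 -noout -pubkey` emits only the public key
# from the certificate, never the private key.
# `fetch_cmd` appears to be a project-local module; its arguments are passed
# as the same cmd/stdin/dest mapping the key=value form produced.
- name: Fetch Nginx's X.509 certificate
  become: false
  fetch_cmd:
    cmd: openssl x509 -noout -pubkey
    stdin: /etc/nginx/ssl/git.fripost.org.pem
    dest: certs/public/git.fripost.org.pub
  tags:
    - genkey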