Diffstat (limited to 'roles')
-rw-r--r--roles/apache/tasks/ssl.yaml21
-rw-r--r--roles/cgit/defaults/main.yaml2
-rw-r--r--roles/cgit/files/cgit-assets/git.css2
-rw-r--r--roles/cgit/files/cgit-assets/highlight.css19
-rw-r--r--roles/cgit/files/cgit-assets/logo.pngbin0 -> 3224 bytes
-rw-r--r--roles/cgit/files/cgit.source.filter9
-rw-r--r--roles/cgit/meta/main.yaml3
-rw-r--r--roles/cgit/tasks/main.yaml70
-rw-r--r--roles/cgit/templates/cgitrc.j28
-rw-r--r--roles/cgit/templates/repocreate-plain.conf.j21
-rw-r--r--roles/cgit/templates/repocreate-ssl.conf.j218
-rw-r--r--roles/cgit/templates/server.conf.j219
-rw-r--r--roles/cgit/templates/ssl.conf.j220
-rw-r--r--roles/cgit/templates/vhost.conf.j29
-rw-r--r--roles/sublab_web/defaults/main.yaml2
-rw-r--r--roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/cert.pem22
-rw-r--r--roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/chain.pem22
-rw-r--r--roles/sublab_web/tasks/main.yaml23
18 files changed, 205 insertions, 65 deletions
diff --git a/roles/apache/tasks/ssl.yaml b/roles/apache/tasks/ssl.yaml
new file mode 100644
index 0000000..979d364
--- /dev/null
+++ b/roles/apache/tasks/ssl.yaml
@@ -0,0 +1,21 @@
+---
+- name: Create ssl DIR
+ file:
+ path=/etc/apache2/sites/{{ ssl_server_name }}/ssl
+ state=directory
+
+- name: Place SSL cert and chain
+ copy:
+ src=ssl/{{ ssl_server_name }}/{{item}}
+ dest=/etc/apache2/sites/{{ ssl_server_name }}/ssl/{{item}}
+ with_items:
+ - cert.pem
+ - chain.pem
+ notify: Reload apache
+
+- name: Place SSL key
+ copy:
+ content="{{ssl_keys[ssl_server_name]}}"
+ dest="/etc/apache2/sites/{{ssl_server_name}}/ssl/key.pem"
+ mode=0600
+ notify: Reload apache
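Review bot: The `Place SSL key` task writes private-key material through `content=` without `no_log: true` and without an explicit owner, so the key can surface in verbose or `--diff` run output and its ownership depends on the user the play runs as. I would add `no_log: true` to that task and `owner=root group=root` next to `mode=0600`. `Create ssl DIR` also sets no mode; `mode=0700` there would keep the directory private, assuming Apache reads the key as root at start-up. How the relative `src=ssl/{{ ssl_server_name }}/{{item}}` resolves appears to depend on which role includes this file, and this commit deletes the only cert.pem/chain.pem visible in the diffstat, so it is worth confirming that each caller still ships those files.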
diff --git a/roles/cgit/defaults/main.yaml b/roles/cgit/defaults/main.yaml
new file mode 100644
index 0000000..28da704
--- /dev/null
+++ b/roles/cgit/defaults/main.yaml
@@ -0,0 +1,2 @@
+---
+git_server_name: "{{inventory_hostname}}"
diff --git a/roles/cgit/files/cgit-assets/git.css b/roles/cgit/files/cgit-assets/git.css
new file mode 100644
index 0000000..ed2ecd8
--- /dev/null
+++ b/roles/cgit/files/cgit-assets/git.css
@@ -0,0 +1,2 @@
+@import "cgit.css";
+@import "highlight.css";
diff --git a/roles/cgit/files/cgit-assets/highlight.css b/roles/cgit/files/cgit-assets/highlight.css
new file mode 100644
index 0000000..99af709
--- /dev/null
+++ b/roles/cgit/files/cgit-assets/highlight.css
@@ -0,0 +1,19 @@
+/* Style definition file generated by highlight 3.6, http://www.andre-simon.de/ */
+
+/* Highlighting theme: vim earendel */
+
+/* body.hl { background-color:#ffffff; } */
+pre.hl { color:#000000; background-color:#ffffff; font-size:10pt; font-family:'Courier New';}
+.hl.num { color:#a8660d; }
+.hl.esc { color:#a80d9e; }
+.hl.str { color:#a8660d; }
+.hl.pps { color:#a8660d; }
+.hl.slc { color:#558817; }
+.hl.com { color:#558817; }
+.hl.ppc { color:#0da818; }
+.hl.opt { color:#000000; }
+.hl.lin { color:#006666; }
+.hl.kwa { color:#2239a8; font-weight:bold; }
+.hl.kwb { color:#8c1d69; font-weight:bold; }
+.hl.kwc { color:#a89222; font-weight:bold; }
+.hl.kwd { color:#a8227b; }
diff --git a/roles/cgit/files/cgit-assets/logo.png b/roles/cgit/files/cgit-assets/logo.png
new file mode 100644
index 0000000..af1814f
--- /dev/null
+++ b/roles/cgit/files/cgit-assets/logo.png
Binary files differ
diff --git a/roles/cgit/files/cgit.source.filter b/roles/cgit/files/cgit.source.filter
new file mode 100644
index 0000000..f5c8e88
--- /dev/null
+++ b/roles/cgit/files/cgit.source.filter
@@ -0,0 +1,9 @@
+#!/bin/sh
+# store filename and extension in local vars
+BASENAME="$1"
+EXTENSION="${BASENAME##*.}"
+
+# map Makefile and Makefile.* to .mk
+[ "${BASENAME%%.*}" = "Makefile" ] && EXTENSION=mk
+
+exec highlight --force -f -S "$EXTENSION" 2>/tmp/cgit.filter
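Review bot: The `exec highlight` line redirects stderr to the fixed path `/tmp/cgit.filter`, a predictable name in a world-writable directory that the CGI user opens for writing on every source view. Another local account can create that name first, so the write may land on a file the author did not intend, and concurrent requests overwrite each other's diagnostics. I would use `2>/dev/null`, or a log file in a directory that only the CGI user can write to. Separately, a file name without a dot leaves `EXTENSION` equal to the whole basename, which `--force` presumably tolerates; a one-line comment saying so would help.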
diff --git a/roles/cgit/meta/main.yaml b/roles/cgit/meta/main.yaml
new file mode 100644
index 0000000..0e24889
--- /dev/null
+++ b/roles/cgit/meta/main.yaml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: apache
diff --git a/roles/cgit/tasks/main.yaml b/roles/cgit/tasks/main.yaml
new file mode 100644
index 0000000..cc18696
--- /dev/null
+++ b/roles/cgit/tasks/main.yaml
@@ -0,0 +1,70 @@
+---
+- name: Install cgit package and depencies
+ apt: name={{item}} state=present
+ with_items:
+ - cgit
+ - highlight
+
+- name: Install cgit highlighting script
+ copy:
+ src=cgit.source.filter
+ dest=/etc/cgit.source.filter
+ mode=0755
+
+- name: Create cgit assets dir
+ file:
+ name=/var/www/{{ git_server_name }}/static
+ recurse=yes
+ state=directory
+
+- name: Put cgit assets
+ copy:
+ src="cgit-assets/{{item}}"
+ dest="/var/www/{{ git_server_name }}/static/{{item}}"
+ with_items:
+ - git.css
+ - highlight.css
+ - logo.png
+
+- name: Symlink cgit css
+ file:
+ name="/var/www/{{git_server_name}}/static/cgit.css"
+ state=link
+ src=../../../../usr/share/cgit/cgit.css
+
+- name: Symlink robots.txt
+ file:
+ name="/var/www/{{git_server_name}}/robots.txt"
+ state=link
+ src=../../../usr/share/cgit/robots.txt
+
+- name: Put cgit configuration
+ template:
+ src=cgitrc.j2
+ dest=/etc/cgitrc
+
+- name: Put apache config
+ template:
+ src=vhost.conf.j2
+ dest=/etc/apache2/sites-enabled/cgit.conf
+
+- name: Create config snippet dir
+ file:
+ name=/etc/apache2/sites/{{ git_server_name }}
+ recurse=yes
+ state=directory
+
+- name: Place config snippets
+ template:
+ dest=/etc/apache2/sites/{{ git_server_name }}/{{ item }}
+ src={{ item }}.j2
+ with_items:
+ - repocreate-plain.conf
+ - repocreate-ssl.conf
+ - server.conf
+ - ssl.conf
+ notify: Reload apache
+
+- include: ../../apache/tasks/ssl.yaml
+ vars:
+ ssl_server_name: "{{git_server_name}}"
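Review bot: `Put apache config` writes `/etc/apache2/sites-enabled/cgit.conf` but has no `notify: Reload apache`, unlike `Place config snippets`, so a change to the vhost template alone is not applied until some other task triggers a reload. Add `notify: Reload apache` to that task. The `template` and `copy` tasks here also set no `owner` or `mode`, so the rendered files get default permissions. That matters for `repocreate-ssl.conf`, whose template references an LDAP bind password, so `mode=0640` on `Place config snippets` would be a safer default.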
diff --git a/roles/cgit/templates/cgitrc.j2 b/roles/cgit/templates/cgitrc.j2
new file mode 100644
index 0000000..bfca774
--- /dev/null
+++ b/roles/cgit/templates/cgitrc.j2
@@ -0,0 +1,8 @@
+css=/static/git.css
+logo=/static/logo.png
+virtual-root=/
+root-title=sublab.org repo hosting
+root-desc=harbouring chaos
+enable-index-owner=0
+clone-prefix=git://{{ git_server_name }} git+ssh://git@{{ git_server_name }}
+source-filter=/etc/cgit.source.filter
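Review bot: `clone-prefix` lists `git://{{ git_server_name }}` as the only anonymous clone URL, and that transport has no encryption or server authentication, even though this commit also sets up an HTTPS vhost for the same name. If cgit's HTTP clone support is enabled on this host, listing the HTTPS URL first would give anonymous users an integrity-protected option, e.g. `clone-prefix=https://{{ git_server_name }} git://{{ git_server_name }} git+ssh://git@{{ git_server_name }}`.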
diff --git a/roles/cgit/templates/repocreate-plain.conf.j2 b/roles/cgit/templates/repocreate-plain.conf.j2
new file mode 100644
index 0000000..e3fbc35
--- /dev/null
+++ b/roles/cgit/templates/repocreate-plain.conf.j2
@@ -0,0 +1 @@
+RedirectMatch permanent ^/(create(/?|/.*))$ https://{{ git_server_name }}/$1
diff --git a/roles/cgit/templates/repocreate-ssl.conf.j2 b/roles/cgit/templates/repocreate-ssl.conf.j2
new file mode 100644
index 0000000..c9014be
--- /dev/null
+++ b/roles/cgit/templates/repocreate-ssl.conf.j2
@@ -0,0 +1,18 @@
+#Alias /create /var/www/git.sublab.org/htdocs/create
+#ProxyPass /create/api http://127.0.0.1:8023/
+#
+#<Location /create>
+# Options -Indexes -ExecCGI
+# Allow from *
+#
+# AuthType basic
+# AuthBasicProvider ldap
+# AuthName "LDAP Login"
+# AuthLDAPBindDN "cn=apache-{{ ansible_nodename }},ou=service,dc=sublab,dc=org"
+# AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}"
+# AuthLDAPURL "{{ ldap_url }}/ou=people,dc=sublab,dc=org"
+# # AuthzLDAPAuthoritative on
+# # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org
+# Require valid-user
+#</Location>
+#LDAPTrustedMode TLS
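Review bot: Every line of this template is an Apache comment, but Jinja2 still evaluates `{{ ldap_credentials["apache-" + ansible_nodename] }}` inside `#` comments, so the rendered `repocreate-ssl.conf` would contain the LDAP bind password in clear text. The task that places the file sets no file mode. Rendering is also likely to fail on any host where `ldap_credentials` or `ldap_url` is undefined. Wrap the disabled block in a Jinja comment (`{#` … `#}`) or leave it out until the feature is enabled. When it is re-enabled, note that `Allow from *` is 2.2-style access control, while server.conf in this commit uses `Require all granted`.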
diff --git a/roles/cgit/templates/server.conf.j2 b/roles/cgit/templates/server.conf.j2
new file mode 100644
index 0000000..bd9de27
--- /dev/null
+++ b/roles/cgit/templates/server.conf.j2
@@ -0,0 +1,19 @@
+ServerAdmin nobody-wolpertinger@nowhere.ws
+ServerName {{ git_server_name }}
+
+# Serve static cgit files directly
+Alias /static /var/www/{{ git_server_name }}/static
+Alias /robots.txt /var/www/{{ git_server_name }}/robots.txt
+<Directory /var/www/{{ git_server_name }}>
+ AllowOverride None
+ Options FollowSymlinks
+ Require all granted
+</Directory>
+
+# Dispatch other requests to CGI
+ScriptAlias / "/usr/lib/cgit/cgit.cgi/"
+<Directory /usr/lib/cgit>
+ AllowOverride None
+ Options ExecCGI FollowSymlinks
+ Require all granted
+</Directory>
diff --git a/roles/cgit/templates/ssl.conf.j2 b/roles/cgit/templates/ssl.conf.j2
new file mode 100644
index 0000000..c6b8fe3
--- /dev/null
+++ b/roles/cgit/templates/ssl.conf.j2
@@ -0,0 +1,20 @@
+SSLEngine On
+
+SSLCertificateChainFile /etc/apache2/sites/{{ git_server_name }}/ssl/chain.pem
+SSLCertificateFile /etc/apache2/sites/{{ git_server_name }}/ssl/cert.pem
+SSLCertificateKeyFile /etc/apache2/sites/{{ git_server_name }}/ssl/key.pem
+
+SSLEngine On
+SSLHonorCipherOrder on
+SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv3 -SSLv2
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+SSLCompression off
+
+#Header always set Strict-Transport-Security "max-age=15984000"
+
+SSLOptions StdEnvVars
+
+BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
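Review bot: `SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv3 -SSLv2` keeps TLS 1.0 and 1.1 enabled, and because every token carries a `+`/`-` prefix the line only adjusts the inherited protocol set instead of defining one. I would state the set explicitly with `SSLProtocol -all +TLSv1.2` (plus `+TLSv1.3` where the installed mod_ssl supports it) and trim the CBC/SHA-1 suites from `SSLCipherSuite` to match. `SSLEngine On` appears twice. The `Strict-Transport-Security` header is commented out while the port-80 vhost in this commit still serves the full site, so clients are never steered to HTTPS; a short comment explaining why HSTS is disabled would help.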
diff --git a/roles/cgit/templates/vhost.conf.j2 b/roles/cgit/templates/vhost.conf.j2
new file mode 100644
index 0000000..b3e2149
--- /dev/null
+++ b/roles/cgit/templates/vhost.conf.j2
@@ -0,0 +1,9 @@
+<VirtualHost *:80>
+ Include sites/{{ git_server_name }}/repocreate-plain.conf
+ Include sites/{{ git_server_name }}/server.conf
+</VirtualHost>
+<VirtualHost *:443>
+ Include sites/{{ git_server_name }}/ssl.conf
+ Include sites/{{ git_server_name }}/repocreate-ssl.conf
+ Include sites/{{ git_server_name }}/server.conf
+</VirtualHost>
diff --git a/roles/sublab_web/defaults/main.yaml b/roles/sublab_web/defaults/main.yaml
index 367f47c..55f5b5f 100644
--- a/roles/sublab_web/defaults/main.yaml
+++ b/roles/sublab_web/defaults/main.yaml
@@ -1,2 +1,2 @@
---
-sublab_web_server_name: "sublab.org"
+sublab_web_server_name: "{{inventory_hostname}}"
diff --git a/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/cert.pem b/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/cert.pem
deleted file mode 100644
index 48ccadc..0000000
--- a/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/cert.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIJAKF4UGTy4i2cMA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNV
-BAYTAkRFMQ8wDQYDVQQIDAZTYXhvbnkxEDAOBgNVBAcMB0xlaXB6aWcxDzANBgNV
-BAoMBnN1YmxhYjEPMA0GA1UECwwGc3VibGFiMSAwHgYDVQQDDBd3b2xwZXJ0aW5n
-ZXIubm93aGVyZS53czAeFw0xNTA4MjYyMDU5MzdaFw0xNzA4MjUyMDU5MzdaMHQx
-CzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZTYXhvbnkxEDAOBgNVBAcMB0xlaXB6aWcx
-DzANBgNVBAoMBnN1YmxhYjEPMA0GA1UECwwGc3VibGFiMSAwHgYDVQQDDBd3b2xw
-ZXJ0aW5nZXIubm93aGVyZS53czCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBALWJeHqWcnGyiLZQSIxETvxxkZCwrgL4bUCj/iS/YXWHb/9fRw3NsDCz5P1G
-AZKqmn4oJmahMMWCJ1Ro37Ms/7MsShneUodcz13tIGuBI7RAcS0U8KK7JZ/x5wqv
-/1qDNUcTJGNCzYroKnNlMR6Y1ri8dRcBxYneNDAgYB2VbQI3+POuR4Ma89NyjsxD
-lSeA5JzpMD3fBF+BauqV0WoXNdOYV37vWG3nzmuy3qwfk00CP/nF+zkVBlG0sqw/
-vgfcv6yz71RdvfOD+NJCBUiWvoLCZCSKEByc91BOs5iObOWA98/cU8YyFzmPGOY5
-b8dOAJyhZKXVzPnFe2etlhBlNbUCAwEAAaNQME4wHQYDVR0OBBYEFHPz9TLW5CVt
-DobXXWgX/qP5fhFaMB8GA1UdIwQYMBaAFHPz9TLW5CVtDobXXWgX/qP5fhFaMAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACSfz+XaYljMACvKFho7ifH5
-K3qhh+2i4Q9qS+G4mHcoGQP/rMGJE1Uv77mO0W072RSWp8Sc0xUS5Hlir6XZ3LXK
-oqfI0541GbksvwM5e2bKyBEcdoClcJt6J7uI5EWjOldXsQpLT1c0OaeHa/kGJ2pU
-nS9DzgdUPg7pRxLVE8+OH6UWb5V2BGqMXhV9ZF4iO1QBCRJpHcEp0pk2dSRD6Wdl
-aVcLI8Up70iy9SRA+iucJc9TqwyilDUE1bqo3eHsr2Nj+YNi3ZjrzjuB/LL8qr7G
-ePiXaq/uPASzCltwNLzKSEwwdndq8fYygsSS2m1zfzeuLXMH4VhL3F7bkCB9rsw=
------END CERTIFICATE-----
diff --git a/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/chain.pem b/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/chain.pem
deleted file mode 100644
index 48ccadc..0000000
--- a/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/chain.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIJAKF4UGTy4i2cMA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNV
-BAYTAkRFMQ8wDQYDVQQIDAZTYXhvbnkxEDAOBgNVBAcMB0xlaXB6aWcxDzANBgNV
-BAoMBnN1YmxhYjEPMA0GA1UECwwGc3VibGFiMSAwHgYDVQQDDBd3b2xwZXJ0aW5n
-ZXIubm93aGVyZS53czAeFw0xNTA4MjYyMDU5MzdaFw0xNzA4MjUyMDU5MzdaMHQx
-CzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZTYXhvbnkxEDAOBgNVBAcMB0xlaXB6aWcx
-DzANBgNVBAoMBnN1YmxhYjEPMA0GA1UECwwGc3VibGFiMSAwHgYDVQQDDBd3b2xw
-ZXJ0aW5nZXIubm93aGVyZS53czCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBALWJeHqWcnGyiLZQSIxETvxxkZCwrgL4bUCj/iS/YXWHb/9fRw3NsDCz5P1G
-AZKqmn4oJmahMMWCJ1Ro37Ms/7MsShneUodcz13tIGuBI7RAcS0U8KK7JZ/x5wqv
-/1qDNUcTJGNCzYroKnNlMR6Y1ri8dRcBxYneNDAgYB2VbQI3+POuR4Ma89NyjsxD
-lSeA5JzpMD3fBF+BauqV0WoXNdOYV37vWG3nzmuy3qwfk00CP/nF+zkVBlG0sqw/
-vgfcv6yz71RdvfOD+NJCBUiWvoLCZCSKEByc91BOs5iObOWA98/cU8YyFzmPGOY5
-b8dOAJyhZKXVzPnFe2etlhBlNbUCAwEAAaNQME4wHQYDVR0OBBYEFHPz9TLW5CVt
-DobXXWgX/qP5fhFaMB8GA1UdIwQYMBaAFHPz9TLW5CVtDobXXWgX/qP5fhFaMAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACSfz+XaYljMACvKFho7ifH5
-K3qhh+2i4Q9qS+G4mHcoGQP/rMGJE1Uv77mO0W072RSWp8Sc0xUS5Hlir6XZ3LXK
-oqfI0541GbksvwM5e2bKyBEcdoClcJt6J7uI5EWjOldXsQpLT1c0OaeHa/kGJ2pU
-nS9DzgdUPg7pRxLVE8+OH6UWb5V2BGqMXhV9ZF4iO1QBCRJpHcEp0pk2dSRD6Wdl
-aVcLI8Up70iy9SRA+iucJc9TqwyilDUE1bqo3eHsr2Nj+YNi3ZjrzjuB/LL8qr7G
-ePiXaq/uPASzCltwNLzKSEwwdndq8fYygsSS2m1zfzeuLXMH4VhL3F7bkCB9rsw=
------END CERTIFICATE-----
diff --git a/roles/sublab_web/tasks/main.yaml b/roles/sublab_web/tasks/main.yaml
index 50a2585..0aab602 100644
--- a/roles/sublab_web/tasks/main.yaml
+++ b/roles/sublab_web/tasks/main.yaml
@@ -31,26 +31,9 @@
- wiki.conf
notify: Reload apache
-- name: Create SSL DIR
- file:
- path=/etc/apache2/sites/{{ sublab_web_server_name }}/ssl
- state=directory
-
-- name: Place SSL cert and chain
- copy:
- src=ssl/{{ sublab_web_server_name }}/{{item}}
- dest=/etc/apache2/sites/{{ sublab_web_server_name }}/ssl/{{item}}
- with_items:
- - cert.pem
- - chain.pem
- notify: Reload apache
-
-- name: Place SSL key
- copy:
- content="{{ssl_keys[sublab_web_server_name]}}"
- dest="/etc/apache2/sites/{{sublab_web_server_name}}/ssl/key.pem"
- mode=0600
- notify: Reload apache
+- include: ../../apache/tasks/ssl.yaml
+ vars:
+ ssl_server_name: "{{sublab_web_server_name}}"
- name: Create Website group
group: name=sublab_web