From f38450f9f2037244300082f3e4211b790ac87058 Mon Sep 17 00:00:00 2001 
From: Christian Franke Date: Mon, 26 Oct 2015 20:38:25 +0100 Subject: Assorted changes - add hooks between webserver and gitserver: git->website and wiki->git work now, git->wiki is still missing, https://ikiwiki.info/tips/Hosting_Ikiwiki_and_master_git_repository_on_different_machines/ should contain the right info for that - actually configure repo_service - replace LDAP auth with dummy password auth for now --- roles/cgit/files/htpasswd | 1 + roles/cgit/tasks/main.yaml | 4 + roles/cgit/templates/repocreate-ssl.conf.j2 | 21 +++- roles/git_server_rpc/tasks/main.yaml | 31 ++++++ .../templates/git_server_rpc.sudoers | 1 + roles/gitserver/tasks/as_gituser.yaml | 5 + roles/gitserver/tasks/main.yaml | 16 +++ .../templates/website-post-update-hook.j2 | 3 + roles/repo_service/defaults/main.yaml | 122 +++++++++++++++++++++ roles/repo_service/files/repo_service.service | 13 +++ roles/repo_service/handlers/main.yaml | 5 + roles/repo_service/meta/main.yaml | 4 + roles/repo_service/tasks/as_repo_service.yaml | 40 +++++++ roles/repo_service/tasks/main.yaml | 13 +++ roles/subdap/tasks/as_subdap.yaml | 2 +- roles/sublab_web/defaults/main.yaml | 116 +++++++++++++++++++- roles/sublab_web/files/htpasswd | 1 + roles/sublab_web/meta/main.yaml | 1 + roles/sublab_web/tasks/as_webuser.yaml | 2 +- roles/sublab_web/tasks/as_wikiuser.yaml | 29 ++++- roles/sublab_web/tasks/main.yaml | 4 + roles/sublab_web/templates/subdap-ssl.conf.j2 | 5 + roles/sublab_web/templates/website-rebuild.sh.j2 | 4 + roles/sublab_web/templates/wiki.conf.j2 | 23 ++-- vars/main.yaml | 1 + 25 files changed, 449 insertions(+), 18 deletions(-) create mode 100644 roles/cgit/files/htpasswd create mode 100644 roles/git_server_rpc/tasks/main.yaml create mode 100644 roles/git_server_rpc/templates/git_server_rpc.sudoers create mode 100644 roles/gitserver/templates/website-post-update-hook.j2 create mode 100644 roles/repo_service/defaults/main.yaml create mode 100644 roles/repo_service/files/repo_service.service create mode 
100644 roles/repo_service/handlers/main.yaml create mode 100644 roles/repo_service/meta/main.yaml create mode 100644 roles/sublab_web/files/htpasswd diff --git a/roles/cgit/files/htpasswd b/roles/cgit/files/htpasswd new file mode 100644 index 0000000..4ba5edb --- /dev/null +++ b/roles/cgit/files/htpasswd @@ -0,0 +1 @@ +webuser:$apr1$CTQ3rSnN$MTEV4h/Y.9HBT1Apjey1t0 diff --git a/roles/cgit/tasks/main.yaml b/roles/cgit/tasks/main.yaml index 8c7f92b..595e738 100644 --- a/roles/cgit/tasks/main.yaml +++ b/roles/cgit/tasks/main.yaml @@ -72,6 +72,10 @@ - ssl.conf notify: Reload apache +- name: Place reposervice htpasswd + copy: dest=/etc/apache2/sites/{{ git_server_name }}/htpasswd + src=htpasswd + - include: ../../apache/tasks/ssl.yaml vars: ssl_server_name: "{{git_server_name}}" diff --git a/roles/cgit/templates/repocreate-ssl.conf.j2 b/roles/cgit/templates/repocreate-ssl.conf.j2 index c9014be..b1dd553 100644 --- a/roles/cgit/templates/repocreate-ssl.conf.j2 +++ b/roles/cgit/templates/repocreate-ssl.conf.j2 @@ -1,9 +1,12 @@ -#Alias /create /var/www/git.sublab.org/htdocs/create -#ProxyPass /create/api http://127.0.0.1:8023/ +Alias /create /var/lib/repo_service/src/frontend +ProxyPass /create/api http://127.0.0.1:8023/ + + + Options -Indexes -ExecCGI + Allow from * + # -# -# Options -Indexes -ExecCGI -# Allow from * +# Disable LDAP auth for now :/ # # AuthType basic # AuthBasicProvider ldap @@ -14,5 +17,11 @@ # # AuthzLDAPAuthoritative on # # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org # Require valid-user -# + +# And use basic auth instead + AuthType basic + AuthName "Wiki Login" + AuthUserFile "/etc/apache2/sites/{{ git_server_name }}/htpasswd" + Require valid-user + #LDAPTrustedMode TLS diff --git a/roles/git_server_rpc/tasks/main.yaml b/roles/git_server_rpc/tasks/main.yaml new file mode 100644 index 0000000..a69e9e3 --- /dev/null +++ b/roles/git_server_rpc/tasks/main.yaml 
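Review bot: The `webuser` line added to `roles/cgit/files/htpasswd` is a shared credential committed in the clear, hashed with `$apr1$` (salted MD5), and the identical line is added again under `roles/sublab_web/files/htpasswd`, so one password gates both the wiki and the repository-creation frontend and now lives in repository history. The commit message presents this as a temporary replacement for LDAP, which is reasonable, but the file belongs in the vault alongside the other secrets this commit encrypts, and if the repository is ever shared the password should be treated as disclosed and rotated. When regenerating it, prefer `htpasswd -B` (bcrypt) over the default MD5 scheme, and consider separate users per service so a leaked wiki password does not also grant repository creation.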
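Review bot: The new `Place reposervice htpasswd` task copies the password file with no `owner`, `group` or `mode`, so it is created with the default umask (usually 0644) and every local account on the git server can read the hash. Apache only needs its run user to read it; `copy: dest=/etc/apache2/sites/{{ git_server_name }}/htpasswd src=htpasswd owner=root group=www-data mode=0640` (substitute the Apache group used on this host if it is not `www-data`) keeps it off other users. The file is read per request, so no `notify: Reload apache` is needed.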
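Review bot: The `AuthType basic` / `Require valid-user` block in `repocreate-ssl.conf.j2` sits inside a container whose opening tag is not reproduced in this rendering (presumably a `<Directory>` around the new `/var/lib/repo_service/src/frontend` alias); `<Directory>` applies to filesystem paths only, so it cannot cover `ProxyPass /create/api http://127.0.0.1:8023/`. Unless a `<Location /create/api>` or `<Proxy>` section with the same `Require valid-user` exists elsewhere in the vhost, the backend on port 8023 is reachable without a login while only the static frontend prompts for one; please confirm and add `<Location /create/api>` with the same auth directives if it is missing. Minor: the copied `AuthName "Wiki Login"` is misleading on the git host, and `LDAPTrustedMode TLS` is now left in place with no LDAP provider using it.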
@@ -0,0 +1,31 @@
+---
+- name: Create git_server_rpc user
+ user: name=git_server_rpc
+ home=/home/git_server_rpc
+
+- name: Create git_server_rpc ssh dir
+ file: path=/home/git_server_rpc/.ssh
+ owner=git_server_rpc
+ group=git_server_rpc
+ mode=0700
+ state=directory
+
+- name: Make sure sudo is installed
+ apt: name=sudo state=present update_cache=yes
+
+- name: Configure git_server_rpc sudo rights
+ template: dest=/etc/sudoers.d/git_server_rpc
+ mode=0440
+ src=git_server_rpc.sudoers
+
+- name: Read git user ssh-key
+ slurp: src=/var/lib/gitolite/.ssh/id_rsa.pub
+ register: git_server_key
+ delegate_to: "{{groups['gitservers'][0]}}"
+
+- name: Put pubkey from gitserver to authorized_keys
+ copy: dest=/home/git_server_rpc/.ssh/authorized_keys
+ content="{{git_server_key.content|b64decode}}"
+ owner=git_server_rpc
+ group=git_server_rpc
+ mode=0644
diff --git a/roles/git_server_rpc/templates/git_server_rpc.sudoers b/roles/git_server_rpc/templates/git_server_rpc.sudoers
new file mode 100644
index 0000000..bd84908
--- /dev/null
+++ b/roles/git_server_rpc/templates/git_server_rpc.sudoers
@@ -0,0 +1 @@
+git_server_rpc ALL=(ALL) NOPASSWD: /var/www/{{sublab_web_server_name}}/website-rebuild.sh
diff --git a/roles/gitserver/tasks/as_gituser.yaml b/roles/gitserver/tasks/as_gituser.yaml
index 69157fd..9c4b67c 100644
--- a/roles/gitserver/tasks/as_gituser.yaml
+++ b/roles/gitserver/tasks/as_gituser.yaml
@@ -11,3 +11,8 @@
 - name: Initialize gitolite and restore backup
 include: restore_gitolite.yaml
 when: not gitolite_dir.stat.exists
+
+- name: Put Post-update-hook for website
+ template: dest=/var/lib/gitolite/repositories/website.git/hooks/post-update
+ mode=0755
+ src=website-post-update-hook.j2
diff --git a/roles/gitserver/tasks/main.yaml b/roles/gitserver/tasks/main.yaml
index aca95f4..7143c64 100644
--- a/roles/gitserver/tasks/main.yaml
+++ b/roles/gitserver/tasks/main.yaml
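Review bot: The `authorized_keys` written by `Put pubkey from gitserver to authorized_keys` installs the gitolite user's key without restrictions, so whoever can read `/var/lib/gitolite/.ssh/id_rsa` (the `git` user, and therefore any gitolite hook) gets an interactive shell as `git_server_rpc` plus its sudo rule, not merely the rebuild. Prefix the key with a forced command and disable the extras, e.g. `content="command=\"sudo /var/www/{{sublab_web_server_name}}/website-rebuild.sh\",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty {{git_server_key.content|b64decode}}"`. `Create git_server_rpc user` could also pass `system=yes` since this is a service account, and note that the `slurp` with `delegate_to` only works once the gitserver role has generated the key (`generate_ssh_key=yes` in this same commit), so play ordering matters.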
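Review bot: The sudoers rule grants `git_server_rpc` root (`ALL=(ALL)`) for `website-rebuild.sh`, although the script's first action in this same commit (`website-rebuild.sh.j2`) is to re-exec itself as `sublab_web`; root is never required. Grant the target user directly, `git_server_rpc ALL=(sublab_web) NOPASSWD: /var/www/{{sublab_web_server_name}}/website-rebuild.sh`, and call it as `sudo -u sublab_web ...` from the hook. Because the rule names a script under `/var/www/{{sublab_web_server_name}}`, that file must be root-owned and not writable by `sublab_web` or the web server user — its ownership is not set anywhere visible in this commit, and a writable target would turn the rule into an escalation path.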
@@ -13,6 +13,20 @@ name=git group=git home="/var/lib/gitolite" + generate_ssh_key=yes + +- name: Get Webserver Hostkey + slurp: src=/etc/ssh/ssh_host_ecdsa_key.pub + register: webserver_host_key + delegate_to: "{{groups['webservers'][0]}}" + +- name: Put Webserver Hostkey into knownhosts + lineinfile: dest=/var/lib/gitolite/.ssh/known_hosts + create=yes + owner=git + group=git + mode=0644 + line="{{groups['webservers'][0]}} {{webserver_host_key.content|b64decode}}" - name: Make git dir world readable file: @@ -32,6 +46,8 @@ - name: Ensure correct permissions on cgitrc.repo_service file: name=/etc/cgitrc.repo_service + owner=repo_service + group=repo_service mode=0644 - name: Configure git-daemon diff --git a/roles/gitserver/templates/website-post-update-hook.j2 b/roles/gitserver/templates/website-post-update-hook.j2 new file mode 100644 index 0000000..bdc655e --- /dev/null +++ b/roles/gitserver/templates/website-post-update-hook.j2 @@ -0,0 +1,3 @@ +#!/bin/sh + +exec ssh git_server_rpc@{{groups['webservers'][0]}} sudo /var/www/{{sublab_web_server_name}}/website-rebuild.sh diff --git a/roles/repo_service/defaults/main.yaml b/roles/repo_service/defaults/main.yaml new file mode 100644 index 0000000..b297c97 --- /dev/null +++ b/roles/repo_service/defaults/main.yaml 
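Review bot: `Put Webserver Hostkey into knownhosts` uses `lineinfile` with only `line=`, so when the webserver's host key changes the stale entry stays and the new one is appended, and ssh then refuses the connection as a mismatch. Add `regexp="^{{groups['webservers'][0]}} "` so the entry is replaced in place. Pinning the ECDSA key via `slurp` is the right approach; it just needs to stay updatable.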
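Review bot: The hook runs `ssh` without `-o BatchMode=yes -o StrictHostKeyChecking=yes`; inside a post-update hook there is no tty, so a missing or mismatched known_hosts entry makes ssh fail quietly and the website is silently not rebuilt after a push. Use `exec ssh -o BatchMode=yes -o StrictHostKeyChecking=yes git_server_rpc@{{groups['webservers'][0]}} sudo /var/www/{{sublab_web_server_name}}/website-rebuild.sh` so the pusher sees a clear error. Also note the hook is written straight into `repositories/website.git/hooks/`, a directory gitolite manages; check gitolite's documentation on repo-specific hooks so the file is not dropped when gitolite re-syncs hooks.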
@@ -0,0 +1,122 @@ +$ANSIBLE_VAULT;1.1;AES256 +33356535393466363739663333613465616166363139663531323631303032396466303261333334 +3632393239333765313863353735313263366533623663300a393130376563646639383261633636 +31616332653035366630323465333431626663393434303430363935396561646433383739346433 +3862376663646564650a383866663436663761353139633838653738313134653366376466303761 +30353030663330356463653530643234346131306534623466373337623530666266636637393539 +38343065363765626561376265336330363563356231643138376337623863356265363837313739 +65366534356666393231366263386139656636316632313865343363646566633738393834616234 +37343838663035373336383566336161643965373235383835313332356237393735313735383965 +30336333633566383638623439323034383938353334386633643936623630306632353933376536 +36643630386666636330373439663361343635343334643230623232346337373336663635633236 +65326337643265666634653332653964383634666432663631386164393739336132303634633235 +33373065646662323066653233646339623237616531303131653833373764643233323331626138 +32613031613436393531343734363338383331376466376663326232343463396665306137353030 +35636632336537643965343034373966613539663533663233336537646665393430663666393862 +37333635653537363539346135613934373133333639316436646364396261313533333164396638 +34363639306666303231306331373034316263323136616235353635616134613437343561656536 +33313565623737326130396264636365613036613034383962373339336162643065666138636266 +38613438643665326331393933613636373066316432356661623434343865303161303634626139 +38343137353361656435336161316563613730346637646466373035366262643965613437613739 +39333932366163386537623961386133373738383035333838383233636136633238653939623739 +33393732363938353935663566313333303166616663326664306337356661373161633865393038 +63383762363334336136306461356466633738633531666666656232376236626332396330653533 +63373764613133353964333530366635626230666365303766333330306338666531623531326265 
+66633534616435623035666464656362626564356264356666353732353437323265363464643866 +64343564383432393461636563653435646530633566346434323966653232303335306333643535 +37303065666663376463613038656164366632366365623232353662383032613438353061336136 +34653939393363366263376433303163383461353232386134393236633136396437653637393134 +34393266303332326335343138393338626632353162393066666332303836326338323437313563 +61326338653631383637663065653730383330383031366266643066633363633533373161643032 +37666365313237386539376563336438356366666235376562303061313238353066383664396663 +31343065306433363165646139396162356365333831383537383332306536336461653631356234 +38643136316330333536346138303835326134656439613638356632363934373438383861653761 +35393333643364366133353465656664333232313635656634376536623532393130373839353262 +61393238613765303536613737383463323335343131313633646132323032366231323133613362 +64396361373533616535326664323865336333623935626261356235656566376163363932323935 +31316265356364666231353833353764353633613332386633396638613231336364343238303937 +35353037633031313438323336643636336230383762393434656562653038383761343461393462 +39303730643831326335376332313130653764393731393762376139623832373966366361646433 +38366633626239313666373035353261336132636537646163313164343064613534633230616565 +66323462633961356536353631383634326633373662613537376133306561333433303436363936 +66656364333732393666306362373665376430323133313333623462363362326461643062343163 +31356266336336313139393537346535616161366630653436343937306532386266353963386665 +39626165303462326137373637643264383163343638393837656631626533336633353339643762 +61313933616132633330333066313136383232353362383835623565373665383031393461383133 +35343335366437346466613338646239326161663533666431363231396130653531333331373334 +35663034663061323264373935313864353763366237316634383530326633376166303864313361 +33313061303666366132353839613932346336643131313364646435373639636634396437616362 
+62316566663963666166663435653962363661336364306631616633616534643330386466646462 +33303330356238626435353030326232353962326364613362336265353532656633316364613430 +36613632353132616138633962626533373734313539346333366564363533383432306534383133 +63636635613865313437643161316337633661303334393130633135306330663430346432326639 +38343931353631333031316235343132373030316431613537333165393635336333336433396537 +36363035623062336361363736663563363766623632366633336235353833333966626264363162 +61386535633661643161346135633434653634353363383865346636643030303233633132323432 +65383364303461356333363936313831393038663334326232333631333162336461376263303030 +64363464653830613266636137393433303632323737306261663736393435646332623638336436 +39666464323638616635363832623730633239323433326536366132306330346435366130326462 +35623238616438656164336464303636323664646235356638306466373939633637653063656430 +38626564343666356635643732336464663666616135356562303636373932613665336466383834 +64366130373436623933386138633533646536666238613162383364613565323761373433336166 +62393832326239303738363234383164643065316133396439653338376330373166643762613638 +62393132613336633935633464313736386664343433343233386131656266393264616533343636 +34306636366330386538346333326632343165346363613930393238663631323663393036383262 +35613637643664663730363631653336323534633062373434316538313366343432613162646435 +36643038323136386166656436303766626263353961383733643632613535383333346537303336 +35646265316239343363643065336232633362363031643963306539626666353434363838613632 +31613665346366356137646663643338653635306563616137663835666264636636643662396164 +38393066656666646634623638623662363338663930643231383330613036306631346338376234 +36373661626438636261656533653931636663613362623363616266656532616361366536363239 +38666135333763643137386433623039353837323532366336353731353636353366376431356634 +33646262313033373335306161626661633038333664613738353232663565373563636433373239 
+64393037386536653064303462653231383531643038366335306537393761616333393630303263 +34633131323861383938363461393065383766643532373761666233343436366366396333366533 +36366361346164666533626135653434366163373730353634633163636431323361383865323166 +63393562393236393063616564666637346165363634356161616662346534646638396163636262 +34396633323634326130353836386261333136636136393736396435626439646530313864396366 +66336435643462396663336232316164316331396634366533313130346264346365633263643032 +37666266323131386561393332626362333231316330313433333964343731386466383362656135 +63373064346464343366373333326638393365643634303238653363623730363635643866386436 +38306537356563363962666366623137623762396233366136346365623332636231636366626335 +65613934346662376338393537326532396661316263623062303662613266653930323132336236 +37323730353662343939343331373335346464626235666263663865653630333434303433363039 +30343561343130313831373835383665306435343232623330393439323334346262396439306534 +30636230653964613030613663656466316637643632336662343339323562613730346336393465 +63663261373538383063376534376165363162323333363937356265656366303432343137343836 +63373730373339663530663932643838333039396231323438353165666563313962623835623266 +34336436333836386435613862383962346435323463323735643562396463663664316537666631 +35373635303864643837366135373430353364663333356261363364353765633965356437623336 +30343435313962653662656537666630333330396631323162333133363963346564356237336462 +31346639363939633263633738623834643433393264303161346466303830353465626365313665 +35623933653963616136313437653339356239633166666238353039313066336138613362633930 +64616130363835386161653034623833323866363066313461313531643765353666363133376265 +31663462666433643464313632636263633939643636343133386632613237613866356530643561 +64356135613630303166633736333363366339663336336630643864393835623439306261666234 +33346335363935653032363436343464393636396430626366376235373263333433663035653263 
+38373036333237643261626335373436386439353538333337623139396433313963343634633262 +30383633386436343031323537383231336265333632633237303465373936396535343336386333 +38363261656639663064376234636266666334316532323462366430613632386234656438646436 +63613339343361663030316437383763616664626537306635303438356264373434656164366663 +37376366623865333133383361303365313962386338613733373164303235666132313265653535 +31343762366332353061396466633065643566323738393633393836306265346437373633373632 +33383637373336353362613733626237633164616538633963356132366164303933366533336538 +65663330353434616165393264373463613239343332616430666530636263656366643965366230 +31626630313462343235646533613366613931363039626633316231346565366637633136363131 +64323634663664636534376139653135303432386633373933346233333135336635353637653136 +36356435363466333561623063666466633238343136396565333331663662353334613265643063 +30626562393564633762336230646436356337306361623333653332346463663831383262323033 +65303766616636393336613762656562353163316231323739653936643962643864383864303730 +31626662656431623465663432386363666632613761653832636634323366353663656435313734 +33366434353764633330366565303538316566363463313266613464653133623163613533626237 +32393363303533346630333838313366313264636636343735326133653134373035363662616231 +30366535646362666535636564656661383138346632316539626666393164613938323033383936 +66643232313362333632313362643032373039346331343965393837323138303364316634663035 +30623761396564306564336662613238623365623866383339636662393735643666383231313366 +39336435383233306330346338643164663731366362646362363330343965653230653863643339 +66316462666435336334653432383161653563353532386662636364316666623331616135383737 +36313863666531313062643636643832616335356336393265323132303630303666656130356235 +61643165393134386438303136616665386265373534666136663563313035336432366162643661 +62316638646262376563633835643164376530643063373731373338363063353763656138663264 
+61313432363039316265323131336566663365376163323032663833636639363437396564666261
+30636537373534643931383738643864303661383736323639333062663539323464
diff --git a/roles/repo_service/files/repo_service.service b/roles/repo_service/files/repo_service.service
new file mode 100644
index 0000000..15c40ea
--- /dev/null
+++ b/roles/repo_service/files/repo_service.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=repository creation service
+After=network.target
+
+[Service]
+User=repo_service
+Group=repo_service
+WorkingDirectory=/var/lib/repo_service/src/backend
+ExecStart=/usr/bin/python /var/lib/repo_service/src/backend/repo_service.py
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/repo_service/handlers/main.yaml b/roles/repo_service/handlers/main.yaml
new file mode 100644
index 0000000..4ed34df
--- /dev/null
+++ b/roles/repo_service/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: Restart repo_service
+ service:
+ name: repo_service
+ state: restarted
diff --git a/roles/repo_service/meta/main.yaml b/roles/repo_service/meta/main.yaml
new file mode 100644
index 0000000..7947c74
--- /dev/null
+++ b/roles/repo_service/meta/main.yaml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: common
+ when: false
diff --git a/roles/repo_service/tasks/as_repo_service.yaml b/roles/repo_service/tasks/as_repo_service.yaml
index 6b364d8..b9a99ab 100644
--- a/roles/repo_service/tasks/as_repo_service.yaml
+++ b/roles/repo_service/tasks/as_repo_service.yaml
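Review bot: `roles/repo_service/defaults/main.yaml` is now entirely vault ciphertext, which is an awkward place for an SSH private key: role defaults have the lowest variable precedence, so any inventory, group or play variable named `repo_service_privkey` silently replaces the key, and encrypting the whole file hides even the variable names from `grep` and review. Keep `defaults/main.yaml` as readable non-secret defaults and move the key material to a vaulted `vars/main.yaml` in the role or a vaulted group_vars file; `as_repo_service.yaml` only reads `repo_service_privkey` and `repo_service_pubkey`, so nothing else changes.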
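Review bot: The unit executes `/var/lib/repo_service/src/backend/repo_service.py` out of a checkout that `as_repo_service.yaml` clones from GitHub with no pinned `version`, as the same user that holds an SSH key authorized against the git server, so every deploy runs whatever the upstream branch currently contains. Pin the clone to a commit and add the confinement that is safe for this service: `NoNewPrivileges=true` and `PrivateTmp=true` under `[Service]`. I would hold off on `ProtectSystem=full` because the gitserver role in this commit makes `/etc/cgitrc.repo_service` owned by `repo_service`, which suggests the service writes there.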
@@ -3,3 +3,43 @@ git: repo=https://github.com/cfra/repo_service.git dest=/var/lib/repo_service/src + notify: + - Restart repo_service + +- name: Create .ssh dir + file: + path="/var/lib/repo_service/.ssh" + state=directory + mode=0700 + +- name: Add repo_service ssh privkey + copy: + dest="/var/lib/repo_service/.ssh/id_rsa" + content="{{repo_service_privkey}}" + mode=0600 + +- name: Add repo_service ssh pubkey + copy: + dest="/var/lib/repo_service/.ssh/id_rsa.pub" + content="{{repo_service_pubkey}}" + mode=0644 + +- name: Read Gitserver Hostkey + slurp: src=/etc/ssh/ssh_host_ecdsa_key.pub + register: gitserver_host_key + +- name: Put Gitserver Hostkey into knownhosts + lineinfile: dest=/var/lib/repo_service/.ssh/known_hosts + create=yes + owner=repo_service + group=repo_service + mode=0644 + line="127.0.0.1 {{gitserver_host_key.content|b64decode}}" + +# Configure git +- name: Configure git push for repo service + command: git config --global push.default simple +- name: Configure git name + command: git config --global user.name "Repo Service {{ansible_hostname}}" +- name: + command: git config --global user.email "nobody@nowhere.ws" diff --git a/roles/repo_service/tasks/main.yaml b/roles/repo_service/tasks/main.yaml index b17319c..19139e0 100644 --- a/roles/repo_service/tasks/main.yaml +++ b/roles/repo_service/tasks/main.yaml @@ -12,3 +12,16 @@ become: yes become_user: repo_service become_method: su + +- name: Create systemd service + copy: + src=repo_service.service + dest=/etc/systemd/system/repo_service.service + notify: + - Reload systemd daemons + - Restart repo_service + +- name: Enable systemd service + service: + name: repo_service + enabled: yes diff --git a/roles/subdap/tasks/as_subdap.yaml b/roles/subdap/tasks/as_subdap.yaml index f0b9073..f51e098 100644 --- a/roles/subdap/tasks/as_subdap.yaml +++ b/roles/subdap/tasks/as_subdap.yaml 
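Review bot: The `Put Gitserver Hostkey into knownhosts` entry is keyed on `127.0.0.1` only, so the repo service must connect to exactly that address — `localhost` or the hostname will not match and the push will fail or be rejected by strict checking; worth confirming against the service's configuration. The three `git config --global` tasks run as bare `command`s, so they report `changed` on every run and are not idempotent; templating `~/.gitconfig` for the user, or adding `changed_when: false`, fixes that, and the third task has an empty `- name:`. The clone task gained a restart handler but still has no `version=`; pin it so a compromised or rewritten upstream branch is not deployed automatically.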
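Review bot: `Create systemd service` notifies `Reload systemd daemons`, but the handlers file added in this commit defines only `Restart repo_service`, and the role's only dependency (`common`) is declared with `when: false`. Please confirm that handler is actually reachable when this role runs on its own; otherwise the play fails at notification time or the unit is started from a stale daemon state. A `command: systemctl daemon-reload` handler in this role's `handlers/main.yaml` would make the role self-contained.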
@@ -2,7 +2,7 @@ - name: Clone subdap code git: dest=/var/subdap/src - repo=git://git.sublab.org/subdap + repo="git://{{ groups['gitservers'][0] }}/subdap" accept_hostkey=yes - name: Setup virtualenv for subdap diff --git a/roles/sublab_web/defaults/main.yaml b/roles/sublab_web/defaults/main.yaml index 55f5b5f..2122383 100644 --- a/roles/sublab_web/defaults/main.yaml +++ b/roles/sublab_web/defaults/main.yaml 
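Review bot: The subdap checkout is fetched over `git://`, which provides neither authentication nor integrity, so anyone able to spoof `{{ groups['gitservers'][0] }}` on the path can inject code that the subdap role then runs; `accept_hostkey=yes` has no effect on that protocol. The same applies to the website clone in `as_webuser.yaml` in this commit. Since the wiki clone already moved to `git+ssh://` with a deploy key, use the same transport here with a pinned host key, as the other roles do with `slurp` into `known_hosts`.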
@@ -1,2 +1,114 @@ ---- -sublab_web_server_name: "{{inventory_hostname}}" +$ANSIBLE_VAULT;1.1;AES256 +33643763303764333037643462663530636364373132666663353165383739636563393636346136 +6634613765343031363935363233663833373238346431360a316133303361313631373732643665 +37343631363437643663306537323039363835636135363537323063386566383832323933646535 +6163623431306139320a343161356565613665623834396465353530383265313565663962333131 +62363737633463303736313034373639383661373566386264303938353532393436366564316262 +64353137316639313464663230346663313639636365663434643637303336373836623865343633 +30623530383761636462326335363635386434313830393130613366386161333230383531646139 +37336631326137663332353930616665623265643835356433343137383334393961356664366366 +66396430396366383133613130616231306333636631376366633137356535373339373539383865 +34626561326331613831636362313563353264336466366161376634363236653638396632343930 +61363531333166336131323133613662373933393665316365633536333864623737616333363161 +63616433393437656438633636663635653433396330313730333437316337363839383935393561 +33343166616161626464623837643262653934643032653563653632653933343764336161356364 +30333261393134373062616561363762616262306661373264333762643039613966323539326233 +30386564316330633565393865663561323036356163313430616235386661373465383039663631 +31316461346339323263363830373438653430333830656332346437626436633333333864356461 +61363532636134306335363936316331663930626462353738656535613736373364626233656436 +38333535326631336165363263663565656537333363303638356632306430363563383031636661 +34346436366539306236653264383731393430313765376161613234633162376634656563316339 +62633832643738643733323165323262613466353332353661616634303037623935616235383233 +37653735633564373739656538633563393265316663303132623139663439613964613738346366 +35376131376537303038613135653938396133626338306137346331356463373361343065633431 +36616462386666656566346230303235393634666261316262663939306338393635333338346435 
+61393834623835393065366563323932653539623439626662633032306165636565393337313038 +37346237393435383232343236653836323666333838623132383537376230646666643338366564 +34306461663434626562303435313532613565643935356361616332383661306633356435653564 +62363332643639336430326161663663303038633364356237373265623433333062386135366161 +31633236373664383939393162326638316533663334366431393930333337626336353539393364 +64356366666366383962346138333436353232383563373332306339306532613532613337376335 +62383235373635316161656166616433633761626462316136613861643161313237316239353164 +30666637653039306431353737336635356532336662363361386538306563333432303461303235 +35316362643765353433306464393764313863303230656631323864363736653636356134373537 +31363339343137373536363134333761616133656339373263373866666333643262336331303838 +38633265366662643966616262653736626339393566343938646638323862333461393366623936 +66343964323137653238336661333039323334366135383837333038393336373332613937623633 +35383835643737306366623831653838323433353763653866393532623165633634366238383731 +37643930666462666434646336383631646135353436363161306335643064353730616462653537 +62303838323839333163653038303238353738336337363461396635373439333139376636353034 +62323832356538613664346239623533383564363264373464326433623065396239316334633332 +37336364363362343832633063626236666661303464303631653733393539386330656361346334 +36616131353336353062353934393234376633633138383332663130343230626536353465356264 +35356266646165303638663837656230373839396137646366636330323735366466623061333030 +37346162336538363130303839346561363336613266623738353065383263626433326433643937 +35656162636531363364313337666635333261343539636432333763653033363839356562653331 +32396536343630366538343764623561363461643431663861613139343965303664376631636432 +33306330373538383038373966343839383737326535333136316565623737373630323265326666 +30386533373637343538313734333361353766656536306638373633326236643038326432386563 
+30616437343465323531663737343833373336663366313839616238653065386137306434396232 +36383435623434353035313161363730306533386533366234626531306131613862343463613936 +66303664333434623932333764633063353236303364353166303036333439666630323137343365 +36663831633131383438336639353833613439623434613164613066653361613330366164336233 +63656139373630316639326561386233653634333564616432613063383930376232656264323363 +39353934386335373532623463663637346466393636346131356631343830343931663064326138 +31323236396162323335643036343936633332393966396662303530663535313366353061653831 +34613536333462646463326461643463396162393934666433376136373933363465643866643939 +66356135653038316137666264306666623464306664323530316334663236306262623338663262 +30313636623434646366356632643566376333353633653232643130666561643663386661663336 +62316366626261636534313962373832383661623937313864383031363032623761353139316637 +32323035653964623961363766383966643964653365316530393339363264363133663833396466 +33633834396565326634366364313062336630646666653537623066626137343537653031396630 +35666463633264376664623765666536663630613338356236373133336365316432353362633731 +34373531373764343064346562346461366436336433313764393964356665323337316435353932 +66633734323035313835366439343763336565303833623830366439333432663837373262643030 +61633039313565313761653466383066346231666333323662336132313165666531356637383031 +37313962313965623665313436306430376637666334626335643366653935313336323632636433 +36643863613764653161613432633436313535333436336565383932393034656231633031623564 +35633865666139336337336535663464303437636161323566633839643263396138376636623636 +39633636363133336430383962313765636463316532633238653366653637636561323064303466 +61356664313035643935383734623462386439393562626161383130656238343734636134653564 +35353430316133373433393235313261303434363364303563383839386137646465616464393366 +34323962373036646530313362383766316464336461343935333166303630653133333561316265 
+36366531326465323839633434656363383563343138373862666666653865376637333932343136 +62383439396231306133353833663738333462383766666337366566343136313731623437323530 +39306165636564336338616635666239346661373831386437663066343664326438313135616230 +63353062636133656566666364343630316564316233393664353938356434356332346631386163 +35663334356235346539393966616663303163323033653330343335323762353637333965366262 +39346136613635363831393734303832316234326536316165373235636531303562663762393766 +66376364323635623233666330663764616263366236393032393138643038353634316132663166 +37343163386164663233356237346561656665363638373835333763666537613939393434393364 +36353763306635353239346566613966343836336236653432313833393631616161303330656531 +36386264383234303135386137633166323438386435346337393032393865613038303264393435 +62363663343064336362623532383262373231616133396164643032653161646639613030623833 +61336436363666356236396533356666656463333536386335346330613263316636303561396433 +62653236393432376135663565633431656437333266343264323435653030363262633439633434 +34333931393465313831346434373837373138626538633262306464366634626234363963396165 +36663862626634626634623330643830646235323334636139633564646139353336653962366537 +33303764323034663630306265636136363838393630653731323137313964386463643563383662 +34393030326361373138356161303363383637343162646331326133336138313038326664623338 +65326466343131323538333661346538333338646433366365663637303832323265363939373434 +30623264373934313538646334633766363731663163633633386565336335653261663533363839 +65393638613430623938356131323837653739363066306566613065653330343064666163306563 +64356363653337343733343239336635643634303532353034353434333935336662386139643261 +33376365613065306566626135306235393938316337343464636333623165373931633038616133 +64636266393538663361353632303433616562393266346266613831346431306464666633383834 +37366330663561303164373937613064386566643164383433333539356534346136356339623265 
+63323431626264366431336435316562623735633131633033313335616231616663346231656363 +30393931376635393366376464366135626339663461306663353037376566616365343066386235 +39613236316663363639613630333939326231643135373362666432666535663630353033616235 +65616435316464326134623666313632373932636439653334366235656461623532613037393430 +35393537316264313963386334646539383038326664643064366430326261383335646638616238 +62653633633838643366323533666165353631666339323036373733333438663863306337306464 +39643337616431363164393433356264616132666665373464383966306135636634623064633166 +32316334363134323932663763366638373234356230333139393535353266373530343065623361 +62313363663233323132643163663163326639303436336165363132633766356237333638336162 +66323232366538656330336463663132323832343737386665353063323163323030643032313162 +30323039346337613834356361616237323166303430363638623863323238653630313630633331 +38643035363464313034626537653061633339613665363539323566663039633130303130376365 +30633665346463656133306465343463383832626562663638343365353338643937306161653762 +37363634343165383333656461396636353963323166383362663036633431373733313963303930 +38346663393431363330396433386462353332353634313336313436386465613830333632333234 +33346361396563616163356333653661613861623863346537313136343865323638313065656333 +66393236323339646633663433396166636537323232323238666635356464623031313139623432 +34656237366633646464306163373230383864316565663438343262343333393765 diff --git a/roles/sublab_web/files/htpasswd b/roles/sublab_web/files/htpasswd new file mode 100644 index 0000000..4ba5edb --- /dev/null +++ b/roles/sublab_web/files/htpasswd @@ -0,0 +1 @@ +webuser:$apr1$CTQ3rSnN$MTEV4h/Y.9HBT1Apjey1t0 diff --git a/roles/sublab_web/meta/main.yaml b/roles/sublab_web/meta/main.yaml index f185875..3d84cbe 100644 --- a/roles/sublab_web/meta/main.yaml +++ b/roles/sublab_web/meta/main.yaml @@ -2,3 +2,4 @@ dependencies: - role: apache - role: subdap + - role: git_server_rpc 
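Review bot: The readable default `sublab_web_server_name: "{{inventory_hostname}}"` is removed and the entire `roles/sublab_web/defaults/main.yaml` becomes vault ciphertext, so it is no longer possible to see which non-secret defaults the role exposes or whether that default still exists; the play-level fallback added in `vars/main.yaml` suggests it may not. Keep the non-secret defaults in plaintext and put only `wiki_user_privkey`/`wiki_user_pubkey` (the names `as_wikiuser.yaml` reads) into a separately vaulted vars file.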
diff --git a/roles/sublab_web/tasks/as_webuser.yaml b/roles/sublab_web/tasks/as_webuser.yaml index 859c1bf..c6725aa 100644 --- a/roles/sublab_web/tasks/as_webuser.yaml +++ b/roles/sublab_web/tasks/as_webuser.yaml @@ -11,7 +11,7 @@ - name: Clone sublab website git: dest="/var/www/{{sublab_web_server_name}}/htdocs" - repo=git://git.sublab.org/website + repo="git://{{ groups['gitservers'][0] }}/website" accept_hostkey=yes update=no notify: Rebuild subweb website diff --git a/roles/sublab_web/tasks/as_wikiuser.yaml b/roles/sublab_web/tasks/as_wikiuser.yaml index adfa473..bd30e9d 100644 --- a/roles/sublab_web/tasks/as_wikiuser.yaml +++ b/roles/sublab_web/tasks/as_wikiuser.yaml @@ -22,12 +22,39 @@ src=ikiwiki-editpage.tmpl dest="/home/wiki-{{sublab_web_server_name}}/templates/editpage.tmpl" +- name: Create .ssh dir + file: + path="/home/wiki-{{sublab_web_server_name}}/.ssh" + state=directory + mode=0700 + +# This ssh keypair is authorized to push to the git-server wiki repo +- name: Put ssh pubkey + copy: + dest="/home/wiki-{{sublab_web_server_name}}/.ssh/id_rsa.pub" + content="{{wiki_user_pubkey}}" + mode=0644 + +- name: Put ssh privkey + copy: + dest="/home/wiki-{{sublab_web_server_name}}/.ssh/id_rsa" + content="{{wiki_user_privkey}}" + mode=0600 + +# Configure git +- name: Configure git push for wikiuser + command: git config --global push.default simple +- name: Configure git name + command: git config --global user.name "Wiki User {{ansible_hostname}}" +- name: + command: git config --global user.email "nobody@nowhere.ws" + # Updates to git are pushed automatically and should not # go through ansible - this is for initial deployment only - name: Clone wiki git git: dest="/home/wiki-{{sublab_web_server_name}}/wiki" - repo=git://git.sublab.org/ikiwiki + repo=git+ssh://git@{{groups['gitservers'][0]}}/ikiwiki accept_hostkey=yes update=no notify: Rebuild ikiwiki diff --git a/roles/sublab_web/tasks/main.yaml b/roles/sublab_web/tasks/main.yaml index 7416cba..145c549 100644 
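Review bot: `Clone wiki git` switches to `git+ssh://` but keeps `accept_hostkey=yes`, which trusts whatever host key is presented on first contact; the gitserver and repo_service roles in this same commit pin the peer's ECDSA key via `slurp` into `known_hosts`, and the wiki user should do the same before cloning. The `git config --global` tasks are bare `command`s with no `changed_when`/`creates`, so they are not idempotent, and the third has an empty `- name:`; a templated `~/.gitconfig` covers all three. The deploy key written here can push to the ikiwiki repository, which is intended, so `mode=0600` on the private key is correct — just make sure the `.ssh` directory and keys are owned by the wiki user since no `owner` is set.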
--- a/roles/sublab_web/tasks/main.yaml +++ b/roles/sublab_web/tasks/main.yaml @@ -31,6 +31,10 @@ - wiki.conf notify: Reload apache +- name: Place wiki htpasswd + copy: dest=/etc/apache2/sites/{{ sublab_web_server_name }}/htpasswd + src=htpasswd + - include: ../../apache/tasks/ssl.yaml vars: ssl_server_name: "{{sublab_web_server_name}}" diff --git a/roles/sublab_web/templates/subdap-ssl.conf.j2 b/roles/sublab_web/templates/subdap-ssl.conf.j2 index bec8c54..2e543b8 100644 --- a/roles/sublab_web/templates/subdap-ssl.conf.j2 +++ b/roles/sublab_web/templates/subdap-ssl.conf.j2 @@ -1,3 +1,4 @@ +{% if 0 %} ProxyPass "http://127.0.0.1:8001/" @@ -11,3 +12,7 @@ Alias /subdap/static /var/subdap/src/static AllowOverride None Require all granted +{% else %} +RedirectMatch temp ^/(subdap(/?|/.*))$ https://{{ sublab_web_server_name }}/account-creation-suspended +{% endif %} + diff --git a/roles/sublab_web/templates/website-rebuild.sh.j2 b/roles/sublab_web/templates/website-rebuild.sh.j2 index ac29e3d..5cd3964 100644 --- a/roles/sublab_web/templates/website-rebuild.sh.j2 +++ b/roles/sublab_web/templates/website-rebuild.sh.j2 @@ -3,6 +3,10 @@ # {{ ansible_managed }} # +if [ "$USER" != "sublab_web" ]; then + exec sudo -u sublab_web /var/www/{{sublab_web_server_name}}/website-rebuild.sh +fi + cd /var/www/{{sublab_web_server_name}}/htdocs if [ x"$1" != x"-l" ]; then diff --git a/roles/sublab_web/templates/wiki.conf.j2 b/roles/sublab_web/templates/wiki.conf.j2 index 5328335..a5c47ba 100644 --- a/roles/sublab_web/templates/wiki.conf.j2 +++ b/roles/sublab_web/templates/wiki.conf.j2 
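Review bot: `Place wiki htpasswd` copies the password file with no `owner`, `group` or `mode`, so it lands world-readable under the default umask. Use `copy: dest=/etc/apache2/sites/{{ sublab_web_server_name }}/htpasswd src=htpasswd owner=root group=www-data mode=0640` (adjust the group to the Apache run user on this host).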
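Review bot: The re-exec guard in `website-rebuild.sh.j2` drops the script's arguments: `exec sudo -u sublab_web /var/www/{{sublab_web_server_name}}/website-rebuild.sh` passes nothing, so the `-l` flag checked a few lines later is lost whenever the script is entered as another user. Append `"$@"` to the exec line. It also tests `$USER`, an environment variable rather than the effective user; `if [ "$(id -un)" != "sublab_web" ]; then` is the reliable check and does not depend on how the caller's environment was set up.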
@@ -6,14 +6,23 @@ Alias /wiki/ /home/wiki-{{ sublab_web_server_name }}/wiki-html/ Options +ExecCGI +# +# Disable LDAP auth for now :/ +# +# AuthType basic +# AuthBasicProvider ldap +# AuthName "LDAP Login" +# AuthLDAPBindDN "cn=apache-{{ ansible_nodename }},ou=service,dc=sublab,dc=org" +# AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}" +# AuthLDAPURL "{{ ldap_url }}/ou=people,dc=sublab,dc=org" +# # AuthzLDAPAuthoritative on +# # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org +# Require valid-user + +# And use basic auth instead AuthType basic - AuthBasicProvider ldap - AuthName "LDAP Login" - AuthLDAPBindDN "cn=apache-{{ ansible_nodename }},ou=service,dc=sublab,dc=org" - AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}" - AuthLDAPURL "{{ ldap_url }}/ou=people,dc=sublab,dc=org" - # AuthzLDAPAuthoritative on - # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org + AuthName "Wiki Login" + AuthUserFile "/etc/apache2/sites/{{ sublab_web_server_name }}/htpasswd" Require valid-user LDAPTrustedMode TLS diff --git a/vars/main.yaml b/vars/main.yaml index 448afa4..c3a325b 100644 --- a/vars/main.yaml +++ b/vars/main.yaml @@ -1,2 +1,3 @@ --- ldap_url: "ldaps://{{ groups['authservers'][0] }}" +sublab_web_server_name: "{{hostvars[groups['webservers'][0]]['sublab_web_server_name']|default(groups['webservers'][0])}}" -- cgit v1.2.1
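Review bot: `LDAPTrustedMode TLS` remains active in `wiki.conf.j2` after every LDAP directive was commented out, which is harmless but misleading when someone reads the vhost to find out how authentication works. Either comment it out with the rest of the LDAP block or add a note above it, e.g. `# kept for when LDAP auth is re-enabled`. The `AuthUserFile` path matches the `Place wiki htpasswd` task in this commit, so the file permissions set there determine who can read the hashes.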