From 1eb35a1e69d9a9f3f43340b9ea46d95bb2c1a0e8 Mon Sep 17 00:00:00 2001 
From: Christian Franke Date: Fri, 28 Aug 2015 15:38:36 +0200 Subject: Add cgit role - git webfrontend --- roles/apache/tasks/ssl.yaml | 21 +++++++ roles/cgit/defaults/main.yaml | 2 + roles/cgit/files/cgit-assets/git.css | 2 + roles/cgit/files/cgit-assets/highlight.css | 19 ++++++ roles/cgit/files/cgit-assets/logo.png | Bin 0 -> 3224 bytes roles/cgit/files/cgit.source.filter | 9 +++ roles/cgit/meta/main.yaml | 3 + roles/cgit/tasks/main.yaml | 70 +++++++++++++++++++++ roles/cgit/templates/cgitrc.j2 | 8 +++ roles/cgit/templates/repocreate-plain.conf.j2 | 1 + roles/cgit/templates/repocreate-ssl.conf.j2 | 18 ++++++ roles/cgit/templates/server.conf.j2 | 19 ++++++ roles/cgit/templates/ssl.conf.j2 | 20 ++++++ roles/cgit/templates/vhost.conf.j2 | 9 +++ roles/sublab_web/defaults/main.yaml | 2 +- .../files/ssl/wolpertinger.nowhere.ws/cert.pem | 22 ------- .../files/ssl/wolpertinger.nowhere.ws/chain.pem | 22 ------- roles/sublab_web/tasks/main.yaml | 23 +------ 18 files changed, 205 insertions(+), 65 deletions(-) create mode 100644 roles/apache/tasks/ssl.yaml create mode 100644 roles/cgit/defaults/main.yaml create mode 100644 roles/cgit/files/cgit-assets/git.css create mode 100644 roles/cgit/files/cgit-assets/highlight.css create mode 100644 roles/cgit/files/cgit-assets/logo.png create mode 100644 roles/cgit/files/cgit.source.filter create mode 100644 roles/cgit/meta/main.yaml create mode 100644 roles/cgit/tasks/main.yaml create mode 100644 roles/cgit/templates/cgitrc.j2 create mode 100644 roles/cgit/templates/repocreate-plain.conf.j2 create mode 100644 roles/cgit/templates/repocreate-ssl.conf.j2 create mode 100644 roles/cgit/templates/server.conf.j2 create mode 100644 roles/cgit/templates/ssl.conf.j2 create mode 100644 roles/cgit/templates/vhost.conf.j2 delete mode 100644 roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/cert.pem delete mode 100644 roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/chain.pem (limited to 'roles') 
diff --git a/roles/apache/tasks/ssl.yaml b/roles/apache/tasks/ssl.yaml
new file mode 100644
index 0000000..979d364
--- /dev/null
+++ b/roles/apache/tasks/ssl.yaml
@@ -0,0 +1,21 @@
+---
+- name: Create ssl DIR
+ file:
+ path=/etc/apache2/sites/{{ ssl_server_name }}/ssl
+ state=directory
+
+- name: Place SSL cert and chain
+ copy:
+ src=ssl/{{ ssl_server_name }}/{{item}}
+ dest=/etc/apache2/sites/{{ ssl_server_name }}/ssl/{{item}}
+ with_items:
+ - cert.pem
+ - chain.pem
+ notify: Reload apache
+
+- name: Place SSL key
+ copy:
+ content="{{ssl_keys[ssl_server_name]}}"
+ dest="/etc/apache2/sites/{{ssl_server_name}}/ssl/key.pem"
+ mode=0600
+ notify: Reload apache
diff --git a/roles/cgit/defaults/main.yaml b/roles/cgit/defaults/main.yaml
new file mode 100644
index 0000000..28da704
--- /dev/null
+++ b/roles/cgit/defaults/main.yaml
@@ -0,0 +1,2 @@
+---
+git_server_name: "{{inventory_hostname}}"
diff --git a/roles/cgit/files/cgit-assets/git.css b/roles/cgit/files/cgit-assets/git.css
new file mode 100644
index 0000000..ed2ecd8
--- /dev/null
+++ b/roles/cgit/files/cgit-assets/git.css
@@ -0,0 +1,2 @@
+@import "cgit.css";
+@import "highlight.css";
diff --git a/roles/cgit/files/cgit-assets/highlight.css b/roles/cgit/files/cgit-assets/highlight.css
new file mode 100644
index 0000000..99af709
--- /dev/null
+++ b/roles/cgit/files/cgit-assets/highlight.css
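Review bot: In roles/apache/tasks/ssl.yaml the "Place SSL key" task writes the private key with `mode=0600` but sets no owner or group and has no `no_log`, so the key's owner is whatever account the play runs as and the key material can show up in verbose or diff output. I would add `owner=root group=root` to that task and `no_log: true` beside its `notify:`. The "Create ssl DIR" task also leaves the directory at the default mode; `mode=0750` there, with root ownership, keeps the path to key.pem closed to other local users. Because `content=` is passed in key=value form, it is worth confirming that the multi-line PEM held in `ssl_keys` reaches the file with its newlines intact.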
@@ -0,0 +1,19 @@ +/* Style definition file generated by highlight 3.6, http://www.andre-simon.de/ */ + +/* Highlighting theme: vim earendel */ + +/* body.hl { background-color:#ffffff; } */ +pre.hl { color:#000000; background-color:#ffffff; font-size:10pt; font-family:'Courier New';} +.hl.num { color:#a8660d; } +.hl.esc { color:#a80d9e; } +.hl.str { color:#a8660d; } +.hl.pps { color:#a8660d; } +.hl.slc { color:#558817; } +.hl.com { color:#558817; } +.hl.ppc { color:#0da818; } +.hl.opt { color:#000000; } +.hl.lin { color:#006666; } +.hl.kwa { color:#2239a8; font-weight:bold; } +.hl.kwb { color:#8c1d69; font-weight:bold; } +.hl.kwc { color:#a89222; font-weight:bold; } +.hl.kwd { color:#a8227b; }
diff --git a/roles/cgit/files/cgit-assets/logo.png b/roles/cgit/files/cgit-assets/logo.png
new file mode 100644
index 0000000..af1814f
Binary files /dev/null and b/roles/cgit/files/cgit-assets/logo.png differ
diff --git a/roles/cgit/files/cgit.source.filter b/roles/cgit/files/cgit.source.filter
new file mode 100644
index 0000000..f5c8e88
--- /dev/null
+++ b/roles/cgit/files/cgit.source.filter
@@ -0,0 +1,9 @@
+#!/bin/sh
+# store filename and extension in local vars
+BASENAME="$1"
+EXTENSION="${BASENAME##*.}"
+
+# map Makefile and Makefile.* to .mk
+[ "${BASENAME%%.*}" = "Makefile" ] && EXTENSION=mk
+
+exec highlight --force -f -S "$EXTENSION" 2>/tmp/cgit.filter
diff --git a/roles/cgit/meta/main.yaml b/roles/cgit/meta/main.yaml
new file mode 100644
index 0000000..0e24889
--- /dev/null
+++ b/roles/cgit/meta/main.yaml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: apache
diff --git a/roles/cgit/tasks/main.yaml b/roles/cgit/tasks/main.yaml
new file mode 100644
index 0000000..cc18696
--- /dev/null
+++ b/roles/cgit/tasks/main.yaml
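Review bot: The last line of roles/cgit/files/cgit.source.filter redirects highlight's stderr to the fixed path `/tmp/cgit.filter`, which the CGI user truncates on every blob view. On a host with other local accounts, a file or symlink already present under that name decides where the write lands, and the content is overwritten on each request anyway, so it has little diagnostic value. I would discard the stream instead, `exec highlight --force -f -S "$EXTENSION" 2>/dev/null`, or append to a log in a directory only the web server user can write. `$EXTENSION` is derived from the repository file name and is quoted correctly; a one-line comment stating that the value is untrusted would help the next editor keep it quoted.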
@@ -0,0 +1,70 @@
+---
+- name: Install cgit package and depencies
+ apt: name={{item}} state=present
+ with_items:
+ - cgit
+ - highlight
+
+- name: Install cgit highlighting script
+ copy:
+ src=cgit.source.filter
+ dest=/etc/cgit.source.filter
+ mode=0755
+
+- name: Create cgit assets dir
+ file:
+ name=/var/www/{{ git_server_name }}/static
+ recurse=yes
+ state=directory
+
+- name: Put cgit assets
+ copy:
+ src="cgit-assets/{{item}}"
+ dest="/var/www/{{ git_server_name }}/static/{{item}}"
+ with_items:
+ - git.css
+ - highlight.css
+ - logo.png
+
+- name: Symlink cgit css
+ file:
+ name="/var/www/{{git_server_name}}/static/cgit.css"
+ state=link
+ src=../../../../usr/share/cgit/cgit.css
+
+- name: Symlink robots.txt
+ file:
+ name="/var/www/{{git_server_name}}/robots.txt"
+ state=link
+ src=../../../usr/share/cgit/robots.txt
+
+- name: Put cgit configuration
+ template:
+ src=cgitrc.j2
+ dest=/etc/cgitrc
+
+- name: Put apache config
+ template:
+ src=vhost.conf.j2
+ dest=/etc/apache2/sites-enabled/cgit.conf
+
+- name: Create config snippet dir
+ file:
+ name=/etc/apache2/sites/{{ git_server_name }}
+ recurse=yes
+ state=directory
+
+- name: Place config snippets
+ template:
+ dest=/etc/apache2/sites/{{ git_server_name }}/{{ item }}
+ src={{ item }}.j2
+ with_items:
+ - repocreate-plain.conf
+ - repocreate-ssl.conf
+ - server.conf
+ - ssl.conf
+ notify: Reload apache
+
+- include: ../../apache/tasks/ssl.yaml
+ vars:
+ ssl_server_name: "{{git_server_name}}"
diff --git a/roles/cgit/templates/cgitrc.j2 b/roles/cgit/templates/cgitrc.j2
new file mode 100644
index 0000000..bfca774
--- /dev/null
+++ b/roles/cgit/templates/cgitrc.j2
@@ -0,0 +1,8 @@
+css=/static/git.css
+logo=/static/logo.png
+virtual-root=/
+root-title=sublab.org repo hosting
+root-desc=harbouring chaos
+enable-index-owner=0
+clone-prefix=git://{{ git_server_name }} git+ssh://git@{{ git_server_name }}
+source-filter=/etc/cgit.source.filter
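Review bot: The "Put apache config" task in roles/cgit/tasks/main.yaml has no `notify: Reload apache`, so a changed vhost.conf.j2 is written to sites-enabled but not loaded until some other task triggers the handler; only "Place config snippets" notifies. Adding `notify: Reload apache` to the vhost task closes that gap (cgitrc is presumably read by cgit on each request, so it may not need one). Apart from the filter script's `mode=0755`, none of the copy and template tasks set `owner`, `group` or `mode`; since /etc/cgit.source.filter is executed on every source view, I would pin it with `owner=root group=root mode=0755`. The first task name also has a typo, "depencies".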
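Review bot: `clone-prefix` in roles/cgit/templates/cgitrc.j2 advertises `git://{{ git_server_name }}` first, and the git:// protocol provides neither transport encryption nor server authentication. Since this role already sets up a TLS vhost for the same name, consider listing an authenticated URL first, for example `clone-prefix=https://{{ git_server_name }} git+ssh://git@{{ git_server_name }}`, assuming clone over HTTP(S) is meant to be available on this host.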
diff --git a/roles/cgit/templates/repocreate-plain.conf.j2 b/roles/cgit/templates/repocreate-plain.conf.j2
new file mode 100644
index 0000000..e3fbc35
--- /dev/null
+++ b/roles/cgit/templates/repocreate-plain.conf.j2
@@ -0,0 +1 @@
+RedirectMatch permanent ^/(create(/?|/.*))$ https://{{ git_server_name }}/$1
diff --git a/roles/cgit/templates/repocreate-ssl.conf.j2 b/roles/cgit/templates/repocreate-ssl.conf.j2
new file mode 100644
index 0000000..c9014be
--- /dev/null
+++ b/roles/cgit/templates/repocreate-ssl.conf.j2
@@ -0,0 +1,18 @@
+#Alias /create /var/www/git.sublab.org/htdocs/create
+#ProxyPass /create/api http://127.0.0.1:8023/
+#
+#
+# Options -Indexes -ExecCGI
+# Allow from *
+#
+# AuthType basic
+# AuthBasicProvider ldap
+# AuthName "LDAP Login"
+# AuthLDAPBindDN "cn=apache-{{ ansible_nodename }},ou=service,dc=sublab,dc=org"
+# AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}"
+# AuthLDAPURL "{{ ldap_url }}/ou=people,dc=sublab,dc=org"
+# # AuthzLDAPAuthoritative on
+# # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org
+# Require valid-user
+#
+#LDAPTrustedMode TLS
diff --git a/roles/cgit/templates/server.conf.j2 b/roles/cgit/templates/server.conf.j2
new file mode 100644
index 0000000..bd9de27
--- /dev/null
+++ b/roles/cgit/templates/server.conf.j2
@@ -0,0 +1,19 @@
+ServerAdmin nobody-wolpertinger@nowhere.ws
+ServerName {{ git_server_name }}
+
+# Serve static cgit files directly
+Alias /static /var/www/{{ git_server_name }}/static
+Alias /robots.txt /var/www/{{ git_server_name }}/robots.txt
+
+ AllowOverride None
+ Options FollowSymlinks
+ Require all granted
+
+
+# Dispatch other requests to CGI
+ScriptAlias / "/usr/lib/cgit/cgit.cgi/"
+
+ AllowOverride None
+ Options ExecCGI FollowSymlinks
+ Require all granted
+
diff --git a/roles/cgit/templates/ssl.conf.j2 b/roles/cgit/templates/ssl.conf.j2
new file mode 100644
index 0000000..c6b8fe3
--- /dev/null
+++ b/roles/cgit/templates/ssl.conf.j2
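Review bot: Every line of roles/cgit/templates/repocreate-ssl.conf.j2 is commented out with `#`, but the file is still rendered by the `template` module, so the Jinja expressions inside the comments are evaluated: `{{ ldap_credentials["apache-" + ansible_nodename] }}` writes the LDAP bind password in clear text into the generated repocreate-ssl.conf. The "Place config snippets" task sets no mode, so the file gets default permissions, which are probably world-readable. Either wrap the disabled block in a Jinja comment (`{#` … `#}`) so nothing is rendered, or leave it out until the feature is enabled, and give the snippets an explicit `mode=0640`. As written, the render will presumably also fail on hosts where `ldap_credentials` or `ldap_url` is not defined.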
@@ -0,0 +1,20 @@
+SSLEngine On
+
+SSLCertificateChainFile /etc/apache2/sites/{{ git_server_name }}/ssl/chain.pem
+SSLCertificateFile /etc/apache2/sites/{{ git_server_name }}/ssl/cert.pem
+SSLCertificateKeyFile /etc/apache2/sites/{{ git_server_name }}/ssl/key.pem
+
+SSLEngine On
+SSLHonorCipherOrder on
+SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv3 -SSLv2
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+SSLCompression off
+
+#Header always set Strict-Transport-Security "max-age=15984000"
+
+SSLOptions StdEnvVars
+
+BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
diff --git a/roles/cgit/templates/vhost.conf.j2 b/roles/cgit/templates/vhost.conf.j2
new file mode 100644
index 0000000..b3e2149
--- /dev/null
+++ b/roles/cgit/templates/vhost.conf.j2
@@ -0,0 +1,9 @@
+
+ Include sites/{{ git_server_name }}/repocreate-plain.conf
+ Include sites/{{ git_server_name }}/server.conf
+
+
+ Include sites/{{ git_server_name }}/ssl.conf
+ Include sites/{{ git_server_name }}/repocreate-ssl.conf
+ Include sites/{{ git_server_name }}/server.conf
+
diff --git a/roles/sublab_web/defaults/main.yaml b/roles/sublab_web/defaults/main.yaml
index 367f47c..55f5b5f 100644
--- a/roles/sublab_web/defaults/main.yaml
+++ b/roles/sublab_web/defaults/main.yaml
@@ -1,2 +1,2 @@
 ---
-sublab_web_server_name: "sublab.org"
+sublab_web_server_name: "{{inventory_hostname}}"
diff --git a/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/cert.pem b/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/cert.pem
deleted file mode 100644
index 48ccadc..0000000
--- a/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/cert.pem
+++ /dev/null
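Review bot: `SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv3 -SSLv2` in roles/cgit/templates/ssl.conf.j2 modifies the server default instead of starting from an empty set, and it keeps TLS 1.0 and 1.1 enabled; an explicit allowlist such as `SSLProtocol -all +TLSv1.2` is easier to audit, if the expected clients allow it. The cipher list likewise still offers CBC suites with SHA-1 MACs after the GCM ones. The HSTS header is commented out and `SSLEngine On` appears twice; a short comment on why HSTS is disabled, with the duplicate removed, would help. `BrowserMatch "MSIE [17-9]"` is a character class matching 1, 7, 8 or 9, which looks copied from a distribution default rather than intended.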
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIJAKF4UGTy4i2cMA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNV
-BAYTAkRFMQ8wDQYDVQQIDAZTYXhvbnkxEDAOBgNVBAcMB0xlaXB6aWcxDzANBgNV
-BAoMBnN1YmxhYjEPMA0GA1UECwwGc3VibGFiMSAwHgYDVQQDDBd3b2xwZXJ0aW5n
-ZXIubm93aGVyZS53czAeFw0xNTA4MjYyMDU5MzdaFw0xNzA4MjUyMDU5MzdaMHQx
-CzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZTYXhvbnkxEDAOBgNVBAcMB0xlaXB6aWcx
-DzANBgNVBAoMBnN1YmxhYjEPMA0GA1UECwwGc3VibGFiMSAwHgYDVQQDDBd3b2xw
-ZXJ0aW5nZXIubm93aGVyZS53czCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBALWJeHqWcnGyiLZQSIxETvxxkZCwrgL4bUCj/iS/YXWHb/9fRw3NsDCz5P1G
-AZKqmn4oJmahMMWCJ1Ro37Ms/7MsShneUodcz13tIGuBI7RAcS0U8KK7JZ/x5wqv
-/1qDNUcTJGNCzYroKnNlMR6Y1ri8dRcBxYneNDAgYB2VbQI3+POuR4Ma89NyjsxD
-lSeA5JzpMD3fBF+BauqV0WoXNdOYV37vWG3nzmuy3qwfk00CP/nF+zkVBlG0sqw/
-vgfcv6yz71RdvfOD+NJCBUiWvoLCZCSKEByc91BOs5iObOWA98/cU8YyFzmPGOY5
-b8dOAJyhZKXVzPnFe2etlhBlNbUCAwEAAaNQME4wHQYDVR0OBBYEFHPz9TLW5CVt
-DobXXWgX/qP5fhFaMB8GA1UdIwQYMBaAFHPz9TLW5CVtDobXXWgX/qP5fhFaMAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACSfz+XaYljMACvKFho7ifH5
-K3qhh+2i4Q9qS+G4mHcoGQP/rMGJE1Uv77mO0W072RSWp8Sc0xUS5Hlir6XZ3LXK
-oqfI0541GbksvwM5e2bKyBEcdoClcJt6J7uI5EWjOldXsQpLT1c0OaeHa/kGJ2pU
-nS9DzgdUPg7pRxLVE8+OH6UWb5V2BGqMXhV9ZF4iO1QBCRJpHcEp0pk2dSRD6Wdl
-aVcLI8Up70iy9SRA+iucJc9TqwyilDUE1bqo3eHsr2Nj+YNi3ZjrzjuB/LL8qr7G
-ePiXaq/uPASzCltwNLzKSEwwdndq8fYygsSS2m1zfzeuLXMH4VhL3F7bkCB9rsw=
------END CERTIFICATE-----
diff --git a/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/chain.pem b/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/chain.pem
deleted file mode 100644
index 48ccadc..0000000
--- a/roles/sublab_web/files/ssl/wolpertinger.nowhere.ws/chain.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIJAKF4UGTy4i2cMA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNV
-BAYTAkRFMQ8wDQYDVQQIDAZTYXhvbnkxEDAOBgNVBAcMB0xlaXB6aWcxDzANBgNV
-BAoMBnN1YmxhYjEPMA0GA1UECwwGc3VibGFiMSAwHgYDVQQDDBd3b2xwZXJ0aW5n
-ZXIubm93aGVyZS53czAeFw0xNTA4MjYyMDU5MzdaFw0xNzA4MjUyMDU5MzdaMHQx
-CzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZTYXhvbnkxEDAOBgNVBAcMB0xlaXB6aWcx
-DzANBgNVBAoMBnN1YmxhYjEPMA0GA1UECwwGc3VibGFiMSAwHgYDVQQDDBd3b2xw
-ZXJ0aW5nZXIubm93aGVyZS53czCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBALWJeHqWcnGyiLZQSIxETvxxkZCwrgL4bUCj/iS/YXWHb/9fRw3NsDCz5P1G
-AZKqmn4oJmahMMWCJ1Ro37Ms/7MsShneUodcz13tIGuBI7RAcS0U8KK7JZ/x5wqv
-/1qDNUcTJGNCzYroKnNlMR6Y1ri8dRcBxYneNDAgYB2VbQI3+POuR4Ma89NyjsxD
-lSeA5JzpMD3fBF+BauqV0WoXNdOYV37vWG3nzmuy3qwfk00CP/nF+zkVBlG0sqw/
-vgfcv6yz71RdvfOD+NJCBUiWvoLCZCSKEByc91BOs5iObOWA98/cU8YyFzmPGOY5
-b8dOAJyhZKXVzPnFe2etlhBlNbUCAwEAAaNQME4wHQYDVR0OBBYEFHPz9TLW5CVt
-DobXXWgX/qP5fhFaMB8GA1UdIwQYMBaAFHPz9TLW5CVtDobXXWgX/qP5fhFaMAwG
-A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACSfz+XaYljMACvKFho7ifH5
-K3qhh+2i4Q9qS+G4mHcoGQP/rMGJE1Uv77mO0W072RSWp8Sc0xUS5Hlir6XZ3LXK
-oqfI0541GbksvwM5e2bKyBEcdoClcJt6J7uI5EWjOldXsQpLT1c0OaeHa/kGJ2pU
-nS9DzgdUPg7pRxLVE8+OH6UWb5V2BGqMXhV9ZF4iO1QBCRJpHcEp0pk2dSRD6Wdl
-aVcLI8Up70iy9SRA+iucJc9TqwyilDUE1bqo3eHsr2Nj+YNi3ZjrzjuB/LL8qr7G
-ePiXaq/uPASzCltwNLzKSEwwdndq8fYygsSS2m1zfzeuLXMH4VhL3F7bkCB9rsw=
------END CERTIFICATE-----
diff --git a/roles/sublab_web/tasks/main.yaml b/roles/sublab_web/tasks/main.yaml
index 50a2585..0aab602 100644
--- a/roles/sublab_web/tasks/main.yaml
+++ b/roles/sublab_web/tasks/main.yaml
@@ -31,26 +31,9 @@ - wiki.conf notify: Reload apache -- name: Create SSL DIR - file: - path=/etc/apache2/sites/{{ sublab_web_server_name }}/ssl - state=directory - -- name: Place SSL cert and chain - copy: - src=ssl/{{ sublab_web_server_name }}/{{item}} - dest=/etc/apache2/sites/{{ sublab_web_server_name }}/ssl/{{item}} - with_items: - - cert.pem - - chain.pem - notify: Reload apache - -- name: Place SSL key - copy: - content="{{ssl_keys[sublab_web_server_name]}}" - dest="/etc/apache2/sites/{{sublab_web_server_name}}/ssl/key.pem" - mode=0600 - notify: Reload apache +- include: ../../apache/tasks/ssl.yaml + vars: + ssl_server_name: "{{sublab_web_server_name}}" - name: Create Website group group: name=sublab_web -- cgit v1.2.1