author | Daniel Silverstone <daniel.silverstone@codethink.co.uk> | 2012-09-13 16:24:45 +0100 |
---|---|---|
committer | Daniel Silverstone <daniel.silverstone@codethink.co.uk> | 2012-09-13 16:24:45 +0100 |
commit | ceb0f917bf881a65fb254468ab4c0175d4b88798 (patch) | |
tree | fd4f6a8cdcba18f3f496d22ded6e683aff5b8b3b | |
parent | d82ae7b8ea50962f40c7e468242ae207fd628483 (diff) | |
download | trove-setup-ceb0f917bf881a65fb254468ab4c0175d4b88798.tar.gz |
Lorry setup
-rwxr-xr-x | bins/trove-early-setup | 14 | ||||
-rw-r--r-- | gitano-admin/groups/workers.conf | 1 | ||||
-rw-r--r-- | gitano-admin/rules/defines.lace | 2 | ||||
-rw-r--r-- | gitano-admin/rules/project.lace | 4 | ||||
-rw-r--r-- | gitano-admin/users/lorry/user.conf | 2 |
5 files changed, 22 insertions, 1 deletions
diff --git a/bins/trove-early-setup b/bins/trove-early-setup
index 1ba4e3a..9c8fd65 100755
--- a/bins/trove-early-setup
+++ b/bins/trove-early-setup
@@ -27,5 +27,17 @@ $(eval $(foreach USER,$(USERS),$(call make_user_rules,$(USER))))
 users: $(ALL_USER_TARGETS)
-gitano-configured: users
+gitano-setup: /home/git/.gitano-setup
+/home/git/.gitano-setup:
 	su -c 'gitano-setup /etc/gitano-setup.clod' - git
+	touch $@
+
+gitano-configured: gitano-lorry-setup
+
+gitano-lorry-setup: /home/git/.gitano-lorry-setup
+
+/home/git/.gitano-lorry-setup:
+	cp /home/lorry/.ssh/id_rsa.pub /tmp/lorry.pub
+	su -c 'ssh git@localhost as lorry sshkey add trove < /tmp/lorry.pub' - git
+	rm /tmp/lorry.pub
+
diff --git a/gitano-admin/groups/workers.conf b/gitano-admin/groups/workers.conf
new file mode 100644
index 0000000..1c84acf
--- /dev/null
+++ b/gitano-admin/groups/workers.conf
@@ -0,0 +1 @@
+description "Workers who have read-access to everything"
diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace
index 402190e..d243afd 100644
--- a/gitano-admin/rules/defines.lace
+++ b/gitano-admin/rules/defines.lace
@@ -98,3 +98,5 @@ define target_group_gitano_admin targetgroup gitano-admin
 define is_lorry user lorry
 define is_local_ref ref ~^refs/heads/##ESC_PREFIX##/
+
+define is_worker group workers
diff --git a/gitano-admin/rules/project.lace b/gitano-admin/rules/project.lace
index 3144c64..862b8a3 100644
--- a/gitano-admin/rules/project.lace
+++ b/gitano-admin/rules/project.lace
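Review bot: The `/home/git/.gitano-lorry-setup` recipe never creates its target, so unlike `/home/git/.gitano-setup` (which ends in `touch $@`) the stamp file does not exist after a successful run and the key import is re-executed on every invocation. The same recipe stages the public key through the fixed, predictable path `/tmp/lorry.pub` in a world-writable directory before the `su` shell reads it; redirecting the key file into `su` from the outer shell avoids the temporary file entirely (the outer shell opens the file, `su` inherits stdin), e.g. `su -c 'ssh git@localhost as lorry sshkey add trove' - git < /home/lorry/.ssh/id_rsa.pub` followed by `touch $@`. Nothing in the hunk orders the lorry key import after `gitano-setup`, although `ssh git@localhost` presumably needs a configured gitano; declaring `/home/git/.gitano-lorry-setup: /home/git/.gitano-setup` would make that dependency explicit and safe under `-j`. `gitano-configured` also drops its former `users` prerequisite, so unless `users` is required elsewhere it is no longer built by default — worth confirming. Any `.PHONY` declaration for `gitano-setup`, `gitano-lorry-setup` and `gitano-configured` lies outside the hunk.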
@@ -11,6 +11,10 @@
 # Admins already got allowed, so this is for non-admin users only
 allow "Owners can always read and write" op_is_basic is_owner repo_is_personal
+# Any non-gitano-admin repo is readable to the lorry user and the worker group
+allow "Lorry may read" op_read !is_admin_repo is_lorry
+allow "Workers may read" op_read !is_admin_repo is_worker
+
 # Force /baserock and /delta to always be anon-readable which means git:// will
 # work. This is part of the core ruleset for Baserock because /baserock/ and
 # /delta/ are always open source.
diff --git a/gitano-admin/users/lorry/user.conf b/gitano-admin/users/lorry/user.conf
new file mode 100644
index 0000000..417950b
--- /dev/null
+++ b/gitano-admin/users/lorry/user.conf
@@ -0,0 +1,2 @@
+email_address "lorry@trove-instance"
+real_name "Source Code Lorry Service"
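Review bot: The two new `op_read` rules exclude only `is_admin_repo`, so unless an earlier rule has already decided personal repositories, they also let the lorry user and the `workers` group read any repo matching `repo_is_personal` (the predicate used on the preceding `allow` line); if personal repos are meant to stay private, add `!repo_is_personal` to both rules, otherwise the new comment should say explicitly that personal repos are included. The group description added in `gitano-admin/groups/workers.conf` promises "read-access to everything", while the rule here deliberately excludes gitano-admin; wording it as `description "Workers who have read-access to every non-admin repository"` keeps the description honest about the grant. The rules evaluated before line 11 are outside the hunk, so the first point depends on their order.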