author | Richard Ipsum <richard.ipsum@codethink.co.uk> | 2014-02-19 10:18:24 +0000 |
---|---|---|
committer | Richard Ipsum <richard.ipsum@codethink.co.uk> | 2014-02-19 10:18:24 +0000 |
commit | 177c7efb7a048b0161c34fa5255d0f82af300680 (patch) | |
tree | 0c8e7fb0527f85c6fd37e14f4b9449b4c23d15d3 | |
parent | 2963562ec73e7b6a3994255358502a3cac039b50 (diff) | |
parent | 1fce00cc9c87b86055f116547d14fc94cc7842ea (diff) | |
Merge branch 'baserock/richardipsum/gitano_http'
This series contains the changes needed
to let trove use gitano's new http services
The main changes:
* trove-early-setup now generates an ssl certificate
so we can do https
* there are two lighttpd processes: one for gitano
and one for morph cache server. We do this because
gitano needs to run as the git user and morph
cache server needs to run as the cache user
The ruleset has also been updated to allow
anonymous clones over http
Reviewed by:
Richard Maw
-rw-r--r-- | Makefile | 9 | ||||
-rwxr-xr-x | bins/trove-early-setup | 12 | ||||
-rw-r--r-- | etc/gitano-setup.clod | 2 | ||||
-rw-r--r-- | etc/lighttpd/git-auth.conf | 10 | ||||
-rw-r--r-- | etc/lighttpd/git-httpd.conf | 67 | ||||
-rw-r--r-- | etc/lighttpd/morph-cache-httpd.conf (renamed from etc/lighttpd.conf) | 15 | ||||
-rw-r--r-- | gitano-admin/rules/defines.lace | 4 | ||||
-rw-r--r-- | gitano-admin/rules/other-project.lace | 2 | ||||
-rw-r--r-- | gitano-admin/rules/selfchecks.lace | 2 | ||||
-rw-r--r-- | units/lighttpd-git.service (renamed from units/lighttpd.service) | 2 | ||||
-rw-r--r-- | units/lighttpd-morph-cache.service | 7 |
11 files changed, 115 insertions, 17 deletions
@@ -6,8 +6,7 @@ install: for I in $$(cd units; ls); do \ ln -sf ../$$I "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants/$$I"; \ done - mkdir -p "${DESTDIR}/etc" - cp etc/* "${DESTDIR}/etc" + cp -r etc "${DESTDIR}" mkdir -p "${DESTDIR}/var/www/htdocs" cp http-assets/* "${DESTDIR}/var/www/htdocs" ln -s cgit "${DESTDIR}/var/www/htdocs/cgi-bin" @@ -18,3 +17,9 @@ install: cp bins/* "${DESTDIR}/usr/bin/" mkdir -p "${DESTDIR}/usr/share/trove-setup" cp -r share/* "${DESTDIR}/usr/share/trove-setup/" + + ln -s /usr/lib/gitano/bin/gitano-command.cgi \ + "${DESTDIR}/var/www/htdocs/gitano-command.cgi" + + ln -s /usr/lib/gitano/bin/gitano-smart-http.cgi \ + "${DESTDIR}/var/www/htdocs/gitano-smart-http.cgi" diff --git a/bins/trove-early-setup b/bins/trove-early-setup index 6d7f9ef..eea068d 100755 --- a/bins/trove-early-setup +++ b/bins/trove-early-setup @@ -18,7 +18,7 @@ # -*- Make -*- -all: substitutions-done gitano-configured lorry-configured cache-configured mason-configured nfs-configured +all: substitutions-done gitano-configured lorry-configured cache-configured mason-configured nfs-configured cert-generated USERS := git lorry cache mason @@ -134,3 +134,13 @@ mason-configured: /home/git/.mason-setup .PHONY: nfs-configured nfs-configured: /etc/exports + +/home/git/.cert-generated: + mkdir -p /etc/lighttpd/certs + echo -ne '\n\n\n\n\n\n\n' | openssl req -new -x509 \ + -keyout /etc/lighttpd/certs/lighttpd.pem \ + -out /etc/lighttpd/certs/lighttpd.pem -days 36525 -nodes + touch $@ + +.PHONY: cert-generated +cert-generated: /home/git/.cert-generated diff --git a/etc/gitano-setup.clod b/etc/gitano-setup.clod index 96377c2..b63aeb6 100644 --- a/etc/gitano-setup.clod +++ b/etc/gitano-setup.clod @@ -13,4 +13,6 @@ admin.keyname "trove" site.name "##TROVE_TITLE## for ##TROVE_COMPANY##" log.prefix "##TROVE_LOG_PREFIX##" +use.htpasswd "yes" + setup.batch = true diff --git a/etc/lighttpd/git-auth.conf b/etc/lighttpd/git-auth.conf new file mode 100644 index 0000000..9b7a010 
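Review bot: The private key generated by the new `/home/git/.cert-generated` rule in bins/trove-early-setup is written to `/etc/lighttpd/certs/lighttpd.pem` with whatever mode root's umask yields, and nothing in the rule tightens it, so the TLS key is most likely readable by every local account (git, lorry, cache, mason). Feeding `openssl req` blank answers via `echo -ne` also leaves the certificate with an empty subject, so no client can ever match it against the trove's hostname, and the key size is silently whatever the local openssl.cnf defaults to. I would replace the piped answers with `-subj`, set the key size explicitly and create the file under a restrictive umask, as below; lighttpd presumably reads the pemfile while still root, before switching to `server.username`, but if it does not, the file must instead be owned by git with mode 0600. Putting key and certificate in one file is fine for lighttpd, and 36525 days is a 100-year self-signed certificate, which is acceptable for a bootstrap cert only if operators are expected to replace it.
```makefile
/home/git/.cert-generated:
	mkdir -p /etc/lighttpd/certs
	umask 077 && openssl req -new -x509 -newkey rsa:2048 -nodes \
	    -subj "/CN=$$(hostname -f)" -days 36525 \
	    -keyout /etc/lighttpd/certs/lighttpd.pem \
	    -out /etc/lighttpd/certs/lighttpd.pem
	chmod 0600 /etc/lighttpd/certs/lighttpd.pem
	touch $@
```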
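Review bot: `use.htpasswd "yes"` switches on gitano's htpasswd support, but the commit does not say where gitano writes that file, while etc/lighttpd/git-auth.conf reads the fixed path `/home/git/htpasswd`; if the two ever disagree, basic auth will quietly reject every user rather than fail loudly. A one-line comment next to the setting would tie them together: `# lighttpd's git-auth.conf reads the htpasswd file from /home/git/htpasswd; keep the two in sync`. It is also worth confirming that the hash format gitano's `passwd` command produces is one lighttpd's htpasswd backend can verify (I believe the lighttpd of this era accepts crypt() and APR-MD5 entries only).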
--- /dev/null
+++ b/etc/lighttpd/git-auth.conf
@@ -0,0 +1,10 @@
+auth.require = (
+ "/" => (
+ "method" => "basic",
+ "realm" => "Git Access",
+ "require" => "valid-user"
+ )
+)
+
+auth.backend = "htpasswd"
+auth.backend.htpasswd.userfile = "/home/git/htpasswd"
diff --git a/etc/lighttpd/git-httpd.conf b/etc/lighttpd/git-httpd.conf
new file mode 100644
index 0000000..94e9c26
--- /dev/null
+++ b/etc/lighttpd/git-httpd.conf
@@ -0,0 +1,67 @@
+server.document-root = "/var/www/htdocs"
+
+server.port = 80
+
+server.username = "git"
+server.groupname = "git"
+
+server.modules = (
+ "mod_access",
+ "mod_alias",
+ "mod_compress",
+ "mod_redirect",
+ "mod_cgi",
+ "mod_auth",
+ "mod_setenv",
+)
+
+$SERVER["socket"] == ":443" {
+ ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
+}
+
+index-file.names = ("index.html")
+
+cgi.assign = ("gitano-command.cgi" => "/usr/bin/lua5.1",
+ "gitano-smart-http.cgi" => "/usr/bin/lua5.1",
+ "cgit.cgi" => ""
+)
+cgi.execute-x-only = "enable"
+
+mimetype.assign = (
+ ".html" => "text/html",
+ ".txt" => "text/plain",
+ ".jpg" => "image/jpeg",
+ ".png" => "image/png",
+ ".css" => "text/css"
+)
+
+$HTTP["url"] =~ ".*/gitano-command.cgi$" {
+ setenv.add-environment = (
+ "HOME" => "/home/git",
+ "GITANO_ROOT" => "/home/git/repos"
+ )
+}
+
+$HTTP["url"] =~ "^/git/.*$" {
+ alias.url += ( "/git" => "/var/www/htdocs/gitano-smart-http.cgi" )
+
+ cgi.assign = ("" => "")
+ setenv.add-environment = (
+ "GIT_HTTP_EXPORT_ALL" => "",
+ "GIT_PROJECT_ROOT" => "/home/git/repos",
+ "HOME" => "/home/git",
+ "GITANO_ROOT" => "/home/git/repos"
+ )
+}
+
+$HTTP["scheme"] == "https" {
+ include "git-auth.conf"
+
+ $HTTP["querystring"] =~ "service=git-receive-pack" {
+ include "git-auth.conf"
+ }
+
+ $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
+ include "git-auth.conf"
+ }
+}
diff --git a/etc/lighttpd.conf b/etc/lighttpd/morph-cache-httpd.conf
index a69407f..65b9b22 100644
--- a/etc/lighttpd.conf
+++ b/etc/lighttpd/morph-cache-httpd.conf
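Review bot: git-auth.conf has no header stating its contract: it puts basic auth on `/`, which sends the password across the wire in clear text, so it is only safe to include from an https scope (git-httpd.conf does exactly that, but nothing in this file says so, and the next person to reuse it will not know). I would add at the top: `# Basic auth against /home/git/htpasswd. Include ONLY from inside a $HTTP["scheme"] == "https" block: basic auth sends the password in clear text.` The userfile path is also duplicated with gitano's own configuration, so a second comment naming who writes that file (gitano's passwd command, presumably) would help whoever moves it later.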
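Review bot: Nothing in git-httpd.conf protects the plain-http listener: `auth.require` is only pulled in under `$HTTP["scheme"] == "https"`, so on port 80 `gitano-command.cgi` and `/git/<repo>/git-receive-pack` run with no credentials at all and the request reaches gitano as its anonymous user, leaving the lace ruleset as the only thing between an unauthenticated push and the repositories. Since mod_access and mod_redirect are already loaded, I would deny (or redirect to https) those endpoints on the http scheme, as in the fence below. Inside the https block the top-level `include "git-auth.conf"` already applies to every URL, so the two nested includes for receive-pack are dead code; note this also demands a login for cgit and for clones over https, which may or may not be what the "anonymous clones over http" goal intends. The `:443` socket block sets no `ssl.use-sslv2`/`ssl.use-sslv3` or `ssl.cipher-list`, so protocol and cipher defaults are whatever this lighttpd build ships; if the version in use supports those options, disabling SSLv2/SSLv3 and pinning a cipher list is cheap.
```conf
# Plain http carries no credentials (auth is only enabled under https
# below), so refuse the endpoints that only make sense authenticated.
$HTTP["scheme"] == "http" {
    $HTTP["url"] =~ "^/(gitano-command\.cgi|git/.*/git-receive-pack)$" {
        url.access-deny = ( "" )
    }
    $HTTP["querystring"] =~ "service=git-receive-pack" {
        url.access-deny = ( "" )
    }
}

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.cipher-list = "HIGH:!aNULL:!MD5"
}
# … unchanged: index-file, cgi.assign, mimetype.assign, setenv blocks …
$HTTP["scheme"] == "https" {
    include "git-auth.conf"
}
```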
@@ -1,16 +1,12 @@ server.document-root = "/var/www/htdocs" -server.port = 80 +server.port = 8080 -server.username = "git" -server.groupname = "git" +server.username = "cache" +server.groupname = "cache" server.modules += ("mod_cgi", "mod_fastcgi") -index-file.names = ("index.html") - -cgi.assign = ("cgit.cgi" => "") - mimetype.assign = ( ".html" => "text/html", ".txt" => "text/plain", @@ -19,7 +15,6 @@ mimetype.assign = ( ".css" => "text/css" ) - $SERVER["socket"] == ":8080" { server.username = "cache" server.groupname = "cache" @@ -37,11 +32,9 @@ $SERVER["socket"] == ":8080" { ) } - $SERVER["socket"] == ":8081" { server.username = "cache" - server.groupname = "cache" - fastcgi.server = ( + server.groupname = "cache" fastcgi.server = ( "" => ( "python-fcgi" => diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace index ab49034..380948a 100644 --- a/gitano-admin/rules/defines.lace +++ b/gitano-admin/rules/defines.lace @@ -13,13 +13,15 @@ # User/group related define is_admin group gitano-admin define is_owner owner ${user} +define is_anonymous user gitano/anonymous define if_asanother as_user ~. # Self-related operations define op_whoami operation whoami define op_sshkey operation sshkey -define op_self anyof op_whoami op_sshkey +define op_passwd operation passwd +define op_self anyof op_whoami op_sshkey op_passwd # Admin-related operations diff --git a/gitano-admin/rules/other-project.lace b/gitano-admin/rules/other-project.lace index a42c06a..7bc80cc 100644 --- a/gitano-admin/rules/other-project.lace +++ b/gitano-admin/rules/other-project.lace @@ -12,7 +12,7 @@ # There are two classes of accessors here. Lorry and Others allow "Anyone may read here" op_read -allow "Anyone may write here" op_write +allow "Anyone may write here" op_write !is_anonymous # Lorry can do anything reffy which is not inside the local refs allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref 
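Review bot: The last hunk of morph-cache-httpd.conf deliberately joins two statements onto one line, `server.groupname = "cache" fastcgi.server = (`, replacing the two separate lines the old file had; even if lighttpd's parser tolerates a missing newline between assignments, it reads as an editing accident, and I would restore the break (`server.groupname = "cache"` then `fastcgi.server = (` on its own line). The same joined form appears in git-httpd.conf's `:443` block (`ssl.engine = "enable" ssl.pemfile = ...`), so if it is intentional a comment saying so would stop the next reader from "fixing" it. This lighttpd now runs as `cache` but keeps `/var/www/htdocs` as its document root, the same directory that now holds the gitano CGI symlinks, and with the cgit `cgi.assign` removed from this file anything there is served as a static file on this listener unless the `:8080`/`:8081` blocks, which continue past the end of the hunk, override the document root; worth checking, and giving the cache server its own root if they do not.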
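Review bot: The `!is_anonymous` guard on the `op_write` allow in other-project.lace matters more than it looks, because git-httpd.conf requires no credentials on plain http, so this rule is what actually stops an unauthenticated `git push` over port 80. Any other lace file that grants `op_write` (the project-local rules are not part of this diff) needs the same guard or an unauthenticated push will succeed there; a comment on this line would make the dependency explicit: `# lighttpd does not authenticate plain-http pushes; anonymous must be refused here`. If lace's rule ordering permits it, a single `deny` of `op_write is_anonymous` ahead of the per-project allows would be safer than repeating the guard in every file.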
diff --git a/gitano-admin/rules/selfchecks.lace b/gitano-admin/rules/selfchecks.lace index 44e96bd..83ef778 100644 --- a/gitano-admin/rules/selfchecks.lace +++ b/gitano-admin/rules/selfchecks.lace @@ -11,3 +11,5 @@ allow "You may ask who you are" op_whoami allow "You may manage your own ssh keys" op_sshkey + +allow "You may change your own password" op_passwd diff --git a/units/lighttpd.service b/units/lighttpd-git.service index 589a595..b2f6315 100644 --- a/units/lighttpd.service +++ b/units/lighttpd-git.service @@ -3,5 +3,5 @@ Description=Lighttpd Web Server After=network.target [Service] -ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd.conf -D +ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd/git-httpd.conf -D Restart=always diff --git a/units/lighttpd-morph-cache.service b/units/lighttpd-morph-cache.service new file mode 100644 index 0000000..cedd071 --- /dev/null +++ b/units/lighttpd-morph-cache.service @@ -0,0 +1,7 @@ +[Unit] +Description=Lighttpd Web Server +After=network.target + +[Service] +ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd/morph-cache-httpd.conf -D +Restart=always |
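Review bot: The new `allow "You may change your own password" op_passwd` in selfchecks.lace carries no `!is_anonymous` guard, unlike the `op_write` rule this series adds in other-project.lace, so as far as the ruleset is concerned the anonymous http user is permitted to run `passwd` (and, via the existing rule, `sshkey`). Gitano itself may refuse these for gitano/anonymous, but I cannot see that from here, and the ruleset should not depend on it; I would write `allow "You may change your own password" op_passwd !is_anonymous` and apply the same to the sshkey line. A short comment above the self-service rules noting that "self" never means the anonymous user would document the intent.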
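Review bot: units/lighttpd-morph-cache.service copies `Description=Lighttpd Web Server` verbatim from the git unit, so `systemctl status` and the journal will show two identically named services; `Description=Lighttpd Web Server (morph cache server)` on this unit, with a matching rename in lighttpd-git.service, tells them apart. Neither unit sets `User=`, which is correct because lighttpd drops to `server.username` itself, but a comment to that effect (`# lighttpd drops privileges itself via server.username; do not add User=`) would stop someone later adding `User=cache` and breaking the bind to the listening ports.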