authorPedro Alvarez <pedro.alvarez@codethink.co.uk>2015-11-09 16:47:46 +0000
committerBaserock Gerrit <gerrit@baserock.org>2015-11-19 12:01:46 +0000
commite2250e8bfe649d3372f7782719f1869b61d2077b (patch)
tree6192a430d4efad7aba797823e0eb4fedb23e9c42 /ansible
parent6ffbc273fd17d7529b813a85374ba5cbba5f5072 (diff)
downloadtrove-setup-e2250e8bfe649d3372f7782719f1869b61d2077b.tar.gz
lighttpd: Add support for installing SSL certs
Change-Id: I33c74dc19e5835c65740f483aae89a1e8e415f0c
Diffstat (limited to 'ansible')
-rw-r--r--ansible/roles/trove-setup/tasks/lighttpd.yml24
-rw-r--r--ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf74
2 files changed, 96 insertions, 2 deletions
diff --git a/ansible/roles/trove-setup/tasks/lighttpd.yml b/ansible/roles/trove-setup/tasks/lighttpd.yml
index d757b5d..d460c51 100644
--- a/ansible/roles/trove-setup/tasks/lighttpd.yml
+++ b/ansible/roles/trove-setup/tasks/lighttpd.yml
@@ -7,12 +7,32 @@
-keyout /etc/lighttpd/certs/lighttpd.pem \
-out /etc/lighttpd/certs/lighttpd.pem -days 36525 -nodes
creates=/etc/lighttpd/certs/lighttpd.pem
+ when: TROVE_SSL_PEMFILE is not defined
+
+- name: Copy pemfile certificate for lighttpd if provided
+ copy:
+ src: "{{ TROVE_SSL_PEMFILE }}"
+ dest: /etc/lighttpd/certs/lighttpd.pem
+ mode: 0400
+ when: TROVE_SSL_PEMFILE is defined
+
+- name: Copy ca-certs certificate for lighttpd if provided
+ copy:
+ src: "{{ TROVE_SSL_CA_FILE }}"
+ dest: /etc/lighttpd/certs/ca-certs.pem
+ mode: 0400
+ when: TROVE_SSL_CA_FILE is defined
- name: Create /var/run/lighttpd for cache user
file: path=/var/run/lighttpd state=directory owner=cache group=cache
-# Now that the lighttpd certificates and the /var/run/lighttpd exist, we can
-# enable the lighttpd-git service
+- name: Create git-httpd.conf from template
+ template:
+ src: lighttpd/git-httpd.conf
+ dest: /etc/lighttpd/git-httpd.conf
+
+# Now that the lighttpd certificates, configuration files and /var/run/lighttpd
+# exist, we can enable the lighttpd-git service
- name: Enable lighttpd-git service
service: name=lighttpd-git.service enabled=yes
register: lighttpd_git_service
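Review bot: The task `Copy pemfile certificate for lighttpd if provided` installs the server's private key but leaves ownership implicit, and nothing visible in the hunk restarts lighttpd when the file changes. I would pin `owner: root` and `group: root` there (assuming lighttpd reads the file before dropping to the `git` user) and quote the mode as `mode: "0400"`, since an unquoted `0400` is only octal under YAML 1.1 parsing. A replaced certificate or a re-rendered git-httpd.conf takes effect only on a service restart, so unless the tasks after `register: lighttpd_git_service` (outside this hunk) handle it, these tasks need a `notify:` to a restart handler. Because `when: TROVE_SSL_PEMFILE is defined` is also true for an empty value, a comment stating that the variable must be a path to a PEM holding both key and certificate, as the generated lighttpd.pem does, would help.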
diff --git a/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf b/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf
new file mode 100644
index 0000000..8b4a22e
--- /dev/null
+++ b/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf
@@ -0,0 +1,74 @@
+server.document-root = "/var/www/htdocs"
+
+server.port = 80
+
+server.username = "git"
+server.groupname = "git"
+
+server.modules = (
+ "mod_access",
+ "mod_alias",
+ "mod_compress",
+ "mod_redirect",
+ "mod_cgi",
+ "mod_auth",
+ "mod_setenv",
+)
+
+$SERVER["socket"] == ":443" {
+ ssl.engine = "enable"
+ ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
+{% if TROVE_SSL_CA_FILE is defined %} ssl.ca-file = "/etc/lighttpd/certs/ca-certs.pem"
+{% endif %}
+}
+
+index-file.names = ("index.html")
+
+cgi.assign = ("gitano-command.cgi" => "/usr/bin/lua5.1",
+ "gitano-smart-http.cgi" => "/usr/bin/lua5.1",
+ "cgit.cgi" => ""
+)
+cgi.execute-x-only = "enable"
+
+mimetype.assign = (
+ ".html" => "text/html",
+ ".txt" => "text/plain",
+ ".jpg" => "image/jpeg",
+ ".png" => "image/png",
+ ".css" => "text/css"
+)
+
+$HTTP["url"] =~ "^/releases(/|$)" {
+ server.dir-listing = "enable"
+}
+
+$HTTP["url"] =~ ".*/gitano-command.cgi$" {
+ setenv.add-environment = (
+ "HOME" => "/home/git",
+ "GITANO_ROOT" => "/home/git/repos"
+ )
+}
+
+$HTTP["url"] =~ "^/git/.*$" {
+ alias.url += ( "/git" => "/var/www/htdocs/gitano-smart-http.cgi" )
+
+ cgi.assign = ("" => "")
+ setenv.add-environment = (
+ "GIT_HTTP_EXPORT_ALL" => "",
+ "GIT_PROJECT_ROOT" => "/home/git/repos",
+ "HOME" => "/home/git",
+ "GITANO_ROOT" => "/home/git/repos"
+ )
+}
+
+$HTTP["scheme"] == "https" {
+ include "git-auth.conf"
+
+ $HTTP["querystring"] =~ "service=git-receive-pack" {
+ include "git-auth.conf"
+ }
+
+ $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
+ include "git-auth.conf"
+ }
+}
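Review bot: The `$HTTP["scheme"] == "https"` block at the end is the only place `git-auth.conf` is included, while `server.port = 80` serves the same `/git/` alias and CGI handlers in clear text. If gitano-smart-http.cgi does not itself refuse unauthenticated `git-receive-pack` requests (not visible here), pushes over plain HTTP never reach the auth include; either deny or redirect those URLs when the scheme is `http`, or add a comment stating that the CGI enforces it. The two nested `include "git-auth.conf"` lines repeat the include already made at the top of the block, so either they are redundant or the outer one is unintended. The `:443` socket also sets no protocol or cipher policy; consider `ssl.use-sslv3 = "disable"` and an explicit `ssl.cipher-list` rather than relying on the lighttpd build's defaults.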