-rw-r--r--Makefile9
-rwxr-xr-xbins/trove-early-setup12
-rw-r--r--etc/gitano-setup.clod2
-rw-r--r--etc/lighttpd/git-auth.conf10
-rw-r--r--etc/lighttpd/git-httpd.conf67
-rw-r--r--etc/lighttpd/morph-cache-httpd.conf (renamed from etc/lighttpd.conf)15
-rw-r--r--gitano-admin/rules/defines.lace4
-rw-r--r--gitano-admin/rules/other-project.lace2
-rw-r--r--gitano-admin/rules/selfchecks.lace2
-rw-r--r--units/lighttpd-git.service (renamed from units/lighttpd.service)2
-rw-r--r--units/lighttpd-morph-cache.service7
11 files changed, 115 insertions, 17 deletions
diff --git a/Makefile b/Makefile
index 34996f6..453c01e 100644
--- a/Makefile
+++ b/Makefile
@@ -6,8 +6,7 @@ install:
for I in $$(cd units; ls); do \
ln -sf ../$$I "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants/$$I"; \
done
- mkdir -p "${DESTDIR}/etc"
- cp etc/* "${DESTDIR}/etc"
+ cp -r etc "${DESTDIR}"
mkdir -p "${DESTDIR}/var/www/htdocs"
cp http-assets/* "${DESTDIR}/var/www/htdocs"
ln -s cgit "${DESTDIR}/var/www/htdocs/cgi-bin"
@@ -18,3 +17,9 @@ install:
cp bins/* "${DESTDIR}/usr/bin/"
mkdir -p "${DESTDIR}/usr/share/trove-setup"
cp -r share/* "${DESTDIR}/usr/share/trove-setup/"
+
+ ln -s /usr/lib/gitano/bin/gitano-command.cgi \
+ "${DESTDIR}/var/www/htdocs/gitano-command.cgi"
+
+ ln -s /usr/lib/gitano/bin/gitano-smart-http.cgi \
+ "${DESTDIR}/var/www/htdocs/gitano-smart-http.cgi"
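Review bot: The two new `ln -s` calls fail the install as soon as the link already exists in `${DESTDIR}`, unlike the `ln -sf` the same recipe already uses for the systemd wants links earlier in the rule; `ln -sf /usr/lib/gitano/bin/gitano-command.cgi "${DESTDIR}/var/www/htdocs/gitano-command.cgi"` and `ln -sf /usr/lib/gitano/bin/gitano-smart-http.cgi "${DESTDIR}/var/www/htdocs/gitano-smart-http.cgi"` make the target re-runnable. Worth a comment above them as well, since these links are what the `cgi.assign` entries in git-httpd.conf resolve and the document root is also served by the morph-cache listener: `# gitano CGIs are symlinked into the document root; only git-httpd.conf may execute them`. The install recipe starts before this hunk.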
diff --git a/bins/trove-early-setup b/bins/trove-early-setup
index 6d7f9ef..eea068d 100755
--- a/bins/trove-early-setup
+++ b/bins/trove-early-setup
@@ -18,7 +18,7 @@
# -*- Make -*-
-all: substitutions-done gitano-configured lorry-configured cache-configured mason-configured nfs-configured
+all: substitutions-done gitano-configured lorry-configured cache-configured mason-configured nfs-configured cert-generated
USERS := git lorry cache mason
@@ -134,3 +134,13 @@ mason-configured: /home/git/.mason-setup
.PHONY: nfs-configured
nfs-configured: /etc/exports
+
+/home/git/.cert-generated:
+ mkdir -p /etc/lighttpd/certs
+ echo -ne '\n\n\n\n\n\n\n' | openssl req -new -x509 \
+ -keyout /etc/lighttpd/certs/lighttpd.pem \
+ -out /etc/lighttpd/certs/lighttpd.pem -days 36525 -nodes
+ touch $@
+
+.PHONY: cert-generated
+cert-generated: /home/git/.cert-generated
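Review bot: The private key written by `openssl req -keyout` on the new recipe line is created with whatever the early-setup process's umask and the installed OpenSSL version allow, and nothing here tightens it, so on a permissive umask the TLS key can end up world-readable under `/etc/lighttpd/certs`; lighttpd appears to read `ssl.pemfile` before dropping to the `git` user, so a root-only `umask 077` around the call costs nothing. Feeding the interactive prompts via `echo -ne '\n\n\n\n\n\n\n'` is fragile too: under a `sh` that is dash, `echo -ne` prints `-ne` literally as the first answer, and the subject and key size then depend on the system openssl.cnf defaults (the CN is left empty), where `-batch`, `-subj` and an explicit `-newkey rsa:2048` make the result deterministic. A 100-year `-days 36525` is also unusual for a bootstrap certificate; a decade is plenty and may be rejected less often by clients with validity caps. Rewritten recipe below; the hostname expression is a placeholder if trove already substitutes a host name elsewhere.
```make
/home/git/.cert-generated:
	mkdir -p /etc/lighttpd/certs
	# root-only key: the pem holds the private key as well as the cert
	umask 077 && openssl req -new -x509 -batch -nodes -newkey rsa:2048 \
	    -subj "/CN=$$(hostname -f)" -days 3650 \
	    -keyout /etc/lighttpd/certs/lighttpd.pem \
	    -out /etc/lighttpd/certs/lighttpd.pem
	touch $@
```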
diff --git a/etc/gitano-setup.clod b/etc/gitano-setup.clod
index 96377c2..b63aeb6 100644
--- a/etc/gitano-setup.clod
+++ b/etc/gitano-setup.clod
@@ -13,4 +13,6 @@ admin.keyname "trove"
site.name "##TROVE_TITLE## for ##TROVE_COMPANY##"
log.prefix "##TROVE_LOG_PREFIX##"
+use.htpasswd "yes"
+
setup.batch = true
diff --git a/etc/lighttpd/git-auth.conf b/etc/lighttpd/git-auth.conf
new file mode 100644
index 0000000..9b7a010
--- /dev/null
+++ b/etc/lighttpd/git-auth.conf
@@ -0,0 +1,10 @@
+auth.require = (
+ "/" => (
+ "method" => "basic",
+ "realm" => "Git Access",
+ "require" => "valid-user"
+ )
+)
+
+auth.backend = "htpasswd"
+auth.backend.htpasswd.userfile = "/home/git/htpasswd"
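Review bot: The file documents neither who owns `/home/git/htpasswd` nor which hash formats the backend will accept, and both decide whether this realm actually protects anything: the file is read by lighttpd running as `git` (per git-httpd.conf), so it should be `0600 git:git`, and as far as I recall lighttpd 1.4's htpasswd backend only verifies crypt(3), `$apr1$` and `{SHA}` entries, so the writer that gitano's new `use.htpasswd` setting enables must emit one of those or every login silently fails — confirm against the lighttpd version shipped. A header along the lines of `# Read by lighttpd as user git; keep /home/git/htpasswd 0600 git:git. Only crypt/apr1/{SHA} hashes are verified by this backend.` would record that. Also note that `"/" => valid-user` covers every URL on whichever socket includes this file, not just git operations, which matters for how git-httpd.conf includes it.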
diff --git a/etc/lighttpd/git-httpd.conf b/etc/lighttpd/git-httpd.conf
new file mode 100644
index 0000000..94e9c26
--- /dev/null
+++ b/etc/lighttpd/git-httpd.conf
@@ -0,0 +1,67 @@
+server.document-root = "/var/www/htdocs"
+
+server.port = 80
+
+server.username = "git"
+server.groupname = "git"
+
+server.modules = (
+ "mod_access",
+ "mod_alias",
+ "mod_compress",
+ "mod_redirect",
+ "mod_cgi",
+ "mod_auth",
+ "mod_setenv",
+)
+
+$SERVER["socket"] == ":443" {
+ ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
+}
+
+index-file.names = ("index.html")
+
+cgi.assign = ("gitano-command.cgi" => "/usr/bin/lua5.1",
+ "gitano-smart-http.cgi" => "/usr/bin/lua5.1",
+ "cgit.cgi" => ""
+)
+cgi.execute-x-only = "enable"
+
+mimetype.assign = (
+ ".html" => "text/html",
+ ".txt" => "text/plain",
+ ".jpg" => "image/jpeg",
+ ".png" => "image/png",
+ ".css" => "text/css"
+)
+
+$HTTP["url"] =~ ".*/gitano-command.cgi$" {
+ setenv.add-environment = (
+ "HOME" => "/home/git",
+ "GITANO_ROOT" => "/home/git/repos"
+ )
+}
+
+$HTTP["url"] =~ "^/git/.*$" {
+ alias.url += ( "/git" => "/var/www/htdocs/gitano-smart-http.cgi" )
+
+ cgi.assign = ("" => "")
+ setenv.add-environment = (
+ "GIT_HTTP_EXPORT_ALL" => "",
+ "GIT_PROJECT_ROOT" => "/home/git/repos",
+ "HOME" => "/home/git",
+ "GITANO_ROOT" => "/home/git/repos"
+ )
+}
+
+$HTTP["scheme"] == "https" {
+ include "git-auth.conf"
+
+ $HTTP["querystring"] =~ "service=git-receive-pack" {
+ include "git-auth.conf"
+ }
+
+ $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
+ include "git-auth.conf"
+ }
+}
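Review bot: Nothing refuses `git-receive-pack` on the cleartext port-80 listener: the `^/git/` alias hands every request, pushes included, to gitano-smart-http on both sockets, and the only authentication in this file is inside `$HTTP["scheme"] == "https"`, so an unauthenticated HTTP push is stopped solely by gitano's `!is_anonymous` lace rule rather than by the web server. Since `mod_access` is already loaded, deny receive-pack on the http scheme outright (below) instead of leaving the path open or offering basic auth over cleartext. Within the https block the top-level `include "git-auth.conf"` already demands `valid-user` for `/`, so the two nested includes for receive-pack can never add anything — keep them only if the intent is to drop the blanket include and allow anonymous fetches over TLS, otherwise remove them so the policy reads as one rule. Finally, `ssl.engine = "enable" ssl.pemfile = ...` sits on a single line; split it into two statements and run `lighttpd -t -f git-httpd.conf` before shipping.
```lighttpd
# … unchanged: modules, cgi.assign, mimetypes, /git alias and setenv …

# Pushes are never accepted over cleartext; they must arrive on the :443 socket.
$HTTP["scheme"] == "http" {
    $HTTP["querystring"] =~ "service=git-receive-pack" {
        url.access-deny = ( "" )
    }
    $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
        url.access-deny = ( "" )
    }
}

# … unchanged: $HTTP["scheme"] == "https" block …
```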
diff --git a/etc/lighttpd.conf b/etc/lighttpd/morph-cache-httpd.conf
index a69407f..65b9b22 100644
--- a/etc/lighttpd.conf
+++ b/etc/lighttpd/morph-cache-httpd.conf
@@ -1,16 +1,12 @@
server.document-root = "/var/www/htdocs"
-server.port = 80
+server.port = 8080
-server.username = "git"
-server.groupname = "git"
+server.username = "cache"
+server.groupname = "cache"
server.modules += ("mod_cgi", "mod_fastcgi")
-index-file.names = ("index.html")
-
-cgi.assign = ("cgit.cgi" => "")
-
mimetype.assign = (
".html" => "text/html",
".txt" => "text/plain",
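Review bot: `server.document-root` stays at `/var/www/htdocs`, the same tree the git listener serves and into which the Makefile in this commit symlinks `gitano-command.cgi` and `gitano-smart-http.cgi`, while this hunk drops the `cgi.assign` that used to execute `.cgi` files; unless the `:8080` socket block below overrides the document root, the cache listener will now serve those scripts (and `cgit.cgi`) as static files, since lighttpd follows symlinks by default. The cache server does not appear to need the git htdocs at all, so give it its own directory (`server.document-root = "/var/www/morph-cache"`), or at least add `mod_access` to `server.modules` and `url.access-deny = ( ".cgi" )`. The top-level `server.username`/`server.groupname` also duplicate the per-socket settings that follow; one of the two copies can go, with a comment saying which is authoritative.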
@@ -19,7 +15,6 @@ mimetype.assign = (
".css" => "text/css"
)
-
$SERVER["socket"] == ":8080" {
server.username = "cache"
server.groupname = "cache"
@@ -37,11 +32,9 @@ $SERVER["socket"] == ":8080" {
)
}
-
$SERVER["socket"] == ":8081" {
server.username = "cache"
- server.groupname = "cache"
- fastcgi.server = (
+ server.groupname = "cache" fastcgi.server = (
"" =>
(
"python-fcgi" =>
diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace
index ab49034..380948a 100644
--- a/gitano-admin/rules/defines.lace
+++ b/gitano-admin/rules/defines.lace
@@ -13,13 +13,15 @@
# User/group related
define is_admin group gitano-admin
define is_owner owner ${user}
+define is_anonymous user gitano/anonymous
define if_asanother as_user ~.
# Self-related operations
define op_whoami operation whoami
define op_sshkey operation sshkey
-define op_self anyof op_whoami op_sshkey
+define op_passwd operation passwd
+define op_self anyof op_whoami op_sshkey op_passwd
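Review bot: `is_anonymous` is the identity every deny rule in this commit hinges on, yet nothing records where the literal `gitano/anonymous` comes from or which code path assigns it; a reader cannot tell from the rules whether it is gitano's built-in pseudo-user for unauthenticated smart-http requests or a local account that must exist in the user database. Add a comment above the define, hedged until confirmed: `# gitano/anonymous: pseudo-user gitano reports for unauthenticated HTTP access — confirm this is the name the installed gitano uses`. The same holds for `op_passwd`, which only makes sense with the htpasswd-backed HTTP auth this commit enables and deserves a one-line note saying so.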
# Admin-related operations
diff --git a/gitano-admin/rules/other-project.lace b/gitano-admin/rules/other-project.lace
index a42c06a..7bc80cc 100644
--- a/gitano-admin/rules/other-project.lace
+++ b/gitano-admin/rules/other-project.lace
@@ -12,7 +12,7 @@
# There are two classes of accessors here. Lorry and Others
allow "Anyone may read here" op_read
-allow "Anyone may write here" op_write
+allow "Anyone may write here" op_write !is_anonymous
# Lorry can do anything reffy which is not inside the local refs
allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref
diff --git a/gitano-admin/rules/selfchecks.lace b/gitano-admin/rules/selfchecks.lace
index 44e96bd..83ef778 100644
--- a/gitano-admin/rules/selfchecks.lace
+++ b/gitano-admin/rules/selfchecks.lace
@@ -11,3 +11,5 @@
allow "You may ask who you are" op_whoami
allow "You may manage your own ssh keys" op_sshkey
+
+allow "You may change your own password" op_passwd
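Review bot: The new `op_passwd` allow carries no `!is_anonymous` guard, unlike the write rule this commit adds in other-project.lace, so if an unauthenticated smart-http request can reach `gitano-command.cgi` at all the anonymous pseudo-user is permitted by this rule to run `passwd` — whether gitano itself refuses that is not visible here, so treat it as defence in depth: `allow "You may change your own password" op_passwd !is_anonymous`. A short comment noting that `passwd` only has meaning once `use.htpasswd` is enabled would also help the next reader of these self-check rules.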
diff --git a/units/lighttpd.service b/units/lighttpd-git.service
index 589a595..b2f6315 100644
--- a/units/lighttpd.service
+++ b/units/lighttpd-git.service
@@ -3,5 +3,5 @@ Description=Lighttpd Web Server
After=network.target
[Service]
-ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd.conf -D
+ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd/git-httpd.conf -D
Restart=always
diff --git a/units/lighttpd-morph-cache.service b/units/lighttpd-morph-cache.service
new file mode 100644
index 0000000..cedd071
--- /dev/null
+++ b/units/lighttpd-morph-cache.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Lighttpd Web Server
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd/morph-cache-httpd.conf -D
+Restart=always
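Review bot: `Description=Lighttpd Web Server` is byte-identical to the description in `lighttpd-git.service`, so `systemctl status` and journal output for the two listeners become indistinguishable; use `Description=Lighttpd Web Server (morph cache, :8080/:8081)` here and the equivalent in the git unit. Both units start lighttpd as root and rely on `server.username` in the config to drop privileges, which is fine, but a `[Install]` section is absent and the Makefile links the unit into `multi-user.target.wants` by hand — a comment stating that the wants link is created at install time would stop someone adding `WantedBy=` and enabling it twice.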