From dc583b1054d1cde492f0d33095a3dea2c8a2ac14 Mon Sep 17 00:00:00 2001
From: Richard Ipsum
Date: Wed, 29 Jan 2014 17:44:29 +0000
Subject: Make trove-early-setup generate certificate

---
 bins/trove-early-setup | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/bins/trove-early-setup b/bins/trove-early-setup
index 6d7f9ef..eea068d 100755
--- a/bins/trove-early-setup
+++ b/bins/trove-early-setup
@@ -18,7 +18,7 @@
 # -*- Make -*-
-all: substitutions-done gitano-configured lorry-configured cache-configured mason-configured nfs-configured
+all: substitutions-done gitano-configured lorry-configured cache-configured mason-configured nfs-configured cert-generated
 USERS := git lorry cache mason
@@ -134,3 +134,13 @@ mason-configured: /home/git/.mason-setup
 .PHONY: nfs-configured
 nfs-configured: /etc/exports
+
+/home/git/.cert-generated:
+ mkdir -p /etc/lighttpd/certs
+ echo -ne '\n\n\n\n\n\n\n' | openssl req -new -x509 \
+ -keyout /etc/lighttpd/certs/lighttpd.pem \
+ -out /etc/lighttpd/certs/lighttpd.pem -days 36525 -nodes
+ touch $@
+
+.PHONY: cert-generated
+cert-generated: /home/git/.cert-generated
-- 
cgit v1.2.1

From 1cbec8113c62286bcd3190a9a3448723f23994ac Mon Sep 17 00:00:00 2001
From: Richard Ipsum
Date: Tue, 4 Feb 2014 11:43:18 +0000
Subject: Recursively copy etc to DESTDIR

---
 Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 34996f6..242ab57 100644
--- a/Makefile
+++ b/Makefile
@@ -6,8 +6,7 @@ install:
 for I in $$(cd units; ls); do \
 ln -sf ../$$I "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants/$$I"; \
 done
- mkdir -p "${DESTDIR}/etc"
- cp etc/* "${DESTDIR}/etc"
+ cp -r etc "${DESTDIR}"
 mkdir -p "${DESTDIR}/var/www/htdocs"
 cp http-assets/* "${DESTDIR}/var/www/htdocs"
 ln -s cgit "${DESTDIR}/var/www/htdocs/cgi-bin"
-- 
cgit v1.2.1

From a9a7ea2a7ecba39ff663ce79d377e4d5abdb1687 Mon Sep 17 00:00:00 2001
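Review bot: The private key produced by the openssl recipe lands in `/etc/lighttpd/certs/lighttpd.pem` with whatever mode the process umask yields, and `-nodes` leaves it unencrypted, so on a default umask the key is readable by every local account; the recipe should run under a restrictive umask (or chmod the file) before `touch $@` records the target as done. The empty answers piped into `openssl req` also give a certificate with no subject, so clients have nothing to match against the host, and no key size is requested, so whichever default this openssl build ships with applies. Passing `-subj` and `-newkey rsa:2048` and prefixing the call with `umask 077 &&` addresses all three without changing the target; the CN below is a placeholder to be filled from the existing `##...##` substitution scheme.
```makefile
/home/git/.cert-generated:
	mkdir -p /etc/lighttpd/certs
	umask 077 && openssl req -new -x509 -newkey rsa:2048 -nodes \
		-subj '/CN=<trove-hostname-placeholder>' \
		-keyout /etc/lighttpd/certs/lighttpd.pem \
		-out /etc/lighttpd/certs/lighttpd.pem -days 36525
	touch $@
```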
From: Richard Ipsum
Date: Thu, 30 Jan 2014 11:37:42 +0000
Subject: Install symbolic links to gitano cgis into htdocs

---
 Makefile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Makefile b/Makefile
index 242ab57..453c01e 100644
--- a/Makefile
+++ b/Makefile
@@ -17,3 +17,9 @@ install:
 cp bins/* "${DESTDIR}/usr/bin/"
 mkdir -p "${DESTDIR}/usr/share/trove-setup"
 cp -r share/* "${DESTDIR}/usr/share/trove-setup/"
+
+ ln -s /usr/lib/gitano/bin/gitano-command.cgi \
+ "${DESTDIR}/var/www/htdocs/gitano-command.cgi"
+
+ ln -s /usr/lib/gitano/bin/gitano-smart-http.cgi \
+ "${DESTDIR}/var/www/htdocs/gitano-smart-http.cgi"
-- 
cgit v1.2.1

From 246e2405b8d76c46b8a49de6fd1311c936e6b852 Mon Sep 17 00:00:00 2001
From: Richard Ipsum
Date: Thu, 30 Jan 2014 11:23:40 +0000
Subject: Reconfigure lighttpd

We now run two separate httpds, one for morph-cache-server and one for git-httpd. We do this because we want to run morph-cache-server as the cache user and git-httpd as the git user
---
 etc/lighttpd.conf | 56 -------------------------------
 etc/lighttpd/git-auth.conf | 10 ++++++
 etc/lighttpd/git-httpd.conf | 67 +++++++++++++++++++++++++++++++++++++
 etc/lighttpd/morph-cache-httpd.conf | 49 +++++++++++++++++++++++++++
 4 files changed, 126 insertions(+), 56 deletions(-)
 delete mode 100644 etc/lighttpd.conf
 create mode 100644 etc/lighttpd/git-auth.conf
 create mode 100644 etc/lighttpd/git-httpd.conf
 create mode 100644 etc/lighttpd/morph-cache-httpd.conf

diff --git a/etc/lighttpd.conf b/etc/lighttpd.conf
deleted file mode 100644
index a69407f..0000000
--- a/etc/lighttpd.conf
+++ /dev/null
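Review bot: The two new `ln -s` lines fail with "File exists" when `make install` is run a second time into an already populated DESTDIR, whereas the unit-file loop earlier in the same target uses `ln -sf`; use `ln -sf` for both new links so the target stays idempotent. The links point at absolute paths under `/usr/lib/gitano/bin`, so they dangle inside DESTDIR and only resolve on the installed system, which is worth a one-line comment above them such as `# absolute targets: resolved on the installed system, not inside DESTDIR`. The install target begins outside the hunk.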
@@ -1,56 +0,0 @@
-server.document-root = "/var/www/htdocs"
-
-server.port = 80
-
-server.username = "git"
-server.groupname = "git"
-
-server.modules += ("mod_cgi", "mod_fastcgi")
-
-index-file.names = ("index.html")
-
-cgi.assign = ("cgit.cgi" => "")
-
-mimetype.assign = (
- ".html" => "text/html",
- ".txt" => "text/plain",
- ".jpg" => "image/jpeg",
- ".png" => "image/png",
- ".css" => "text/css"
-)
-
-
-$SERVER["socket"] == ":8080" {
- server.username = "cache"
- server.groupname = "cache"
- fastcgi.server = (
- "" =>
- (
- "python-fcgi" =>
- (
- "socket" => "/var/run/lighttpd/morph-cache-server.socket",
- "bin-path" => "/usr/bin/morph-cache-server --config=/etc/morph-cache-server.conf",
- "check-local" => "disable",
- "max-procs" => 4,
- )
- )
- )
-}
-
-
-$SERVER["socket"] == ":8081" {
- server.username = "cache"
- server.groupname = "cache"
- fastcgi.server = (
- "" =>
- (
- "python-fcgi" =>
- (
- "socket" => "/var/run/lighttpd/morph-cache-server-write.socket",
- "bin-path" => "/usr/bin/morph-cache-server --config=/etc/morph-cache-server-write.conf",
- "check-local" => "disable",
- "max-procs" => 1,
- )
- )
- )
-}
diff --git a/etc/lighttpd/git-auth.conf b/etc/lighttpd/git-auth.conf
new file mode 100644
index 0000000..9b7a010
--- /dev/null
+++ b/etc/lighttpd/git-auth.conf
@@ -0,0 +1,10 @@
+auth.require = (
+ "/" => (
+ "method" => "basic",
+ "realm" => "Git Access",
+ "require" => "valid-user"
+ )
+)
+
+auth.backend = "htpasswd"
+auth.backend.htpasswd.userfile = "/home/git/htpasswd"
diff --git a/etc/lighttpd/git-httpd.conf b/etc/lighttpd/git-httpd.conf
new file mode 100644
index 0000000..94e9c26
--- /dev/null
+++ b/etc/lighttpd/git-httpd.conf
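Review bot: git-auth.conf demands a valid user for every URL under "/" through HTTP basic auth, which only keeps the credentials private when the scope that includes the file is TLS-only, yet nothing in the file records that constraint. A header comment such as `# Basic auth sends credentials in the clear: only include this file from an https-scoped block.` would stop a future include from exposing the `/home/git/htpasswd` logins over port 80. The userfile sits under the git user's home so the `git`-owned lighttpd from git-httpd.conf can read it, but nothing visible in this series sets that file's mode; it should be created unreadable to other local users.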
@@ -0,0 +1,67 @@
+server.document-root = "/var/www/htdocs"
+
+server.port = 80
+
+server.username = "git"
+server.groupname = "git"
+
+server.modules = (
+ "mod_access",
+ "mod_alias",
+ "mod_compress",
+ "mod_redirect",
+ "mod_cgi",
+ "mod_auth",
+ "mod_setenv",
+)
+
+$SERVER["socket"] == ":443" {
+ ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
+}
+
+index-file.names = ("index.html")
+
+cgi.assign = ("gitano-command.cgi" => "/usr/bin/lua5.1",
+ "gitano-smart-http.cgi" => "/usr/bin/lua5.1",
+ "cgit.cgi" => ""
+)
+cgi.execute-x-only = "enable"
+
+mimetype.assign = (
+ ".html" => "text/html",
+ ".txt" => "text/plain",
+ ".jpg" => "image/jpeg",
+ ".png" => "image/png",
+ ".css" => "text/css"
+)
+
+$HTTP["url"] =~ ".*/gitano-command.cgi$" {
+ setenv.add-environment = (
+ "HOME" => "/home/git",
+ "GITANO_ROOT" => "/home/git/repos"
+ )
+}
+
+$HTTP["url"] =~ "^/git/.*$" {
+ alias.url += ( "/git" => "/var/www/htdocs/gitano-smart-http.cgi" )
+
+ cgi.assign = ("" => "")
+ setenv.add-environment = (
+ "GIT_HTTP_EXPORT_ALL" => "",
+ "GIT_PROJECT_ROOT" => "/home/git/repos",
+ "HOME" => "/home/git",
+ "GITANO_ROOT" => "/home/git/repos"
+ )
+}
+
+$HTTP["scheme"] == "https" {
+ include "git-auth.conf"
+
+ $HTTP["querystring"] =~ "service=git-receive-pack" {
+ include "git-auth.conf"
+ }
+
+ $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
+ include "git-auth.conf"
+ }
+}
diff --git a/etc/lighttpd/morph-cache-httpd.conf b/etc/lighttpd/morph-cache-httpd.conf
new file mode 100644
index 0000000..65b9b22
--- /dev/null
+++ b/etc/lighttpd/morph-cache-httpd.conf
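Review bot: Inside the `$HTTP["scheme"] == "https"` block the first `include "git-auth.conf"` already requires a valid user for every URL, so the two nested includes keyed on `service=git-receive-pack` and `^/git/.*/git-receive-pack$` never refine anything; if the intent is anonymous clone over https with authentication only on push, the outer include should go, and if all of https is meant to be authenticated the nested ones are dead configuration. Either way, `git-receive-pack` over port 80 carries no HTTP-level auth in this file, so write protection there rests entirely on gitano's own ruleset (the later `!is_anonymous` commit in this series), which deserves a comment next to the `/git/` block. `GIT_HTTP_EXPORT_ALL` in that block exports every repository under `GIT_PROJECT_ROOT` to the smart-http CGI regardless of per-repository export markers, which is presumably what gitano-smart-http.cgi expects but should be stated in a comment. The `ssl.engine` and `ssl.pemfile` statements share one line; one statement per line would match the rest of the file.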
@@ -0,0 +1,49 @@
+server.document-root = "/var/www/htdocs"
+
+server.port = 8080
+
+server.username = "cache"
+server.groupname = "cache"
+
+server.modules += ("mod_cgi", "mod_fastcgi")
+
+mimetype.assign = (
+ ".html" => "text/html",
+ ".txt" => "text/plain",
+ ".jpg" => "image/jpeg",
+ ".png" => "image/png",
+ ".css" => "text/css"
+)
+
+$SERVER["socket"] == ":8080" {
+ server.username = "cache"
+ server.groupname = "cache"
+ fastcgi.server = (
+ "" =>
+ (
+ "python-fcgi" =>
+ (
+ "socket" => "/var/run/lighttpd/morph-cache-server.socket",
+ "bin-path" => "/usr/bin/morph-cache-server --config=/etc/morph-cache-server.conf",
+ "check-local" => "disable",
+ "max-procs" => 4,
+ )
+ )
+ )
+}
+
+$SERVER["socket"] == ":8081" {
+ server.username = "cache"
+ server.groupname = "cache" fastcgi.server = (
+ "" =>
+ (
+ "python-fcgi" =>
+ (
+ "socket" => "/var/run/lighttpd/morph-cache-server-write.socket",
+ "bin-path" => "/usr/bin/morph-cache-server --config=/etc/morph-cache-server-write.conf",
+ "check-local" => "disable",
+ "max-procs" => 1,
+ )
+ )
+ )
+}
-- 
cgit v1.2.1

From 3b0161527e6c90b48422f6e873a606534d769e9f Mon Sep 17 00:00:00 2001
From: Richard Ipsum
Date: Tue, 4 Feb 2014 15:53:51 +0000
Subject: Reconfigure lighttpd systemd units

---
 units/lighttpd-git.service | 7 +++++++
 units/lighttpd-morph-cache.service | 7 +++++++
 units/lighttpd.service | 7 -------
 3 files changed, 14 insertions(+), 7 deletions(-)
 create mode 100644 units/lighttpd-git.service
 create mode 100644 units/lighttpd-morph-cache.service
 delete mode 100644 units/lighttpd.service

diff --git a/units/lighttpd-git.service b/units/lighttpd-git.service
new file mode 100644
index 0000000..b2f6315
--- /dev/null
+++ b/units/lighttpd-git.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Lighttpd Web Server
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd/git-httpd.conf -D
+Restart=always
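Review bot: `server.port = 8080` at the top and the `$SERVER["socket"] == ":8080"` block both bind the same port, and the `server.username`/`server.groupname` lines inside each socket block repeat the global values set at the top, so much of this file is carried over from the old combined lighttpd.conf where the per-socket user switch mattered; dropping the in-block username/groupname lines and the duplicate port makes the cache-only config read as intended. The `:8081` socket fronts what the config names the write server (`morph-cache-server-write.conf`) yet appears to listen on all interfaces exactly like the read socket; whether that endpoint is meant to be reachable beyond the local host is not visible here and should be confirmed and recorded in a comment above the block. `server.modules += (...)` also differs in style from the explicit `server.modules = (...)` list in git-httpd.conf; using the same form in both files would be clearer.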
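Review bot: Both new units carry the identical `Description=Lighttpd Web Server` (here and in units/lighttpd-morph-cache.service), so `systemctl status` and journal output cannot tell the git-facing instance from the cache instance; use `Description=Lighttpd Web Server (git-httpd)` and `Description=Lighttpd Web Server (morph-cache-server)`. Neither unit has an `[Install]` section, which looks intentional given that the Makefile's install target symlinks units into multi-user.target.wants directly, but a one-line comment saying so would save the next reader the search. The `-D` flag keeps lighttpd in the foreground, which is what the default service type expects.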
diff --git a/units/lighttpd-morph-cache.service b/units/lighttpd-morph-cache.service
new file mode 100644
index 0000000..cedd071
--- /dev/null
+++ b/units/lighttpd-morph-cache.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Lighttpd Web Server
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd/morph-cache-httpd.conf -D
+Restart=always
diff --git a/units/lighttpd.service b/units/lighttpd.service
deleted file mode 100644
index 589a595..0000000
--- a/units/lighttpd.service
+++ /dev/null
@@ -1,7 +0,0 @@
-[Unit]
-Description=Lighttpd Web Server
-After=network.target
-
-[Service]
-ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd.conf -D
-Restart=always
-- 
cgit v1.2.1

From 736fda0beb6502f20923939e1c1df91e68b6919a Mon Sep 17 00:00:00 2001
From: Richard Ipsum
Date: Thu, 6 Feb 2014 17:40:38 +0000
Subject: Update ruleset

Allow users to change their own password
---
 gitano-admin/rules/defines.lace | 3 ++-
 gitano-admin/rules/selfchecks.lace | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace
index ab49034..edc832f 100644
--- a/gitano-admin/rules/defines.lace
+++ b/gitano-admin/rules/defines.lace
@@ -19,7 +19,8 @@ define if_asanother as_user ~.
 # Self-related operations
 define op_whoami operation whoami
 define op_sshkey operation sshkey
-define op_self anyof op_whoami op_sshkey
+define op_passwd operation passwd
+define op_self anyof op_whoami op_sshkey op_passwd
 # Admin-related operations
diff --git a/gitano-admin/rules/selfchecks.lace b/gitano-admin/rules/selfchecks.lace
index 44e96bd..83ef778 100644
--- a/gitano-admin/rules/selfchecks.lace
+++ b/gitano-admin/rules/selfchecks.lace
@@ -11,3 +11,5 @@ allow "You may ask who you are" op_whoami
 allow "You may manage your own ssh keys" op_sshkey
+
+allow "You may change your own password" op_passwd
-- 
cgit v1.2.1

From cbe4f92eac8fabb0112eeeaa2077c3f40a93c645 Mon Sep 17 00:00:00 2001
From: Richard Ipsum
Date: Tue, 11 Feb 2014 12:44:26 +0000
Subject: Use htpasswd by default

---
 etc/gitano-setup.clod | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/etc/gitano-setup.clod b/etc/gitano-setup.clod
index 96377c2..b63aeb6 100644
--- a/etc/gitano-setup.clod
+++ b/etc/gitano-setup.clod
@@ -13,4 +13,6 @@ admin.keyname "trove"
 site.name "##TROVE_TITLE## for ##TROVE_COMPANY##"
 log.prefix "##TROVE_LOG_PREFIX##"
+use.htpasswd "yes"
+
 setup.batch = true
-- 
cgit v1.2.1

From 3cae76a89764172af36aab2fe3dd51896085fdc7 Mon Sep 17 00:00:00 2001
From: Richard Ipsum
Date: Wed, 12 Feb 2014 11:55:45 +0000
Subject: Add is_anonymous predicate to ruleset

---
 gitano-admin/rules/defines.lace | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace
index edc832f..380948a 100644
--- a/gitano-admin/rules/defines.lace
+++ b/gitano-admin/rules/defines.lace
@@ -13,6 +13,7 @@
 # User/group related
 define is_admin group gitano-admin
 define is_owner owner ${user}
+define is_anonymous user gitano/anonymous
 define if_asanother as_user ~.
-- 
cgit v1.2.1

From 1fce00cc9c87b86055f116547d14fc94cc7842ea Mon Sep 17 00:00:00 2001
From: Richard Ipsum
Date: Wed, 12 Feb 2014 11:56:06 +0000
Subject: Anonymous user cannot write

---
 gitano-admin/rules/other-project.lace | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gitano-admin/rules/other-project.lace b/gitano-admin/rules/other-project.lace
index a42c06a..7bc80cc 100644
--- a/gitano-admin/rules/other-project.lace
+++ b/gitano-admin/rules/other-project.lace
@@ -12,7 +12,7 @@
 # There are two classes of accessors here. Lorry and Others
 allow "Anyone may read here" op_read
-allow "Anyone may write here" op_write
+allow "Anyone may write here" op_write !is_anonymous
 # Lorry can do anything reffy which is not inside the local refs
 allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref
-- 
cgit v1.2.1
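Review bot: The message on the changed rule still reads `"Anyone may write here"` while the rule now excludes `is_anonymous`, so the text gitano reports for this decision no longer describes it; use `allow "Any authenticated user may write here" op_write !is_anonymous`. Only other-project.lace is touched by this commit; if other rule files under gitano-admin/rules grant `op_write` without this predicate, anonymous pushes would still be permitted through them, which cannot be checked from this hunk. The `is_anonymous` predicate relies on the smart-http path presenting unauthenticated requests as the `gitano/anonymous` user, which presumably is how gitano-smart-http.cgi behaves but is worth a comment beside the define in defines.lace.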