From e2250e8bfe649d3372f7782719f1869b61d2077b Mon Sep 17 00:00:00 2001 From: Pedro Alvarez Date: Mon, 9 Nov 2015 16:47:46 +0000 Subject: lighttpd: Add support for installing SSL certs Change-Id: I33c74dc19e5835c65740f483aae89a1e8e415f0c --- ansible/roles/trove-setup/tasks/lighttpd.yml | 24 ++++++- .../trove-setup/templates/lighttpd/git-httpd.conf | 74 ++++++++++++++++++++++ etc/lighttpd/git-httpd.conf | 71 --------------------- 3 files changed, 96 insertions(+), 73 deletions(-) create mode 100644 ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf delete mode 100644 etc/lighttpd/git-httpd.conf diff --git a/ansible/roles/trove-setup/tasks/lighttpd.yml b/ansible/roles/trove-setup/tasks/lighttpd.yml index d757b5d..d460c51 100644 --- a/ansible/roles/trove-setup/tasks/lighttpd.yml +++ b/ansible/roles/trove-setup/tasks/lighttpd.yml 
@@ -7,12 +7,32 @@ -keyout /etc/lighttpd/certs/lighttpd.pem \ -out /etc/lighttpd/certs/lighttpd.pem -days 36525 -nodes creates=/etc/lighttpd/certs/lighttpd.pem + when: TROVE_SSL_PEMFILE is not defined + +- name: Copy pemfile certificate for lighttpd if provided + copy: + src: "{{ TROVE_SSL_PEMFILE }}" + dest: /etc/lighttpd/certs/lighttpd.pem + mode: 0400 + when: TROVE_SSL_PEMFILE is defined + +- name: Copy ca-certs certificate for lighttpd if provided + copy: + src: "{{ TROVE_SSL_CA_FILE }}" + dest: /etc/lighttpd/certs/ca-certs.pem + mode: 0400 + when: TROVE_SSL_CA_FILE is defined - name: Create /var/run/lighttpd for cache user file: path=/var/run/lighttpd state=directory owner=cache group=cache -# Now that the lighttpd certificates and the /var/run/lighttpd exist, we can -# enable the lighttpd-git service +- name: Create git-httpd.conf from template + template: + src: lighttpd/git-httpd.conf + dest: /etc/lighttpd/git-httpd.conf + +# Now that the lighttpd certificates, configuration files and /var/run/lighttpd +# exist, we can enable the lighttpd-git service - name: Enable lighttpd-git service service: name=lighttpd-git.service enabled=yes register: lighttpd_git_service diff --git a/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf b/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf new file mode 100644 index 0000000..8b4a22e --- /dev/null +++ b/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf 
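Review bot: The self-signed pemfile written by the openssl task at the top of the hunk holds the private key (`-keyout` and `-out` point at the same file) but gets no explicit mode, so it is left at whatever the umask gives, while the operator-supplied copy is installed with `mode: 0400`; a `file: path=/etc/lighttpd/certs/lighttpd.pem mode=0400` task right after it would make both paths equally strict (the openssl task itself begins above the hunk). The two copy tasks and the new template task carry no `notify`, so on a host where lighttpd-git is already running a replaced certificate or a re-rendered git-httpd.conf is presumably not picked up until something restarts the service, unless a later task acting on `lighttpd_git_service` does that. Since lighttpd's `ssl.pemfile` expects key and certificate together, the `Copy pemfile certificate` task deserves `# TROVE_SSL_PEMFILE must contain the private key and the certificate in one PEM file`. The template task could also take `validate: "lighttpd -t -f %s"` so a broken render is rejected before the service is enabled.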
@@ -0,0 +1,74 @@ +server.document-root = "/var/www/htdocs" + +server.port = 80 + +server.username = "git" +server.groupname = "git" + +server.modules = ( + "mod_access", + "mod_alias", + "mod_compress", + "mod_redirect", + "mod_cgi", + "mod_auth", + "mod_setenv", +) + +$SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem" +{% if TROVE_SSL_CA_FILE is defined %} ssl.ca-file = "/etc/lighttpd/certs/ca-certs.pem" +{% endif %} +} + +index-file.names = ("index.html") + +cgi.assign = ("gitano-command.cgi" => "/usr/bin/lua5.1", + "gitano-smart-http.cgi" => "/usr/bin/lua5.1", + "cgit.cgi" => "" +) +cgi.execute-x-only = "enable" + +mimetype.assign = ( + ".html" => "text/html", + ".txt" => "text/plain", + ".jpg" => "image/jpeg", + ".png" => "image/png", + ".css" => "text/css" +) + +$HTTP["url"] =~ "^/releases(/|$)" { + server.dir-listing = "enable" +} + +$HTTP["url"] =~ ".*/gitano-command.cgi$" { + setenv.add-environment = ( + "HOME" => "/home/git", + "GITANO_ROOT" => "/home/git/repos" + ) +} + +$HTTP["url"] =~ "^/git/.*$" { + alias.url += ( "/git" => "/var/www/htdocs/gitano-smart-http.cgi" ) + + cgi.assign = ("" => "") + setenv.add-environment = ( + "GIT_HTTP_EXPORT_ALL" => "", + "GIT_PROJECT_ROOT" => "/home/git/repos", + "HOME" => "/home/git", + "GITANO_ROOT" => "/home/git/repos" + ) +} + +$HTTP["scheme"] == "https" { + include "git-auth.conf" + + $HTTP["querystring"] =~ "service=git-receive-pack" { + include "git-auth.conf" + } + + $HTTP["url"] =~ "^/git/.*/git-receive-pack$" { + include "git-auth.conf" + } +} diff --git a/etc/lighttpd/git-httpd.conf b/etc/lighttpd/git-httpd.conf deleted file mode 100644 index dea86de..0000000 --- a/etc/lighttpd/git-httpd.conf +++ /dev/null 
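Review bot: The `$SERVER["socket"] == ":443"` block enables TLS with only `ssl.pemfile` and the conditional `ssl.ca-file`, leaving protocol versions and cipher suites at the lighttpd build's defaults, which on older 1.4 releases still include SSLv3 and weak ciphers; adding `ssl.use-sslv3 = "disable"`, `ssl.honor-cipher-order = "enable"` and an explicit `ssl.cipher-list = "..."` next to `ssl.pemfile` would pin that regardless of which lighttpd the image ships. A comment on the templated line would help operators, since in lighttpd 1.4 `ssl.ca-file` is sent to clients as the certificate chain and only doubles as a client-certificate trust store when `ssl.verifyclient.activate` is set (it is not here): `# ssl.ca-file: intermediate chain for the TROVE_SSL_PEMFILE certificate; not client-cert auth`. The rest of the file is carried over from etc/lighttpd/git-httpd.conf, so the fact that `git-auth.conf` is included only under `$HTTP["scheme"] == "https"` while port 80 stays open with `mod_redirect` loaded but no redirect rule is pre-existing, but it is worth a follow-up now that the file is templated.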
@@ -1,71 +0,0 @@ -server.document-root = "/var/www/htdocs" - -server.port = 80 - -server.username = "git" -server.groupname = "git" - -server.modules = ( - "mod_access", - "mod_alias", - "mod_compress", - "mod_redirect", - "mod_cgi", - "mod_auth", - "mod_setenv", -) - -$SERVER["socket"] == ":443" { - ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem" -} - -index-file.names = ("index.html") - -cgi.assign = ("gitano-command.cgi" => "/usr/bin/lua5.1", - "gitano-smart-http.cgi" => "/usr/bin/lua5.1", - "cgit.cgi" => "" -) -cgi.execute-x-only = "enable" - -mimetype.assign = ( - ".html" => "text/html", - ".txt" => "text/plain", - ".jpg" => "image/jpeg", - ".png" => "image/png", - ".css" => "text/css" -) - -$HTTP["url"] =~ "^/releases(/|$)" { - server.dir-listing = "enable" -} - -$HTTP["url"] =~ ".*/gitano-command.cgi$" { - setenv.add-environment = ( - "HOME" => "/home/git", - "GITANO_ROOT" => "/home/git/repos" - ) -} - -$HTTP["url"] =~ "^/git/.*$" { - alias.url += ( "/git" => "/var/www/htdocs/gitano-smart-http.cgi" ) - - cgi.assign = ("" => "") - setenv.add-environment = ( - "GIT_HTTP_EXPORT_ALL" => "", - "GIT_PROJECT_ROOT" => "/home/git/repos", - "HOME" => "/home/git", - "GITANO_ROOT" => "/home/git/repos" - ) -} - -$HTTP["scheme"] == "https" { - include "git-auth.conf" - - $HTTP["querystring"] =~ "service=git-receive-pack" { - include "git-auth.conf" - } - - $HTTP["url"] =~ "^/git/.*/git-receive-pack$" { - include "git-auth.conf" - } -} -- cgit v1.2.1