From 645b1c45e4253466b5b901a049d2388e0375e7b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Thu, 30 Dec 2021 00:20:37 +0100 Subject: Move cgit setup to module. --- manifests/init.pp | 20 +++++++++++++ manifests/nginx.pp | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 manifests/nginx.pp diff --git a/manifests/init.pp b/manifests/init.pp index f7897bf..e788703 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -13,11 +13,19 @@ class cgit ( Array[Struct[{ name => String, pass => String }]] $users = [], + Variant[Boolean, Enum['nginx']] $manage_server = false, + Optional[String] $server_name = undef, + Optional[String] $certname = undef, ) { + notify { 'certname': + message => "Certname is [$certname]", + } + # TODO figure out where CSS comes from ensure_packages([ + 'git', 'cgit', ], { ensure => installed }) @@ -70,4 +78,16 @@ class cgit ( mode => '0444', } + if $manage_server { + if $server_name == undef { + fail('server_name must be set if manage_server is set') + } + } + + case $manage_server { + false: {} + 'nginx': { + include ::cgit::nginx + } + } } diff --git a/manifests/nginx.pp b/manifests/nginx.pp new file mode 100644 index 0000000..f2a1396 --- /dev/null +++ b/manifests/nginx.pp 
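Review bot: The added `notify { 'certname': ... }` in the first `manifests/init.pp` hunk looks like leftover debugging. A notify resource reports a change on every agent run, so nodes applying this class never show a clean run and the certificate name lands in every report. I would drop it, or replace it with `debug("Certname is [${certname}]")` so it only appears when debug logging is requested. The new `$manage_server`, `$server_name` and `$certname` parameters also have no documentation in the hunk; a short comment for each, noting that `certname` selects the Let's Encrypt live directory and switches the server to TLS, would help. The class header and the rest of its body are outside this hunk.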
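Review bot: In the second `manifests/init.pp` hunk, `manage_server => true` is accepted by the `Variant[Boolean, Enum['nginx']]` type and passes the `server_name` check, but the `case` has no branch for it, so nothing is configured and no error is raised. Add `default: { fail("Unsupported manage_server value: ${manage_server}") }` to the `case`, or narrow the parameter to `Variant[Boolean[false], Enum['nginx']]`. The `server_name` guard could also move into the `'nginx'` branch so the requirement sits next to the code that needs it. The class starts outside this hunk.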
@@ -0,0 +1,85 @@
+class cgit::nginx {
+
+ if ($cgit::certname == undef) {
+ nginx::resource::server { 'cgit':
+ server_name => [ $cgit::server_name, ],
+ access_log => 'absent',
+ error_log => 'absent',
+ index_files => [],
+ try_files => [ '$uri', '@cgit' ],
+ ssl => false,
+ use_default_location => true,
+ www_root => $cgit_root,
+ }
+ } else {
+ nginx::resource::server { 'cgit':
+ server_name => [ $cgit::server_name, ],
+ access_log => 'absent',
+ error_log => 'absent',
+ index_files => [],
+ try_files => [ '$uri', '@cgit' ],
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${cgit::certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${cgit::certname}/privkey.pem",
+ use_default_location => true,
+ www_root => $cgit_root,
+ ssl_redirect => true,
+ }
+ }
+
+ nginx::resource::location { '@cgit':
+ fastcgi_params => 'fastcgi_params',
+ fastcgi_param => {
+ 'SCRIPT_FILENAME' => '/usr/lib/cgit/cgit.cgi',
+ 'PATH_INFO' => '$fastcgi_script_name',
+ 'QUERY_STRING' => '$args',
+ },
+ ssl_only => $cgit::certname != undef,
+ fastcgi => 'unix:/run/fcgiwrap.socket',
+ server => [
+ 'cgit',
+ ],
+ }
+
+ $cgit_htpasswd = '/var/lib/nginx/cgit-htpasswd'
+ file { $cgit_htpasswd:
+ ensure => file,
+ content => $cgit::users.map |$user| {
+ [$user['name'], $user['pass']].join(':')
+ }.join("\n")
+ }
+
+ nginx::resource::location {
+ $cgit::public_repos.map |$repo| { "~ ^(/${repo}\\.git/.*)" }:
+ server => 'cgit',
+ ssl_only => $cgit::certname != undef,
+ priority => 450,
+ fastcgi => 'unix:/run/fcgiwrap.socket',
+ fastcgi_params => 'fastcgi_params',
+ fastcgi_param => {
+ 'SCRIPT_FILENAME' => '/usr/lib/git-core/git-http-backend',
+ 'GIT_PROJECT_ROOT' => $cgit::scan_path,
+ 'GIT_HTTP_EXPORT_ALL' => '""',
+ 'PATH_INFO' => '$1',
+ }
+ }
+
+
+ nginx::resource::location { '~ (.*\.git/.*)':
+ server => 'cgit',
+ ssl_only => $cgit::certname != undef,
+ location_cfg_append => {
+ auth_basic => '"CGit login"',
+ auth_basic_user_file => $cgit_htpasswd,
+ },
+ fastcgi => 'unix:/run/fcgiwrap.socket',
+ fastcgi_params => 'fastcgi_params',
+ fastcgi_param => {
+ 'SCRIPT_FILENAME' => '/usr/lib/git-core/git-http-backend',
+ 'GIT_PROJECT_ROOT' => $cgit::scan_path,
+ 'GIT_HTTP_EXPORT_ALL' => '""',
+ 'PATH_INFO' => '$1',
+ }
+ }
+
+}
--
cgit v1.2.3
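Review bot: The `file { $cgit_htpasswd: ... }` resource writes the basic-auth credentials without `owner`, `group`, `mode` or `show_diff`, so the file gets the agent's default permissions and its contents can show up in agent output wherever file diffs are enabled. I would add `mode => '0640',` and `show_diff => false,` with the group set to the account the nginx workers run as, and document that `pass` must already be a hash in a format nginx accepts, since the value is written verbatim. When `certname` is undef the same `auth_basic` location is served with `ssl => false`, so those credentials cross the network in clear text; consider failing when `users` is non-empty and no certificate is configured. The public-repo pattern interpolates `${repo}` into a regex unescaped, so a name containing a regex metacharacter such as `.` matches more paths than intended, and those paths are answered before the authenticated location. Separately, `www_root => $cgit_root` reads a variable this class never assigns; it was presumably meant to be a qualified parameter of the `cgit` class, whose full parameter list is not visible here.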