manifests/nginx.pp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

# @summary Manages nginx resources for cgit
# @api private
class cgit::nginx {

  if ($cgit::certname == undef) {
    nginx::resource::server { 'cgit':
      server_name          => [ $cgit::server_name, ],
      access_log           => 'absent',
      error_log            => 'absent',
      index_files          => [],
      try_files            => [ '$uri', '@cgit' ],
      ssl                  => false,
      use_default_location => true,
      www_root             => $cgit::root,
    }
  } else {
    nginx::resource::server { 'cgit':
      server_name          => [ $cgit::server_name, ],
      access_log           => 'absent',
      error_log            => 'absent',
      index_files          => [],
      try_files            => [ '$uri', '@cgit' ],
      ssl                  => true,
      ssl_cert             => "/etc/letsencrypt/live/${cgit::certname}/fullchain.pem",
      ssl_key              => "/etc/letsencrypt/live/${cgit::certname}/privkey.pem",
      use_default_location => true,
      www_root             => $cgit::root,
      ssl_redirect         => true,
    }
  }

  nginx::resource::location { '@cgit':
    fastcgi_params => 'fastcgi_params',
    fastcgi_param  => {
      'SCRIPT_FILENAME' => '/usr/lib/cgit/cgit.cgi',
      'PATH_INFO'       => '$fastcgi_script_name',
      'QUERY_STRING'    => '$args',
    },
    ssl_only       => $cgit::certname != undef,
    fastcgi        => 'unix:/run/fcgiwrap.socket',
    server         => [
      'cgit',
    ],
  }

  file { $cgit::htpasswd:
    ensure  => file,
    content => $cgit::users.map |$user| {
      [$user['name'], $user['pass']].join(':')
    }.join("\n")
  }

  # TODO each repo name should be regex-escaped
  $re = $cgit::public_repos.join('|')

  nginx::resource::location { "~ ^(/(${re})\\.git/.*)" :
      server         => 'cgit',
      ssl_only       => $cgit::certname != undef,
      priority       => 450,
      fastcgi        => 'unix:/run/fcgiwrap.socket',
      fastcgi_params => 'fastcgi_params',
      fastcgi_param  => {
        'SCRIPT_FILENAME'     => '/usr/lib/git-core/git-http-backend',
        'GIT_PROJECT_ROOT'    => $cgit::scan_path,
        'GIT_HTTP_EXPORT_ALL' => '""',
        'PATH_INFO'           => '$1',
      }
  }


  nginx::resource::location { '~ (.*\.git/.*)':
    server              => 'cgit',
    ssl_only            => $cgit::certname != undef,
    location_cfg_append => {
      auth_basic           => '"CGit login"',
      auth_basic_user_file => $cgit::htpasswd,
    },
    fastcgi             => 'unix:/run/fcgiwrap.socket',
    fastcgi_params      => 'fastcgi_params',
    fastcgi_param       => {
      'SCRIPT_FILENAME'     => '/usr/lib/git-core/git-http-backend',
      'GIT_PROJECT_ROOT'    => $cgit::scan_path,
      'GIT_HTTP_EXPORT_ALL' => '""',
      'PATH_INFO'           => '$1',
    }
  }

}