From e2efe48b245cf89e0a1f101233b5b05fa975c93b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Thu, 30 Dec 2021 00:20:37 +0100 Subject: Move cgit setup to module. --- manifests/site.pp | 89 +++++------------------------------------ modules/cgit/manifests/init.pp | 20 +++++++++ modules/cgit/manifests/nginx.pp | 85 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 114 insertions(+), 80 deletions(-) create mode 100644 modules/cgit/manifests/nginx.pp diff --git a/manifests/site.pp b/manifests/site.pp index 1fca9eb..34ed9a7 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -154,24 +154,27 @@ node 'hornquist.se' { ], } - $cgit_root = '/var/www/cgit' $blog_root = '/var/www/blog' + $certname = 'hornquist' class { '::cgit': - root => $cgit_root, + root => '/var/www/cgit', root_title => 'Hornquist Git Repositiories', root_desc => 'ᛏᚨᚾᛞᛖᛋ᛫ᛖᚾᛞᚨᛋᛏ᛫ᛗᛟᛏ᛫ᛚᚨᛞᚨᚾᛋ᛫ᛈᛚᚨᚾ', + about_filter => 'hugo-pre.sh', auth_filter => 'hugo-authentication.lua', source_filter => 'hugo-highlighting.sh', + scan_path => '/home/git/git', - enable_http_clone => false, + enable_http_clone => false, clone_url => [ - 'https://git.hornquist.se/$CGIT_REPO_URL', - 'https://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL', + 'https://git.hornquist.se/$CGIT_REPO_URL.git', 'git@hornquist.se:git/$CGIT_REPO_URL.git', - '(HTTP_only_for_public_repos)', ], + manage_server => 'nginx', + server_name => 'git.hornquist.se', + certname => $certname, } # https://buddy.works/blog/how-deploy-projects-with-git @@ -219,7 +222,6 @@ node 'hornquist.se' { }, } - $certname = 'hornquist' class { '::letsencrypt': config => { 
@@ -325,79 +327,6 @@ node 'hornquist.se' { www_root => '/var/www/wiki/public/html', } - nginx::resource::server { 'cgit': - server_name => [ - 'git.hornquist.se', - ], - access_log => 'absent', - error_log => 'absent', - index_files => [], - try_files => [ '$uri', '@cgit' ], - ssl => true, - ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem", - ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem", - use_default_location => true, - www_root => $cgit_root, - ssl_redirect => true, - # /usr/lib/cgit/cgit.cgi - # /usr/share/cgit/cgit.css - } - - nginx::resource::location { '@cgit': - fastcgi_params => 'fastcgi_params', - fastcgi_param => { - 'SCRIPT_FILENAME' => '/usr/lib/cgit/cgit.cgi', - 'PATH_INFO' => '$fastcgi_script_name', - 'QUERY_STRING' => '$args', - }, - ssl_only => true, - fastcgi => 'unix:/run/fcgiwrap.socket', - server => [ - 'cgit', - ], - } - - $cgit_htpasswd = '/var/lib/nginx/cgit-htpasswd' - file { $cgit_htpasswd: - ensure => file, - content => $cgit::users.map |$user| { - [$user['name'], $user['pass']].join(':') - }.join("\n") - } - - nginx::resource::location { - $cgit::public_repos.map |$repo| { "~ ^(/${repo}\\.git/.*)" }: - server => 'cgit', - ssl_only => true, - priority => 450, - fastcgi => 'unix:/run/fcgiwrap.socket', - fastcgi_params => 'fastcgi_params', - fastcgi_param => { - 'SCRIPT_FILENAME' => '/usr/lib/git-core/git-http-backend', - 'GIT_PROJECT_ROOT' => '/home/git/git', - 'GIT_HTTP_EXPORT_ALL' => '""', - 'PATH_INFO' => '$1', - } - } - - - nginx::resource::location { '~ (.*\.git/.*)': - server => 'cgit', - ssl_only => true, - location_cfg_append => { - auth_basic => '"CGit login"', - auth_basic_user_file => $cgit_htpasswd, - }, - fastcgi => 'unix:/run/fcgiwrap.socket', - fastcgi_params => 'fastcgi_params', - fastcgi_param => { - 'SCRIPT_FILENAME' => '/usr/lib/git-core/git-http-backend', - 'GIT_PROJECT_ROOT' => '/home/git/git', - 'GIT_HTTP_EXPORT_ALL' => '""', - 'PATH_INFO' => '$1', - } - } - nginx::resource::location { '/': 
try_files => ['$uri', '$uri/', '=404'], index_files => [], diff --git a/modules/cgit/manifests/init.pp b/modules/cgit/manifests/init.pp index f7897bf..e788703 100644 --- a/modules/cgit/manifests/init.pp +++ b/modules/cgit/manifests/init.pp @@ -13,11 +13,19 @@ class cgit ( Array[Struct[{ name => String, pass => String }]] $users = [], + Variant[Boolean, Enum['nginx']] $manage_server = false, + Optional[String] $server_name = undef, + Optional[String] $certname = undef, ) { + notify { 'certname': + message => "Certname is [$certname]", + } + # TODO figure out where CSS comes from ensure_packages([ + 'git', 'cgit', ], { ensure => installed }) @@ -70,4 +78,16 @@ class cgit ( mode => '0444', } + if $manage_server { + if $server_name == undef { + fail('server_name must be set if manage_server is set') + } + } + + case $manage_server { + false: {} + 'nginx': { + include ::cgit::nginx + } + } } diff --git a/modules/cgit/manifests/nginx.pp b/modules/cgit/manifests/nginx.pp new file mode 100644 index 0000000..f2a1396 --- /dev/null +++ b/modules/cgit/manifests/nginx.pp 
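Review bot: The `notify { 'certname': ... }` resource added at the top of the class body reads like leftover debugging. A notify resource is reported as a change on every catalog run, so each node that includes `cgit` would show a non-empty change report every time, which makes real drift harder to spot. I would drop it, or replace it with the logging function `debug("cgit: certname is [${certname}]")`, which adds no resource to the catalog. The new parameters `manage_server`, `server_name` and `certname` are also undocumented; a `# @param` line for each would help, with the `certname` one stating that leaving it undef makes `cgit::nginx` build the server without TLS. The class body continues outside the hunk.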
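Review bot: `manage_server => true` is accepted by the declared type `Variant[Boolean, Enum['nginx']]` but matches neither branch of the new `case`, so it passes the `server_name` check and then silently configures no web server at all. Either narrow the type to `Variant[Boolean[false], Enum['nginx']]` or add `default: { fail("unsupported manage_server value: ${manage_server}") }` to the `case`, so that a misconfiguration fails catalog compilation instead of leaving the service unexposed or half set up.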
@@ -0,0 +1,85 @@
+class cgit::nginx {
+
+ if ($cgit::certname == undef) {
+ nginx::resource::server { 'cgit':
+ server_name => [ $cgit::server_name, ],
+ access_log => 'absent',
+ error_log => 'absent',
+ index_files => [],
+ try_files => [ '$uri', '@cgit' ],
+ ssl => false,
+ use_default_location => true,
+ www_root => $cgit_root,
+ }
+ } else {
+ nginx::resource::server { 'cgit':
+ server_name => [ $cgit::server_name, ],
+ access_log => 'absent',
+ error_log => 'absent',
+ index_files => [],
+ try_files => [ '$uri', '@cgit' ],
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${cgit::certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${cgit::certname}/privkey.pem",
+ use_default_location => true,
+ www_root => $cgit_root,
+ ssl_redirect => true,
+ }
+ }
+
+ nginx::resource::location { '@cgit':
+ fastcgi_params => 'fastcgi_params',
+ fastcgi_param => {
+ 'SCRIPT_FILENAME' => '/usr/lib/cgit/cgit.cgi',
+ 'PATH_INFO' => '$fastcgi_script_name',
+ 'QUERY_STRING' => '$args',
+ },
+ ssl_only => $cgit::certname != undef,
+ fastcgi => 'unix:/run/fcgiwrap.socket',
+ server => [
+ 'cgit',
+ ],
+ }
+
+ $cgit_htpasswd = '/var/lib/nginx/cgit-htpasswd'
+ file { $cgit_htpasswd:
+ ensure => file,
+ content => $cgit::users.map |$user| {
+ [$user['name'], $user['pass']].join(':')
+ }.join("\n")
+ }
+
+ nginx::resource::location {
+ $cgit::public_repos.map |$repo| { "~ ^(/${repo}\\.git/.*)" }:
+ server => 'cgit',
+ ssl_only => $cgit::certname != undef,
+ priority => 450,
+ fastcgi => 'unix:/run/fcgiwrap.socket',
+ fastcgi_params => 'fastcgi_params',
+ fastcgi_param => {
+ 'SCRIPT_FILENAME' => '/usr/lib/git-core/git-http-backend',
+ 'GIT_PROJECT_ROOT' => $cgit::scan_path,
+ 'GIT_HTTP_EXPORT_ALL' => '""',
+ 'PATH_INFO' => '$1',
+ }
+ }
+
+
+ nginx::resource::location { '~ (.*\.git/.*)':
+ server => 'cgit',
+ ssl_only => $cgit::certname != undef,
+ location_cfg_append => {
+ auth_basic => '"CGit login"',
+ auth_basic_user_file => $cgit_htpasswd,
+ },
+ fastcgi => 'unix:/run/fcgiwrap.socket',
+ fastcgi_params => 'fastcgi_params',
+ fastcgi_param => {
+ 'SCRIPT_FILENAME' => '/usr/lib/git-core/git-http-backend',
+ 'GIT_PROJECT_ROOT' => $cgit::scan_path,
+ 'GIT_HTTP_EXPORT_ALL' => '""',
+ 'PATH_INFO' => '$1',
+ }
+ }
+
+}
-- cgit v1.2.3
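Review bot: When `$cgit::certname` is undef the first branch builds the server with `ssl => false`, yet the `~ (.*\.git/.*)` location further down still enables `auth_basic`, so the htpasswd credentials for non-public repositories would travel over plain HTTP. I would refuse that combination near the top of the class, e.g. `if $cgit::certname == undef and $cgit::users != [] { fail('cgit::nginx: basic auth needs TLS, set certname') }`. Both server resources also set `www_root => $cgit_root`, a variable this class never defines and that the same commit removes from `manifests/site.pp`; `www_root => $cgit::root,` looks like what was intended. The `file { $cgit_htpasswd: }` resource writes credential material without `owner`, `group`, `mode` or `show_diff => false`, so its permissions are left to Puppet's default (typically world-readable for a new file) and content changes can appear in logs or reports where diffs are enabled.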