From: Tom Hughes
Date: Thu, 21 Jun 2018 21:43:58 +0000 (+0100)
Subject: Enable https access to private git repositories
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/760d6ef7a14a6bcd89804c10aa9b20775f1af3fc?ds=sidebyside

Enable https access to private git repositories
---

diff --git a/cookbooks/chef/recipes/server.rb b/cookbooks/chef/recipes/server.rb
index 12c43840a..9581b1a56 100644
--- a/cookbooks/chef/recipes/server.rb
+++ b/cookbooks/chef/recipes/server.rb
@@ -84,6 +84,10 @@ service "chef-server" do
 subscribes :restart, "systemd_service[chef-server]"
 end
+git_allowed = search(:node, node[:git][:allowed_nodes]).collect do |n|
+ n.ipaddresses(:role => :external)
+end.flatten
+
 apache_module "alias"
 apache_module "proxy_http"
@@ -95,6 +99,7 @@ end
 apache_site "chef.openstreetmap.org" do
 template "apache.erb"
+ variables :git_allowed => git_allowed
 end
 template "/etc/cron.daily/chef-server-backup" do
diff --git a/cookbooks/chef/templates/default/apache.erb b/cookbooks/chef/templates/default/apache.erb
index 88684b82c..4f57bba7d 100644
--- a/cookbooks/chef/templates/default/apache.erb
+++ b/cookbooks/chef/templates/default/apache.erb
@@ -19,11 +19,18 @@
 CustomLog /var/log/apache2/chef.openstreetmap.org-access.log combined
 ErrorLog /var/log/apache2/chef.openstreetmap.org-error.log
+ DocumentRoot /var/lib/git
+
 SSLEngine on
 SSLProxyEngine on
 SSLCertificateFile /etc/ssl/certs/chef.openstreetmap.org.pem
 SSLCertificateKeyFile /etc/ssl/private/chef.openstreetmap.org.key
+ ProxyPassMatch ^/.*\.git/ !
 ProxyPass / https://<%= node[:fqdn] %>:4443/
 ProxyPreserveHost on
+
+
+ Require ip <%= @git_allowed.sort.join(" ") %>
+
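Review bot: In cookbooks/chef/recipes/server.rb, the `git_allowed` list built from `search(:node, node[:git][:allowed_nodes])` is used without any handling for an empty or partial search result, and it is the only input to the `Require ip` line in apache.erb. If the search returns nothing (for example a wrong query attribute or an index that is still rebuilding), the template renders `Require ip` with no addresses, which Apache will likely reject at config test or treat as matching nobody. Normalising with `git_allowed = git_allowed.compact.uniq` and skipping the git access block when `git_allowed.empty?` would make that case explicit. Since Chef nodes report their own attributes, a comment above the search such as `# allow list is derived from node data: any node matching this query can read the private repositories` would make the trust placed in the query visible.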
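Review bot: In cookbooks/chef/templates/default/apache.erb, `Require ip <%= @git_allowed.sort.join(" ") %>` is the only access control visible for the private repositories served from `DocumentRoot /var/lib/git`, so any account or service able to originate a request from an allowed address can read every repository. The tags of the enclosing container did not survive on this page, so its path pattern cannot be checked here; it should cover at least everything that `ProxyPassMatch ^/.*\.git/ !` exempts from the proxy, because that pattern matches `.git/` anywhere in the path. Consider pairing the address check with authentication, for example wrapping it in `<RequireAll>` together with `Require valid-user`. A template comment stating that the address list is generated from Chef search would also help whoever audits the rendered config.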