From 4479ee5c32b8d5c7dc6cef37b4bbaed9402ed4fb Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Sat, 23 Jun 2018 14:39:27 +0100 Subject: [PATCH 1/1] Move git and dns from shenron to sarel --- cookbooks/chef/recipes/repository.rb | 68 +++++++++---------- cookbooks/chef/recipes/server.rb | 5 -- cookbooks/chef/templates/default/apache.erb | 9 --- .../chef/templates/default/post-receive.erb | 2 +- .../default/repository-backup.cron.erb | 14 ---- .../dns/templates/default/dns-update.erb | 2 +- cookbooks/git/attributes/default.rb | 6 +- cookbooks/git/metadata.rb | 3 +- cookbooks/git/recipes/server.rb | 60 ++++------------ cookbooks/git/recipes/web.rb | 33 ++++++--- cookbooks/git/templates/default/apache.erb | 23 ++++--- .../git/templates/default/backup.cron.erb | 2 +- .../git/templates/default/gitweb.conf.erb | 4 +- .../git/templates/default/post-receive.erb | 14 ---- cookbooks/git/templates/default/xinetd.erb | 13 ---- roles/chef-repository.rb | 3 +- roles/dns.rb | 2 +- roles/git.rb | 7 +- roles/sarel.rb | 10 +-- roles/shenron.rb | 11 --- 20 files changed, 107 insertions(+), 184 deletions(-) delete mode 100644 cookbooks/chef/templates/default/repository-backup.cron.erb delete mode 100644 cookbooks/git/templates/default/post-receive.erb delete mode 100644 cookbooks/git/templates/default/xinetd.erb diff --git a/cookbooks/chef/recipes/repository.rb b/cookbooks/chef/recipes/repository.rb index 02dc09365..a358e78e2 100644 --- a/cookbooks/chef/recipes/repository.rb +++ b/cookbooks/chef/recipes/repository.rb 
@@ -27,44 +27,42 @@ directory "/var/lib/chef" do
 mode 0o2775
 end
-git "/var/lib/chef" do
- action :checkout
- repository node[:chef][:repository]
- revision "master"
- user "chefrepo"
- group "chefrepo"
-end
+%w[public private].each do |repository|
+ repository_directory = node[:chef][:"#{repository}_repository"]
-directory "/var/lib/chef/.chef" do
- owner "chefrepo"
- group "chefrepo"
- mode 0o2775
-end
+ git "/var/lib/chef/#{repository}" do
+ action :checkout
+ repository repository_directory
+ revision "master"
+ user "chefrepo"
+ group "chefrepo"
+ end
-file "/var/lib/chef/.chef/client.pem" do
- content keys["git"].join("\n")
- owner "chefrepo"
- group "chefrepo"
- mode 0o660
-end
+ directory "/var/lib/chef/#{repository}/.chef" do
+ owner "chefrepo"
+ group "chefrepo"
+ mode 0o2775
+ end
-cookbook_file "/var/lib/chef/.chef/knife.rb" do
- source "knife.rb"
- owner "chefrepo"
- group "chefrepo"
- mode 0o660
-end
+ file "/var/lib/chef/#{repository}/.chef/client.pem" do
+ content keys["git"].join("\n")
+ owner "chefrepo"
+ group "chefrepo"
+ mode 0o660
+ end
-template "#{node[:chef][:repository]}/hooks/post-receive" do
- source "post-receive.erb"
- owner "chefrepo"
- group "chefrepo"
- mode 0o750
-end
+ cookbook_file "/var/lib/chef/#{repository}/.chef/knife.rb" do
+ source "knife.rb"
+ owner "chefrepo"
+ group "chefrepo"
+ mode 0o660
+ end
-template "/etc/cron.daily/chef-repository-backup" do
- source "repository-backup.cron.erb"
- owner "root"
- group "root"
- mode 0o755
+ template "#{repository_directory}/hooks/post-receive" do
+ source "post-receive.erb"
+ owner "chefrepo"
+ group "chefrepo"
+ mode 0o750
+ variables :repository => repository
+ end
 end
diff --git a/cookbooks/chef/recipes/server.rb b/cookbooks/chef/recipes/server.rb
index 9581b1a56..12c43840a 100644
--- a/cookbooks/chef/recipes/server.rb
+++ b/cookbooks/chef/recipes/server.rb
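Review bot: `repository_directory = node[:chef][:"#{repository}_repository"]` is used unchecked, so on a node where either attribute is unset the `git` resource is given a nil repository and the hook template is rendered to `/hooks/post-receive` at the filesystem root. Failing at compile time is safer than converging a half-configured checkout: `raise ArgumentError, "node[:chef][:#{repository}_repository] is not set" unless repository_directory` directly after the assignment. Both working copies are also written the same `keys["git"]` material into `.chef/client.pem`, which is presumably intended; a one-line comment above the `file` resource saying that public and private checkouts run under the same knife client identity would spare the next reader the question. `keys` is defined outside this hunk.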
@@ -84,10 +84,6 @@ service "chef-server" do subscribes :restart, "systemd_service[chef-server]" end -git_allowed = search(:node, node[:git][:allowed_nodes]).collect do |n| - n.ipaddresses(:role => :external) -end.flatten - apache_module "alias" apache_module "proxy_http" @@ -99,7 +95,6 @@ end apache_site "chef.openstreetmap.org" do template "apache.erb" - variables :git_allowed => git_allowed end template "/etc/cron.daily/chef-server-backup" do diff --git a/cookbooks/chef/templates/default/apache.erb b/cookbooks/chef/templates/default/apache.erb index 706ab5ead..9d86d910e 100644 --- a/cookbooks/chef/templates/default/apache.erb +++ b/cookbooks/chef/templates/default/apache.erb @@ -27,13 +27,4 @@ ProxyPassMatch ^/.*\.git/ ! ProxyPass / https://<%= node[:fqdn] %>:4443/ ProxyPreserveHost on - - SetEnv GIT_PROJECT_ROOT /var/lib/git - SetEnv GIT_HTTP_EXPORT_ALL - ScriptAlias / /usr/lib/git-core/git-http-backend/ - - - Options ExecCGI - Require ip <%= @git_allowed.sort.join(" ") %> - diff --git a/cookbooks/chef/templates/default/post-receive.erb b/cookbooks/chef/templates/default/post-receive.erb index 58646ff1a..b402265c1 100644 --- a/cookbooks/chef/templates/default/post-receive.erb +++ b/cookbooks/chef/templates/default/post-receive.erb @@ -9,7 +9,7 @@ while read oldrev newrev refname do if [[ "$refname" = "refs/heads/master" ]] then - cd /var/lib/chef + cd /var/lib/chef/<%= @repository %> rm -f cookbooks/*/metadata.json(N) diff --git a/cookbooks/chef/templates/default/repository-backup.cron.erb b/cookbooks/chef/templates/default/repository-backup.cron.erb deleted file mode 100644 index f82e7b227..000000000 --- a/cookbooks/chef/templates/default/repository-backup.cron.erb +++ /dev/null 
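Review bot: `cd /var/lib/chef/<%= @repository %>` in cookbooks/chef/templates/default/post-receive.erb is not checked, so if that checkout directory is missing the hook keeps running in the bare repository's working directory and the following `rm -f cookbooks/*/metadata.json(N)` (and whatever comes after it) acts on the wrong tree. A guard keeps the hook from touching anything it did not mean to: `cd /var/lib/chef/<%= @repository %> || exit 1`. The enclosing `while read` loop starts and ends outside the hunk, so aborting the whole hook on a missing checkout is the conservative choice here.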
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-T=$(mktemp -d -t -p /var/tmp chef-repository.XXXXXXXXXX)
-D=$(date +%Y-%m-%d)
-B=chef-repository-$D.tar.gz
-
-ln -s /var/lib/git/chef.git $T/chef-repository-$D
-
-export GZIP="--rsyncable -9"
-
-nice tar --create --gzip --dereference --directory=$T --file=$T/$B chef-repository-$D
-nice rsync --preallocate --fuzzy $T/$B backup::backup
-
-rm -rf $T
diff --git a/cookbooks/dns/templates/default/dns-update.erb b/cookbooks/dns/templates/default/dns-update.erb
index 162e7875e..93d2e1ee3 100755
--- a/cookbooks/dns/templates/default/dns-update.erb
+++ b/cookbooks/dns/templates/default/dns-update.erb
@@ -14,7 +14,7 @@ cd /var/lib/dns
 if [ ! -d .git ]
 then
- git clone /var/lib/git/dns.git /var/lib/dns
+ git clone /var/lib/git/public/dns.git /var/lib/dns
 fi
 git pull -q
diff --git a/cookbooks/git/attributes/default.rb b/cookbooks/git/attributes/default.rb
index ebb2bd736..2d89a83de 100644
--- a/cookbooks/git/attributes/default.rb
+++ b/cookbooks/git/attributes/default.rb
@@ -1,3 +1,5 @@
 default[:git][:directory] = "/var/lib/git"
-default[:git][:user] = "git"
-default[:git][:group] = "git"
+default[:git][:public_user] = "git"
+default[:git][:public_group] = "git"
+default[:git][:private_user] = "git"
+default[:git][:private_group] = "git"
diff --git a/cookbooks/git/metadata.rb b/cookbooks/git/metadata.rb
index 704f32750..8cf7f9a48 100644
--- a/cookbooks/git/metadata.rb
+++ b/cookbooks/git/metadata.rb
@@ -6,6 +6,5 @@ description "Installs and configures git"
 long_description IO.read(File.join(File.dirname(__FILE__), "README.md"))
 version "1.0.0"
 supports "ubuntu"
-depends "networking"
-depends "xinetd"
 depends "apache"
+depends "networking"
diff --git a/cookbooks/git/recipes/server.rb b/cookbooks/git/recipes/server.rb
index 1d308bf29..81b16952f 100644
--- a/cookbooks/git/recipes/server.rb
+++ b/cookbooks/git/recipes/server.rb
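Review bot: `git clone /var/lib/git/public/dns.git /var/lib/dns` in cookbooks/dns/templates/default/dns-update.erb hardcodes a path that roles/dns.rb in this same patch also carries as `node[:dns][:repository]`, so the two can silently drift apart; rendering it as `git clone <%= node[:dns][:repository] %> /var/lib/dns` keeps one source of truth. The path only resolves because roles/sarel.rb now places `role[dns]` on the same host as the git server, and nothing in the script says so — a comment above the `if [ ! -d .git ]` block noting that the repository is expected on the local filesystem of the git host would make that co-location dependency explicit. The rest of the script lies outside the hunk.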
@@ -18,58 +18,34 @@
 #
 include_recipe "networking"
-include_recipe "xinetd"
 git_directory = node[:git][:directory]
 directory git_directory do
- owner node[:git][:user]
- group node[:git][:group]
+ owner "root"
+ group "root"
+ mode 0o775
+end
+
+directory "#{git_directory}/public" do
+ owner node[:git][:public_user]
+ group node[:git][:public_group]
 mode 0o2775
 end
-if node[:git][:allowed_nodes]
- search(:node, node[:git][:allowed_nodes]).sort_by { |n| n[:fqdn] }.each do |n|
- n.interfaces(:role => :external).each do |interface|
- firewall_rule "accept-git" do
- action :accept
- family interface[:family]
- source "#{interface[:zone]}:#{interface[:address]}"
- dest "fw"
- proto "tcp:syn"
- dest_ports "git"
- source_ports "1024:"
- end
- end
- end
-else
- firewall_rule "accept-git" do
- action :accept
- source "net"
- dest "fw"
- proto "tcp:syn"
- dest_ports "git"
- source_ports "1024:"
- end
+directory "#{git_directory}/private" do
+ owner node[:git][:private_user]
+ group node[:git][:private_group]
 mode 0o2775
 end
-Dir.new(git_directory).select { |name| name =~ /\.git$/ }.each do |repository|
- template "#{git_directory}/#{repository}/hooks/post-update" do
+Dir.glob("#{git_directory}/*/*.git").each do |repository|
+ template "#{repository}/hooks/post-update" do
 source "post-update.erb"
 owner "root"
 group node[:git][:group]
 mode 0o755
 end
-
- next unless node[:recipes].include?("trac") && repository != "dns.git" && repository != "chef.git"
-
- template "#{git_directory}/#{repository}/hooks/post-receive" do
- source "post-receive.erb"
- owner "root"
- group node[:git][:group]
- mode 0o755
- variables :repository => "#{git_directory}/#{repository}"
- end
 end
 template "/etc/cron.daily/git-backup" do
@@ -78,11 +54,3 @@ template "/etc/cron.daily/git-backup" do
 group "root"
 mode 0o755
 end
-
-template "/etc/xinetd.d/git" do
- source "xinetd.erb"
- owner "root"
- group "root"
- mode 0o644
- notifies :reload, "service[xinetd]"
-end
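Review bot: `group node[:git][:group]` inside the `Dir.glob` loop reads an attribute this patch deletes from cookbooks/git/attributes/default.rb (only `public_group` and `private_group` remain), so the post-update hook's group is nil unless some role still sets it, and depending on the Chef version that is either an unmanaged group or a property validation failure at converge. The glob path already says which tree a repository lives in, so derive the group from it: `visibility = File.basename(File.dirname(repository))` before the template and `group node[:git][:"#{visibility}_group"]` inside it. As with the old `Dir.new`, the glob is evaluated at compile time, so repositories created later in the same run are only picked up on the next one — worth a one-line comment above `Dir.glob`.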
diff --git a/cookbooks/git/recipes/web.rb b/cookbooks/git/recipes/web.rb
index 0d840bbbd..65333eff0 100644
--- a/cookbooks/git/recipes/web.rb
+++ b/cookbooks/git/recipes/web.rb
@@ -23,7 +23,7 @@ package "gitweb"
 apache_module "rewrite"
-git_directory = node[:git][:directory]
+git_site = node[:git][:host]
 template "/etc/gitweb.conf" do
 source "gitweb.conf.erb"
@@ -32,20 +32,31 @@ template "/etc/gitweb.conf" do
 mode 0o644
 end
-ssl_certificate node[:git][:host] do
- domains [node[:git][:host]] + Array(node[:git][:aliases])
- notifies :reload, "service[apache2]"
-end
-
-apache_site node[:git][:host] do
- template "apache.erb"
- directory git_directory
- variables :aliases => Array(node[:git][:aliases])
+directory "/srv/#{git_site}" do
+ owner "root"
+ group "root"
+ mode 0o755
 end
-template "#{git_directory}/robots.txt" do
+template "/srv/#{git_site}/robots.txt" do
 source "robots.txt.erb"
 owner "root"
 group "root"
 mode 0o644
 end
+
+ssl_certificate git_site do
+ domains [git_site] + Array(node[:git][:aliases])
+ notifies :reload, "service[apache2]"
+end
+
+private_allowed = search(:node, node[:git][:private_nodes]).collect do |n|
+ n.ipaddresses(:role => :external)
+end.flatten
+
+apache_site git_site do
+ template "apache.erb"
+ directory "/srv/#{git_site}"
+ variables :aliases => Array(node[:git][:aliases]),
+ :private_allowed => private_allowed
+end
diff --git a/cookbooks/git/templates/default/apache.erb b/cookbooks/git/templates/default/apache.erb
index c7f85c821..374ec2cf5 100644
--- a/cookbooks/git/templates/default/apache.erb
+++ b/cookbooks/git/templates/default/apache.erb
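Review bot: `search(:node, node[:git][:private_nodes])` has no guard for the attribute being unset; within this patch only roles/sarel.rb sets `:private_nodes`, so any other node that picks up `role[git]` would hand `search` a nil query and, depending on how the search API treats nil, either abort the run or match every node, neither of which is an obviously fail-closed outcome. Resolving the attribute to an explicit empty list keeps the intent visible: `private_allowed = node[:git][:private_nodes] ? search(:node, node[:git][:private_nodes]).flat_map { |n| n.ipaddresses(:role => :external) } : []`. What an empty `private_allowed` means for the `/private` tree then has to be settled in apache.erb, where the list is rendered into `Require ip`.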
@@ -44,17 +44,24 @@ CustomLog /var/log/apache2/<%= @name %>-access.log combined ErrorLog /var/log/apache2/<%= @name %>-error.log - DocumentRoot <%= @directory %> - HeaderName HEADER + SetEnv GIT_PROJECT_ROOT /var/lib/git + SetEnv GIT_HTTP_EXPORT_ALL + + ScriptAlias /public /usr/lib/git-core/git-http-backend/public + ScriptAlias /private /usr/lib/git-core/git-http-backend/private Alias /gitweb /usr/share/gitweb Alias /git /var/cache/git - ScriptAlias /gitweb.cgi /usr/lib/cgi-bin/gitweb.cgi + ScriptAlias / /usr/lib/cgi-bin/gitweb.cgi/ + + + Require all granted + - RewriteEngine On - RewriteRule ^/$ /gitweb.cgi%{REQUEST_URI} [L,PT] - RewriteRule ^/(.*\.git/(?!/?(HEAD|info|objects|refs)).*)?$ /gitweb.cgi%{REQUEST_URI} [L,PT] + + Require ip <%= @private_allowed.sort.join(" ") %> + -> - Require all granted + + Options ExecCGI diff --git a/cookbooks/git/templates/default/backup.cron.erb b/cookbooks/git/templates/default/backup.cron.erb index ac2167b8c..5a9d01284 100644 --- a/cookbooks/git/templates/default/backup.cron.erb +++ b/cookbooks/git/templates/default/backup.cron.erb @@ -4,7 +4,7 @@ T=$(mktemp -d -t -p /var/tmp git.XXXXXXXXXX) D=$(date +%Y-%m-%d) -B=<%= node[:git][:backup] %>-$D.tar.gz +B=git-$D.tar.gz ln -s /var/lib/git $T/git-$D diff --git a/cookbooks/git/templates/default/gitweb.conf.erb b/cookbooks/git/templates/default/gitweb.conf.erb index b98c15ae5..5d2eb7469 100644 --- a/cookbooks/git/templates/default/gitweb.conf.erb +++ b/cookbooks/git/templates/default/gitweb.conf.erb @@ -1,7 +1,7 @@ # DO NOT EDIT - This file is being maintained by Chef # path to git projects (.git) -$projectroot = "<%= node[:git][:directory] %>"; +$projectroot = "<%= node[:git][:directory] %>/public"; # directory to use for temp files $git_temp = "/tmp"; 
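Review bot: `Require ip <%= @private_allowed.sort.join(" ") %>` renders as a bare `Require ip` when the node search behind `@private_allowed` returns nothing, and Apache refuses to load a `Require ip` with no arguments, so an empty allowlist takes the whole git site down instead of merely denying the private tree. Guard the template: emit `Require all denied` when `@private_allowed.empty?` and the existing `Require ip` line otherwise (an ERB if/else around the one line). Separately, `SetEnv GIT_HTTP_EXPORT_ALL` together with `GIT_PROJECT_ROOT /var/lib/git` exports every repository under both `public` and `private` irrespective of any `git-daemon-export-ok` marker, so confidentiality of the private tree rests entirely on the container directive that holds the `Require ip` line. The Location/Directory containers around these lines are not visible here; confirm that the one carrying `Require ip` covers the `/private` alias and that pushes remain off (git-http-backend refuses anonymous receive-pack unless `http.receivepack` is enabled in the repository). The VirtualHost enclosing this hunk starts and ends outside it.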
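Review bot: `ln -s /var/lib/git $T/git-$D` (unchanged context in cookbooks/git/templates/default/backup.cron.erb) now also sweeps `/var/lib/git/private`, which this patch makes the home of the private chef repository that the deleted chef-repository-backup cron used to ship on its own, so the tarball rsynced to `backup::backup` changes in sensitivity even though only the file name `B=git-$D.tar.gz` changed here. A comment above the `ln` line, e.g. `# tarball includes the private tree under /var/lib/git/private; keep the backup target restricted accordingly`, records that, and the backup module's access should be checked against it. The remainder of the script is outside the hunk.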
@@ -31,4 +31,4 @@ our $javascript = "/gitweb/static/gitweb.js";
 $feature{'pathinfo'}{'default'} = [1];
 # define roots for cloning
-@git_base_url_list = qw(git://<%= node[:git][:host] %>);
+@git_base_url_list = qw(https://<%= node[:git][:host] %>/public);
diff --git a/cookbooks/git/templates/default/post-receive.erb b/cookbooks/git/templates/default/post-receive.erb
deleted file mode 100644
index 30ade2719..000000000
--- a/cookbooks/git/templates/default/post-receive.erb
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/zsh
-
-# DO NOT EDIT - This file is being maintained by Chef
-
-while read oldrev newrev refname
-do
- if [[ "$refname" = "refs/heads/master" ]]
- then
- for rev in $(git rev-list ${oldrev}..${newrev})
- do
- sudo -u trac /usr/bin/trac-admin /var/lib/trac changeset added "<%= @repository %>" "${rev}"
- done
- fi
-done
diff --git a/cookbooks/git/templates/default/xinetd.erb b/cookbooks/git/templates/default/xinetd.erb
deleted file mode 100644
index 403c7926b..000000000
--- a/cookbooks/git/templates/default/xinetd.erb
+++ /dev/null
@@ -1,13 +0,0 @@
-# DO NOT EDIT - This file is being maintained by Chef
-
-service git
-{
- disable = no
- socket_type = stream
- wait = no
- user = nobody
- server = /usr/lib/git-core/git-daemon
- server_args = --base-path=<%= node[:git][:directory] %> --export-all --syslog --inetd --verbose
- log_on_failure += USERID
- flags = ipv6
-}
diff --git a/roles/chef-repository.rb b/roles/chef-repository.rb
index d551353d0..511291426 100644
--- a/roles/chef-repository.rb
+++ b/roles/chef-repository.rb
@@ -25,7 +25,8 @@ default_attributes(
 }
 },
 :chef => {
- :repository => "/var/lib/git/chef.git"
+ :public_repository => "/var/lib/git/public/chef.git",
+ :private_repository => "/var/lib/git/private/chef.git"
 }
 )
diff --git a/roles/dns.rb b/roles/dns.rb
index 7a5e5a46a..25ac17f00 100755
--- a/roles/dns.rb
+++ b/roles/dns.rb
@@ -3,7 +3,7 @@ description "Role applied to DNS management servers"
 default_attributes(
 :dns => {
- :repository => "/var/lib/git/dns.git"
+ :repository => "/var/lib/git/public/dns.git"
 }
 )
diff --git a/roles/git.rb b/roles/git.rb
index 09b95cbf1..31ad54036 100644
--- a/roles/git.rb
+++ b/roles/git.rb
@@ -4,6 +4,10 @@ description "Role applied to all git servers"
 default_attributes(
 :accounts => {
 :users => {
+ :bretth => {
+ :status => :user,
+ :shell => "/usr/bin/git-shell"
+ },
 :lonvia => {
 :status => :user,
 :shell => "/usr/bin/git-shell"
@@ -20,8 +24,7 @@ default_attributes(
 },
 :git => {
 :host => "git.openstreetmap.org",
- :aliases => ["git.osm.org"],
- :backup => "git"
+ :aliases => ["git.osm.org"]
 }
 )
diff --git a/roles/sarel.rb b/roles/sarel.rb
index ab7c52a4f..b535374d7 100644
--- a/roles/sarel.rb
+++ b/roles/sarel.rb
@@ -3,10 +3,9 @@ description "Master role applied to sarel"
 default_attributes(
 :git => {
- :allowed_nodes => "fqdn:*",
- :user => "chefrepo",
- :group => "chefrepo",
- :backup => "chef-git"
+ :private_user => "chefrepo",
+ :private_group => "chefrepo",
+ :private_nodes => "fqdn:*"
 },
 :networking => {
 :interfaces => {
@@ -33,6 +32,7 @@ run_list(
 "role[chef-server]",
 "role[chef-repository]",
 "role[letsencrypt]",
- "recipe[git::server]",
+ "role[git]",
+ "role[dns]",
 "recipe[serverinfo]"
 )
diff --git a/roles/shenron.rb b/roles/shenron.rb
index 42d25d9d0..9009c0824 100644
--- a/roles/shenron.rb
+++ b/roles/shenron.rb
@@ -2,14 +2,6 @@ name "shenron"
 description "Master role applied to shenron"
 default_attributes(
- :accounts => {
- :users => {
- :bretth => {
- :status => :user,
- :shell => "/usr/bin/git-shell"
- }
- }
- },
 :apache => {
 :mpm => "event",
 :event => {
@@ -69,14 +61,11 @@ run_list(
 "role[bytemark]",
 "role[mail]",
 "role[lists]",
- "role[git]",
 "role[subversion]",
 "role[trac]",
 "role[osqa]",
 "role[irc]",
- "role[dns]",
 "role[geodns]",
- "role[chef-repository]",
 "recipe[blogs]",
 "recipe[openvpn]"
 )
-- 2.43.2
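Review bot: `:private_nodes => "fqdn:*"` in roles/sarel.rb matches every node registered with the Chef server, so the `/private` allowlist rendered from it is as broad as the whole Chef inventory rather than the hosts that actually need the private repository, and nothing in the patch records why that breadth is wanted. A comment on the attribute stating why every managed node must reach the private tree would turn any later tightening into a deliberate choice rather than an accidental break; the old `:allowed_nodes => "fqdn:*"` it replaces carried the same scope, so this is inherited rather than new. `:private_user`/`:private_group` staying `chefrepo` is consistent with the `chefrepo` ownership used in cookbooks/chef/recipes/repository.rb.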