From 58de72e85a697f48fa3428e380954a0c91bba018 Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Wed, 17 Mar 2021 21:29:47 +0000 Subject: [PATCH] git: Convert to CentOS 8 and Apache * Update git hosts to CentOS 8 * Drop nslscd and use sssd instead * Change nginx to apache for future GSSAPI support * Fix SELinux contexts from git data directory --- hosts | 2 +- playbooks/git.yml | 2 +- roles/git/server/files/git.conf | 64 +++++++++++---------------------- roles/git/server/meta/main.yml | 2 +- roles/git/server/tasks/main.yml | 13 ++++--- 5 files changed, 33 insertions(+), 50 deletions(-) diff --git a/hosts b/hosts index 7df402b..81a93d3 100644 --- a/hosts +++ b/hosts @@ -56,6 +56,7 @@ atl01.vultr.foo.sh [centos8:children] adm +git mail mirror nas @@ -64,7 +65,6 @@ static vmhost [centos7:children] -git ldap collab diff --git a/playbooks/git.yml b/playbooks/git.yml index 0332a49..99e9fa1 100644 --- a/playbooks/git.yml +++ b/playbooks/git.yml @@ -24,4 +24,4 @@ - base - git/client - git/server - - ldap/nss + - sssd diff --git a/roles/git/server/files/git.conf b/roles/git/server/files/git.conf index 44cd432..7ccb22f 100644 --- a/roles/git/server/files/git.conf +++ b/roles/git/server/files/git.conf 
@@ -1,46 +1,24 @@ -error_page 418 = @query_auth; +SetEnv GIT_PROJECT_ROOT /srv/git +SetEnv GIT_HTTP_EXPORT_ALL -# Git over HTTP -location ~ ^/.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$ { - root /srv/git; -} -# Git operations that require authentication should go here -location @query_auth { - auth_basic "Authentication Required"; - auth_basic_user_file /etc/nginx/htpasswd; - rewrite ^(/.*)$ $1 break; - fastcgi_pass unix:/run/fcgiwrap/fcgiwrap-nginx.sock; - fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend; - fastcgi_param PATH_INFO $uri; - fastcgi_param GIT_PROJECT_ROOT /srv/git; - fastcgi_param GIT_HTTP_EXPORT_ALL ""; - include fastcgi_params; - fastcgi_param REMOTE_USER $remote_user; -} -location ~ ^(.*\.git/git-receive-pack)$ { - return 418; -} -location ~ ^/(.*\.git/(HEAD|info/refs|objects/(info/[^/]+)|git-upload-pack))$ { - if ( $query_string = "service=git-receive-pack" ) { return 418; } - rewrite ^(/.*)$ $1 break; - fastcgi_pass unix:/run/fcgiwrap/fcgiwrap-nginx.sock; - fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend; - fastcgi_param PATH_INFO $uri; - fastcgi_param GIT_PROJECT_ROOT /srv/git; - fastcgi_param GIT_HTTP_EXPORT_ALL ""; - include fastcgi_params; -} +Alias /static/ /var/www/git/static/ -# Gitweb -location /gitweb.cgi { - root /var/www/git/; - include fastcgi_params; - fastcgi_param SCRIPT_NAME $uri; - fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; - fastcgi_pass unix:/run/fcgiwrap/fcgiwrap-nginx.sock; -} -location / { - root /var/www/git; - index gitweb.cgi; -} +#AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/git/$1 +#AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/git/$1 + + + Require all granted + +ScriptAliasMatch \ + "(?x)^/(.*/(HEAD | \ + info/refs | \ + objects/info/[^/]+ | \ + git-(upload|receive)-pack))$" \ + /usr/libexec/git-core/git-http-backend/$1 + +ScriptAlias /gitweb.cgi /var/www/git/gitweb.cgi + + SetEnv GITWEB_CONFIG /etc/gitweb.conf + 
DirectoryIndex gitweb.cgi + diff --git a/roles/git/server/meta/main.yml b/roles/git/server/meta/main.yml index 9a25c83..5366061 100644 --- a/roles/git/server/meta/main.yml +++ b/roles/git/server/meta/main.yml @@ -2,4 +2,4 @@ dependencies: - {role: git/client} - - {role: nginx/fcgi} + - {role: apache} diff --git a/roles/git/server/tasks/main.yml b/roles/git/server/tasks/main.yml index 2533d1d..0c43efc 100644 --- a/roles/git/server/tasks/main.yml +++ b/roles/git/server/tasks/main.yml @@ -9,6 +9,11 @@ - highlight - perl-Digest-MD5 +- name: fix selinux context from data directory + sefcontext: + path: /export/git(/.*)? + setype: git_sys_content_t + - name: create git directory file: path: /srv/git @@ -44,11 +49,11 @@ - logo.png - gitweb-local.css -- name: create nginx git config +- name: link apache git config copy: - dest: /etc/nginx/conf.d/{{ inventory_hostname }}/git.conf + dest: /etc/httpd/conf.local.d/git.conf src: git.conf mode: 0644 owner: root - group: root - notify: restart nginx + group: "{{ ansible_wheel }}" + notify: restart apache
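Review bot: The new `ScriptAliasMatch` routes `git-receive-pack` to git-http-backend, but no `AuthType` or `Require valid-user` directive is visible in the added lines, whereas the removed nginx config forced `auth_basic` on every receive-pack request, including `info/refs?service=git-receive-pack`. The only access directive shown is `Require all granted`. git-http-backend refuses receive-pack when the web server sets no REMOTE_USER unless a repository has `http.receivepack` enabled, so pushes over HTTP either stop working or, where that option is set, become anonymous. Until the GSSAPI work lands, either narrow the pattern to `git-upload-pack))$" \` or add a location block requiring an authenticated user for both the `git-receive-pack` path and the matching `service=` query. The container tags around `Require all granted` are not visible in this rendering, so its scope should be checked against the real file.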
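Review bot: The `sefcontext` task only records the rule for `/export/git(/.*)?` in the local policy; files that already exist keep their old label until they are relabelled, so on a host with existing repositories this task alone changes nothing on disk. Register the result and run `restorecon` when it changes, as sketched below. The rest of the role and git.conf use `/srv/git`, so presumably that is a symlink or mount of `/export/git`; a comment saying so would help, since file-context rules match the real path. If pushes over HTTP are expected, confirm that `git_sys_content_t` gives the CGI domain write access under this policy.

```yaml
- name: fix selinux context from data directory
  # … unchanged: sefcontext path and setype …
  register: git_fcontext

- name: relabel git data directory
  command: restorecon -R /export/git
  when: git_fcontext is changed
```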
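Review bot: The destination moved from a per-host include directory (`conf.d/{{ inventory_hostname }}/`) to `/etc/httpd/conf.local.d/`, and how that directory is included is not visible here. If it is loaded server-wide, the `ScriptAliasMatch` and `Require all granted` from git.conf apply to every virtual host on the machine rather than only the git one, which is worth confirming in the apache role. Two smaller points on the task itself: the name says "link" while the module is `copy`, so `name: install apache git config` would match, and quoting the mode as `mode: "0644"` avoids YAML parsing the octal literal as an integer.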