opendev/system-config
Code Issues Proposed changes

Split out cgit module

Browse Source 
Depends-On: Ibae9f2aa1d40d4b7afe0882c684251b5fc8a7135
Change-Id: I0c6ae1cf29924f1380288790fa53373d3767072d
This commit is contained in:
Jonathan Harker 2015-01-28 12:24:05 -05:00 committed by Joshua Hesketh
parent 1fc55d4dc9
commit 1dcb21a849
8 changed files with 1 additions and 1454 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
modules.env
View File

@ -61,6 +61,7 @@ INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-ansible"]=
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-asterisk"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-asterisk"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-bup"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-bup"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-bugdaystats"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-bugdaystats"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-cgit"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-elasticsearch"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-elasticsearch"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-etherpad_lite"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-etherpad_lite"]="origin/master"
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-elastic_recheck"]="origin/master" INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-elastic_recheck"]="origin/master"

14
modules/cgit/files/git.xinetd
View File

@ -1,14 +0,0 @@
# default: off
# description: The git dæmon allows git repositories to be exported using \
# the git:// protocol.
service git
{
disable = yes
socket_type = stream
wait = no
user = nobody
server = /usr/libexec/git-core/git-daemon
server_args = --base-path=/var/lib/git --export-all --syslog --inetd --verbose /var/lib/git
log_on_failure += USERID
}

175
modules/cgit/manifests/init.pp
View File

@ -1,175 +0,0 @@
# Copyright 2013 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Class: cgit
#
class cgit(
$vhost_name = $::fqdn,
$serveradmin = "webmaster@${::fqdn}",
$serveraliases = '',
$cgitdir = '/var/www/cgit',
$staticfiles = '/var/www/cgit/static',
$ssl_cert_file = '',
$ssl_key_file = '',
$ssl_chain_file = '',
$ssl_cert_file_contents = '', # If left empty puppet will not create file.
$ssl_key_file_contents = '', # If left empty puppet will not create file.
$ssl_chain_file_contents = '', # If left empty puppet will not create file.
$behind_proxy = false,
) {
if $behind_proxy == true {
$http_port = 8080
$https_port = 4443
$daemon_port = 29418
}
else {
$http_port = 80
$https_port = 443
$daemon_port = 9418
}
include apache
if ($::osfamily == 'RedHat') {
include cgit::selinux
}
package { [
'cgit',
'git-daemon',
'highlight',
]:
ensure => present,
}
user { 'cgit':
ensure => present,
home => '/home/cgit',
shell => '/bin/bash',
gid => 'cgit',
managehome => true,
require => Group['cgit'],
}
group { 'cgit':
ensure => present,
}
file {'/home/cgit':
ensure => directory,
owner => 'cgit',
group => 'cgit',
mode => '0755',
require => User['cgit'],
}
file { '/var/lib/git':
ensure => directory,
owner => 'cgit',
group => 'cgit',
mode => '0644',
require => User['cgit'],
}
apache::vhost { $vhost_name:
port => $https_port,
serveraliases => $serveraliases,
docroot => 'MEANINGLESS ARGUMENT',
priority => '50',
template => 'cgit/git.vhost.erb',
ssl => true,
require => [
File[$staticfiles],
Package['cgit'],
],
}
file { '/etc/httpd/conf/httpd.conf':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('cgit/httpd.conf.erb'),
require => Package['httpd'],
}
file { '/etc/httpd/conf.d/ssl.conf':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => template('cgit/ssl.conf.erb'),
require => Package[$::apache::params::ssl_package],
}
file { $cgitdir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
file { $staticfiles:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
require => File[$cgitdir],
}
file { '/etc/init.d/git-daemon':
ensure => present,
owner => 'root',
group => 'root',
mode => '0755',
content => template('cgit/git-daemon.init.erb'),
}
service { 'git-daemon':
ensure => running,
enable => true,
subscribe => File['/etc/init.d/git-daemon'],
}
if $ssl_cert_file_contents != '' {
file { $ssl_cert_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_cert_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
if $ssl_key_file_contents != '' {
file { $ssl_key_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_key_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
if $ssl_chain_file_contents != '' {
file { $ssl_chain_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_chain_file_contents,
before => Apache::Vhost[$vhost_name],
}
}
}

55
modules/cgit/manifests/selinux.pp
View File

@ -1,55 +0,0 @@
# Copyright 2014 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Class: cgit::selinux
#
class cgit::selinux {
exec { 'restorecon -R -v /var/lib/git':
path => '/sbin',
require => File['/var/lib/git'],
subscribe => File['/var/lib/git'],
refreshonly => true,
}
selboolean { 'httpd_enable_cgi':
persistent => true,
value => on
}
package { 'policycoreutils-python':
ensure => present,
}
exec { 'cgit_allow_http_port':
# If we cannot add the rule modify the existing rule.
onlyif => "bash -c \'! semanage port -a -t http_port_t -p tcp ${::cgit::http_port}\'",
command => "semanage port -m -t http_port_t -p tcp ${::cgit::http_port}",
path => '/bin:/usr/sbin',
before => Service['httpd'],
require => Package['policycoreutils-python'],
subscribe => File['/etc/httpd/conf/httpd.conf'],
refreshonly => true,
}
exec { 'cgit_allow_https_port':
# If we cannot add the rule modify the existing rule.
onlyif => "bash -c \'! semanage port -a -t http_port_t -p tcp ${::cgit::https_port}\'",
command => "semanage port -m -t http_port_t -p tcp ${::cgit::https_port}",
path => '/bin:/usr/sbin',
require => Package['policycoreutils-python'],
subscribe => File['/etc/httpd/conf.d/ssl.conf'],
refreshonly => true,
}
}

63
modules/cgit/templates/git-daemon.init.erb
View File

@ -1,63 +0,0 @@
#!/bin/sh
#
# Startup/shutdown script for the git daemon
# chkconfig: 345 56 10
#
# description: Startup/shutdown script for the git daemon
#
. /etc/init.d/functions
NAME=git-daemon
USER=nobody
DAEMON=/usr/libexec/git-core/git-daemon
GIT_REPO=/var/lib/git
PORT=<%= scope.lookupvar("cgit::daemon_port") %>
ARGS="--base-path=/var/lib/git --user=$USER --export-all --syslog --detach --verbose --port=$PORT $GIT_REPO"
start () {
echo -n $"Starting $NAME: "
# start daemon
daemon $DAEMON $ARGS
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch /var/lock/git-daemon
return $RETVAL
}
stop () {
# stop daemon
echo -n $"Stopping $NAME: "
killproc $DAEMON
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f /var/lock/git-daemon
}
restart() {
stop
start
}
case $1 in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
status)
status $DAEMON
RETVAL=$?
;;
*)
echo $"Usage: $NAME {start|stop|restart|status}"
exit 3
;;
esac
exit $RETVAL

70
modules/cgit/templates/git.vhost.erb
View File

@ -1,70 +0,0 @@
<VirtualHost *:<%= scope.lookupvar("cgit::http_port") %>>
ServerName <%= scope.lookupvar("cgit::vhost_name") %>
ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif @serveraliases != '' -%>
<%= " ServerAlias #{@serveraliases}" -%>
<% end -%>
Alias /cgit-data /usr/share/cgit
ScriptAlias /cgit /var/www/cgi-bin/cgit
Alias /static <%= scope.lookupvar("cgit::staticfiles") %>
RewriteEngine On
RewriteRule ^/$ /cgit [R]
SetEnv GIT_PROJECT_ROOT /var/lib/git/
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv GIT_NOTES_DISPLAY_REF refs/notes/*
AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/lib/git/$1
AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/lib/git/$1
ScriptAlias / /usr/libexec/git-core/git-http-backend/
ErrorLog /var/log/httpd/git-error.log
LogLevel warn
CustomLog /var/log/httpd/git-access.log combined
</VirtualHost>
<VirtualHost *:<%= scope.lookupvar("cgit::https_port") %>>
ServerName <%= scope.lookupvar("cgit::vhost_name") %>
ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif @serveraliases != '' -%>
<%= " ServerAlias #{@serveraliases}" -%>
<% end -%>
Alias /cgit-data /usr/share/cgit
ScriptAlias /cgit /var/www/cgi-bin/cgit
Alias /static <%= scope.lookupvar("cgit::staticfiles") %>
RewriteEngine On
RewriteRule ^/$ /cgit [R]
SetEnv GIT_PROJECT_ROOT /var/lib/git/
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv GIT_NOTES_DISPLAY_REF refs/notes/*
AliasMatch ^/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/lib/git/$1
AliasMatch ^/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/lib/git/$1
ScriptAlias / /usr/libexec/git-core/git-http-backend/
ErrorLog /var/log/httpd/git-error.log
LogLevel warn
CustomLog /var/log/httpd/git-access.log combined
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile <%= scope.lookupvar("cgit::ssl_cert_file") %>
SSLCertificateKeyFile <%= scope.lookupvar("cgit::ssl_key_file") %>
<% if scope.lookupvar("cgit::ssl_chain_file") != "" %>
SSLCertificateChainFile <%= scope.lookupvar("cgit::ssl_chain_file") %>
<% end %>
</VirtualHost>

1009
modules/cgit/templates/httpd.conf.erb
View File

File diff suppressed because it is too large Load Diff

68
modules/cgit/templates/ssl.conf.erb
View File

@ -1,68 +0,0 @@
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
LoadModule ssl_module modules/mod_ssl.so
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen <%= scope.lookupvar("cgit::https_port") %>
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex default
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec