authorAlbert Cervin <albert@acervin.com>2023-03-19 17:18:01 +0100
committerAlbert Cervin <albert@acervin.com>2023-03-19 17:18:01 +0100
commitc6f2fd36e0a8188e1f6b2a15b292e3d0a5610ac4 (patch)
treed1c21cf0d9a2529154b33438bd91821268be5eb4 /jails/gubbhub/tasks.yaml
🎉 Initial commit of infra
Diffstat (limited to 'jails/gubbhub/tasks.yaml')
-rw-r--r--jails/gubbhub/tasks.yaml163
1 files changed, 163 insertions, 0 deletions
diff --git a/jails/gubbhub/tasks.yaml b/jails/gubbhub/tasks.yaml
new file mode 100644
index 0000000..4f8c2f2
--- /dev/null
+++ b/jails/gubbhub/tasks.yaml
@@ -0,0 +1,163 @@
+- name: load task vars
+ ansible.builtin.include_vars: ./variables.yaml
+
+- name: install git and cgit
+ community.general.pkgng:
+ name:
+ - git
+ - cgit
+ jail: "{{ jail.name }}"
+
+- name: install nginx and fcgiwrap
+ community.general.pkgng:
+ name:
+ - nginx
+ - fcgiwrap
+ jail: "{{ jail.name }}"
+
+- name: enable fcgiwrap
+ community.general.sysrc:
+ name: fcgiwrap_enable
+ value: "YES"
+ jail: "{{ jail.name }}"
+
+- name: set nginx permissions on fcgiwrap
+ community.general.sysrc:
+ name: fcgiwrap_socket_group
+ value: "www"
+ jail: "{{ jail.name }}"
+
+- name: start fcgiwrap
+ jexec:
+ cmd: service fcgiwrap restart
+ jail: "{{ jail.name }}"
+
+- name: enable nginx
+ community.general.sysrc:
+ name: nginx_enable
+ value: "YES"
+ jail: "{{ jail.name }}"
+
+- name: create groups
+ jexec:
+ cmd: |
+ getent group gitdev || pw groupadd gitdev
+ getent group gitadm || pw groupadd gitadm
+ jail: "{{ jail.name }}"
+
+- name: mount and set up git in zfs
+ jexec:
+ cmd: |
+ [ $(zfs get -H -o value mountpoint {{ gitdataset }}) == "/git" ] && \
+ [ $(zfs get -H -o value mounted {{ gitdataset }}) == "yes" ] || \
+ zfs set mountpoint=/git {{ gitdataset }}
+ jail: "{{ jail.name }}"
+
+- name: enable zfs compression on git data
+ jexec:
+ cmd: |
+ zfs set compression=on {{ gitdataset }}
+ jail: "{{ jail.name }}"
+
+- name: create folders and set permissions
+ jexec:
+ cmd: |
+ mkdir -p /git/repos
+ chown root:gitdev /git/repos
+ chmod g+rws /git/repos
+ mkdir -p /git/sshkeys
+ jail: "{{ jail.name }}"
+
+- name: enable sshd
+ community.general.sysrc:
+ name: sshd_enable
+ value: "YES"
+ jail: "{{ jail.name }}"
+
+- name: create git shell command dir
+ ansible.builtin.file:
+ path: "{{ jailroot }}/git/repos/git-shell-commands"
+ state: directory
+
+- name: setup gubbshell
+ ansible.builtin.copy:
+ src: ./gubbshell/
+ dest: "{{ jailroot }}/git/repos/git-shell-commands/"
+ mode: "g=rx"
+
+- name: install nano
+ community.general.pkgng:
+ name:
+ - nano
+ jail: "{{ jail.name }}"
+
+- name: set correct permissions for gubbshell scripts
+ jexec:
+ cmd: chgrp gitadm /git/repos/git-shell-commands/create-repo /git/repos/git-shell-commands/delete-repo /git/repos/git-shell-commands/edit-repo
+ jail: "{{ jail.name }}"
+
+- name: disable motd
+ jexec:
+ cmd: touch /git/repos/.hushlogin
+ jail: "{{ jail.name }}"
+
+- name: create users
+ jexec:
+ cmd: |
+ pw useradd {{ item.key }} -g gitdev -s /usr/local/libexec/git-core/git-shell -d /git/repos
+ {% if item.value.admin %}
+ pw usermod {{ item.key }} -G gitadm
+ {% endif %}
+ jail: "{{ jail.name }}"
+ loop: "{{ users | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+
+- name: upload pubkeys
+ ansible.builtin.copy:
+ content: "{{ item.value.ssh_keys | join('\n') }}"
+ dest: "{{ jailroot }}/git/sshkeys/{{ item.key }}"
+ owner: "{{ item.key }}"
+ mode: 0400
+ when: item.value.ssh_keys is defined
+ loop: "{{ users | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+
+- name: configure sshd
+ ansible.builtin.lineinfile:
+ path: "{{ jailroot }}/etc/ssh/sshd_config"
+ regex: "^(#)?{{item.key}}"
+ line: "{{item.key}} {{item.value}}"
+ state: present
+ loop:
+ - { key: "PermitRootLogin", value: "no" }
+ - { key: "PasswordAuthentication", value: "no" }
+ - { key: "ChallengeResponseAuthentication", value: "no" }
+ - { key: "UsePAM", value: "no" }
+ - { key: "AuthorizedKeysFile", value: "/git/sshkeys/%u" }
+ register: sshd_conf
+
+- name: configure nginx for cgit
+ ansible.builtin.template:
+ src: cgit.nginx.conf.j2
+ dest: "{{ jailroot }}/usr/local/etc/nginx/nginx.conf"
+ register: nginx_conf
+
+- name: cgit conf
+ ansible.builtin.template:
+ src: cgitrc.j2
+ dest: "{{ jailroot }}/usr/local/etc/cgitrc"
+ register: cgit_conf
+
+- name: restart nginx
+ when: nginx_conf.changed
+ jexec:
+ cmd: service nginx restart
+ jail: "{{ jail.name }}"
+
+- name: restart sshd
+ when: sshd_conf.changed
+ jexec:
+ cmd: service sshd restart
+ jail: "{{ jail.name }}"
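Review bot: The `create users` task (L127–134) is not idempotent and breaks on a missing key: `pw useradd` returns an error once the user already exists, so a second run of the play fails unless the `jexec` module ignores non-zero exits, and `{% if item.value.admin %}` raises an undefined-attribute error for any entry in `users` that has no `admin` key. Guard the add with a lookup and default the flag — `getent passwd {{ item.key | quote }} || pw useradd {{ item.key | quote }} -g gitdev -s /usr/local/libexec/git-core/git-shell -d /git/repos` and `{% if item.value.admin | default(false) %}` — where `| quote` keeps a key from the vars file from being split by the shell. In `upload pubkeys`, `owner: "{{ item.key }}"` is resolved by `ansible.builtin.copy` on the jail host (the dest is `{{ jailroot }}/…`), not inside the jail, so the chown fails or lands on a different uid unless the host's passwd carries the same names; a `jexec` `chown` after the copy, or a numeric uid, avoids that, and `mode: 0400` should be the string `"0400"` as the Ansible docs recommend. Separately, `/git/repos` is made group-writable for gitdev (`chmod g+rws`) while also serving as the shared home of every git-shell user, so the root-owned `git-shell-commands` entry sits in a directory those users could rename or replace if they ever gain a file-system write path there; `chmod +t /git/repos`, or a per-user home directory, closes that. The hunk covers the whole new file, so none of these tasks continue outside it.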