Diffstat (limited to 'jails/gubbhub/tasks.yaml')
| -rw-r--r-- | jails/gubbhub/tasks.yaml | 163 |
1 files changed, 163 insertions, 0 deletions
diff --git a/jails/gubbhub/tasks.yaml b/jails/gubbhub/tasks.yaml
new file mode 100644
index 0000000..4f8c2f2
--- /dev/null
+++ b/jails/gubbhub/tasks.yaml
@@ -0,0 +1,163 @@
+- name: load task vars
+  ansible.builtin.include_vars: ./variables.yaml
+
+- name: install git and cgit
+  community.general.pkgng:
+    name:
+      - git
+      - cgit
+    jail: "{{ jail.name }}"
+
+- name: install nginx and fcgiwrap
+  community.general.pkgng:
+    name:
+      - nginx
+      - fcgiwrap
+    jail: "{{ jail.name }}"
+
+- name: enable fcgiwrap
+  community.general.sysrc:
+    name: fcgiwrap_enable
+    value: "YES"
+    jail: "{{ jail.name }}"
+
+- name: set nginx permissions on fcgiwrap
+  community.general.sysrc:
+    name: fcgiwrap_socket_group
+    value: "www"
+    jail: "{{ jail.name }}"
+
+- name: start fcgiwrap
+  jexec:
+    cmd: service fcgiwrap restart
+    jail: "{{ jail.name }}"
+
+- name: enable nginx
+  community.general.sysrc:
+    name: nginx_enable
+    value: "YES"
+    jail: "{{ jail.name }}"
+
+- name: create groups
+  jexec:
+    cmd: |
+      getent group gitdev || pw groupadd gitdev
+      getent group gitadm || pw groupadd gitadm
+    jail: "{{ jail.name }}"
+
+- name: mount and set up git in zfs
+  jexec:
+    cmd: |
+      [ $(zfs get -H -o value mountpoint {{ gitdataset }}) == "/git" ] && \
+      [ $(zfs get -H -o value mounted {{ gitdataset }}) == "yes" ] || \
+      zfs set mountpoint=/git {{ gitdataset }}
+    jail: "{{ jail.name }}"
+
+- name: enable zfs compression on git data
+  jexec:
+    cmd: |
+      zfs set compression=on {{ gitdataset }}
+    jail: "{{ jail.name }}"
+
+- name: create folders and set permissions
+  jexec:
+    cmd: |
+      mkdir -p /git/repos
+      chown root:gitdev /git/repos
+      chmod g+rws /git/repos
+      mkdir -p /git/sshkeys
+    jail: "{{ jail.name }}"
+
+- name: enable sshd
+  community.general.sysrc:
+    name: sshd_enable
+    value: "YES"
+    jail: "{{ jail.name }}"
+
+- name: create git shell command dir
+  ansible.builtin.file:
+    path: "{{ jailroot }}/git/repos/git-shell-commands"
+    state: directory
+
+- name: setup gubbshell
+  ansible.builtin.copy:
+    src: ./gubbshell/
+    dest: "{{ jailroot }}/git/repos/git-shell-commands/"
+    mode: "g=rx"
+
+- name: install nano
+  community.general.pkgng:
+    name:
+      - nano
+    jail: "{{ jail.name }}"
+
+- name: set correct permissions for gubbshell scripts
+  jexec:
+    cmd: chgrp gitadm /git/repos/git-shell-commands/create-repo /git/repos/git-shell-commands/delete-repo /git/repos/git-shell-commands/edit-repo
+    jail: "{{ jail.name }}"
+
+- name: disable motd
+  jexec:
+    cmd: touch /git/repos/.hushlogin
+    jail: "{{ jail.name }}"
+
+- name: create users
+  jexec:
+    cmd: |
+      pw useradd {{ item.key }} -g gitdev -s /usr/local/libexec/git-core/git-shell -d /git/repos
+      {% if item.value.admin %}
+      pw usermod {{ item.key }} -G gitadm
+      {% endif %}
+    jail: "{{ jail.name }}"
+  loop: "{{ users | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+
+- name: upload pubkeys
+  ansible.builtin.copy:
+    content: "{{ item.value.ssh_keys | join('\n') }}"
+    dest: "{{ jailroot }}/git/sshkeys/{{ item.key }}"
+    owner: "{{ item.key }}"
+    mode: 0400
+  when: item.value.ssh_keys is defined
+  loop: "{{ users | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+
+- name: configure sshd
+  ansible.builtin.lineinfile:
+    path: "{{ jailroot }}/etc/ssh/sshd_config"
+    regex: "^(#)?{{item.key}}"
+    line: "{{item.key}} {{item.value}}"
+    state: present
+  loop:
+    - { key: "PermitRootLogin", value: "no" }
+    - { key: "PasswordAuthentication", value: "no" }
+    - { key: "ChallengeResponseAuthentication", value: "no" }
+    - { key: "UsePAM", value: "no" }
+    - { key: "AuthorizedKeysFile", value: "/git/sshkeys/%u" }
+  register: sshd_conf
+
+- name: configure nginx for cgit
+  ansible.builtin.template:
+    src: cgit.nginx.conf.j2
+    dest: "{{ jailroot }}/usr/local/etc/nginx/nginx.conf"
+  register: nginx_conf
+
+- name: cgit conf
+  ansible.builtin.template:
+    src: cgitrc.j2
+    dest: "{{ jailroot }}/usr/local/etc/cgitrc"
+  register: cgit_conf
+
+- name: restart nginx
+  when: nginx_conf.changed
+  jexec:
+    cmd: service nginx restart
+    jail: "{{ jail.name }}"
+
+- name: restart sshd
+  when: sshd_conf.changed
+  jexec:
+    cmd: service sshd restart
+    jail: "{{ jail.name }}"
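Review bot: The `create users` task runs `pw useradd {{ item.key }}` unconditionally, so a second run of the play fails as soon as a user already exists, while the `create groups` task above guards each `pw groupadd` with `getent`; apply the same guard, `getent passwd {{ item.key }} || pw useradd {{ item.key }} -g gitdev -s /usr/local/libexec/git-core/git-shell -d /git/repos` (the `pw usermod -G gitadm` line is safe to repeat). In `upload pubkeys`, `mode: 0400` relies on the YAML 1.1 parser reading the leading zero as octal; the quoted form `mode: "0400"` expresses the same mode without depending on that and matches the quoted `mode: "g=rx"` used in `setup gubbshell`. Separately, `chmod g+rws /git/repos` makes the directory group-writable for every gitdev member while it is also their shared home, so the `git-shell-commands` directory that git-shell trusts sits under a path its own users can rename entries in; the sticky bit on `/git/repos` or a home outside the repo tree would narrow that, though whether create-repo/delete-repo depend on that write access is not visible in this commit.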
