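---
# Provision a git hosting jail: ssh access restricted to git-shell for the users
# listed in variables.yaml, plus web browsing of the repos through cgit behind
# nginx/fcgiwrap. "jexec" tasks run their command inside the jail; paths built
# from "jailroot" are touched from the host's view of the jail filesystem.

- name: load task vars
  ansible.builtin.include_vars: ./variables.yaml

- name: install git and cgit
  community.general.pkgng:
    name:
      - git
      - cgit
    jail: "{{ jail.name }}"

- name: install nginx and fcgiwrap
  community.general.pkgng:
    name:
      - nginx
      - fcgiwrap
    jail: "{{ jail.name }}"

- name: enable fcgiwrap
  community.general.sysrc:
    name: fcgiwrap_enable
    value: "YES"
    jail: "{{ jail.name }}"

# nginx connects to fcgiwrap's unix socket as the "www" group.
- name: set nginx permissions on fcgiwrap
  community.general.sysrc:
    name: fcgiwrap_socket_group
    value: "www"
    jail: "{{ jail.name }}"

- name: start fcgiwrap
  jexec:
    cmd: service fcgiwrap restart
    jail: "{{ jail.name }}"

- name: enable nginx
  community.general.sysrc:
    name: nginx_enable
    value: "YES"
    jail: "{{ jail.name }}"

# gitdev: primary group of every git user. gitadm: users allowed to run the
# repo-management scripts installed in git-shell-commands.
- name: create groups
  jexec:
    cmd: |
      getent group gitdev || pw groupadd gitdev
      getent group gitadm || pw groupadd gitadm
    jail: "{{ jail.name }}"

# Ensure the dataset is mounted at /git. Command substitutions are quoted so an
# empty answer (dataset missing, zfs error) fails the test instead of breaking
# the shell syntax; "zfs set mountpoint" only remounts when the mountpoint
# actually changes, so an unmounted dataset already pointing at /git needs an
# explicit "zfs mount".
- name: mount and set up git in zfs
  jexec:
    cmd: |
      if [ "$(zfs get -H -o value mountpoint {{ gitdataset }})" != "/git" ]; then
        zfs set mountpoint=/git {{ gitdataset }}
      fi
      if [ "$(zfs get -H -o value mounted {{ gitdataset }})" != "yes" ]; then
        zfs mount {{ gitdataset }}
      fi
    jail: "{{ jail.name }}"

- name: enable zfs compression on git data
  jexec:
    cmd: zfs set compression=on {{ gitdataset }}
    jail: "{{ jail.name }}"

# /git/repos is both the shared $HOME of every git user and the directory new
# repositories are created in. setgid (g+s) makes new repos inherit the gitdev
# group; the group write bit is what lets the gitadm scripts create them.
# NOTE(review): git-shell's restriction relies on $HOME/git-shell-commands not
# being writable by the user. Because /git/repos is group-writable, anyone who
# can create arbitrary files there (in practice the gitadm script users) can
# replace that directory and escape git-shell; treat gitadm as trusted.
- name: create folders and set permissions
  jexec:
    cmd: |
      mkdir -p /git/repos
      chown root:gitdev /git/repos
      chmod g+rws /git/repos
      # sshd (StrictModes) rejects key files whose parent directory is
      # group/world-writable; pin the mode instead of relying on the umask.
      mkdir -p /git/sshkeys
      chmod 0755 /git/sshkeys
    jail: "{{ jail.name }}"

- name: enable sshd
  community.general.sysrc:
    name: sshd_enable
    value: "YES"
    jail: "{{ jail.name }}"

# git-shell runs interactive commands only from $HOME/git-shell-commands, and
# $HOME of every git user is /git/repos (see "create users").
- name: create git shell command dir
  ansible.builtin.file:
    path: "{{ jailroot }}/git/repos/git-shell-commands"
    state: directory
    mode: "0755"

# Scripts stay root-owned; group gets read+execute and the chgrp below hands
# that group bit to gitadm only. Other bits are left at the module default
# (assumed to carry no execute bit — confirm, otherwise every gitdev user can
# run the admin scripts).
- name: setup gubbshell
  ansible.builtin.copy:
    src: ./gubbshell/
    dest: "{{ jailroot }}/git/repos/git-shell-commands/"
    mode: "g=rx"

- name: install nano
  community.general.pkgng:
    name:
      - nano
    jail: "{{ jail.name }}"

- name: set correct permissions for gubbshell scripts
  jexec:
    cmd: >-
      chgrp gitadm
      /git/repos/git-shell-commands/create-repo
      /git/repos/git-shell-commands/delete-repo
      /git/repos/git-shell-commands/edit-repo
    jail: "{{ jail.name }}"

- name: disable motd
  jexec:
    cmd: touch /git/repos/.hushlogin
    jail: "{{ jail.name }}"

# Account names come from variables.yaml and are interpolated unquoted into a
# shell line: keep them plain account names. Creation is guarded so re-running
# the play does not fail on "user already exists"; shell and home are enforced
# on every run; gitadm membership follows the "admin" flag in both directions
# (defaults to false when unset).
- name: create users
  jexec:
    cmd: |
      pw usershow {{ item.key }} >/dev/null 2>&1 || \
        pw useradd {{ item.key }} -g gitdev -s /usr/local/libexec/git-core/git-shell -d /git/repos
      pw usermod {{ item.key }} -g gitdev -s /usr/local/libexec/git-core/git-shell -d /git/repos
      {% if item.value.admin | default(false) %}
      pw usermod {{ item.key }} -G gitadm
      {% else %}
      if id -Gn {{ item.key }} | tr ' ' '\n' | grep -qx gitadm; then
        pw groupmod gitadm -d {{ item.key }}
      fi
      {% endif %}
    jail: "{{ jail.name }}"
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"

# sshd reads the key file with the user's privileges, so it must be owned by
# that user and not writable by anyone else.
# NOTE(review): "owner" is resolved against the passwd of the host running the
# play, not the jail's; if the host does not know these accounts (or UIDs
# differ), chown the file inside the jail with a jexec task instead.
- name: upload pubkeys
  ansible.builtin.copy:
    content: "{{ item.value.ssh_keys | join('\n') }}"
    dest: "{{ jailroot }}/git/sshkeys/{{ item.key }}"
    owner: "{{ item.key }}"
    mode: "0400"
  when: item.value.ssh_keys is defined
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"

# Revoke access for users whose ssh_keys entry was removed; accounts deleted
# from "users" altogether are not cleaned up by this play.
- name: remove pubkeys for users without keys
  ansible.builtin.file:
    path: "{{ jailroot }}/git/sshkeys/{{ item.key }}"
    state: absent
  when: item.value.ssh_keys is not defined
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"

# Key-only authentication. AuthorizedKeysFile is forced to /git/sshkeys/%u
# because all git users share /git/repos as $HOME: the default
# ~/.ssh/authorized_keys would be a single file honoured for every account.
# KbdInteractiveAuthentication is the current name of
# ChallengeResponseAuthentication; both are set so either sshd vintage is
# covered. Each directive is matched as a whole word so a key that prefixes
# another is not rewritten by mistake.
- name: configure sshd
  ansible.builtin.lineinfile:
    path: "{{ jailroot }}/etc/ssh/sshd_config"
    regexp: '^#?{{ item.key }}\b'
    line: "{{ item.key }} {{ item.value }}"
    state: present
  loop:
    - key: PermitRootLogin
      value: "no"
    - key: PasswordAuthentication
      value: "no"
    - key: ChallengeResponseAuthentication
      value: "no"
    - key: KbdInteractiveAuthentication
      value: "no"
    - key: UsePAM
      value: "no"
    - key: AuthorizedKeysFile
      value: /git/sshkeys/%u
  register: sshd_conf

- name: configure nginx for cgit
  ansible.builtin.template:
    src: cgit.nginx.conf.j2
    dest: "{{ jailroot }}/usr/local/etc/nginx/nginx.conf"
  register: nginx_conf

- name: cgit conf
  ansible.builtin.template:
    src: cgitrc.j2
    dest: "{{ jailroot }}/usr/local/etc/cgitrc"
  register: cgit_conf

- name: restart nginx
  when: nginx_conf.changed
  jexec:
    cmd: service nginx restart
    jail: "{{ jail.name }}"

# A broken sshd_config fails this restart and therefore the play; consider a
# "sshd -t -f" check before restarting so a bad edit never takes the daemon down.
- name: restart sshd
  when: sshd_conf.changed
  jexec:
    cmd: service sshd restart
    jail: "{{ jail.name }}"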