# Pull in the per-jail variables used below (jail.name, jailroot, gitdataset,
# users are referenced by later tasks — presumably defined in this file; confirm).
- name: load task vars
  ansible.builtin.include_vars:
    file: ./variables.yaml

# Packages are installed inside the jail, not on the host.
- name: install git and cgit
  community.general.pkgng:
    jail: '{{ jail.name }}'
    name:
      - git
      - cgit

# nginx fronts cgit; fcgiwrap is the FastCGI bridge that runs the cgit CGI.
- name: install nginx and fcgiwrap
  community.general.pkgng:
    jail: '{{ jail.name }}'
    name:
      - nginx
      - fcgiwrap

# rc.conf wants the literal string YES; keep it quoted so YAML does not read it
# as a boolean.
- name: enable fcgiwrap
  community.general.sysrc:
    jail: '{{ jail.name }}'
    name: fcgiwrap_enable
    value: 'YES'

# Make the fcgiwrap socket group-owned by www so nginx can connect to it
# (assumes nginx runs as www — confirm against the nginx config template).
- name: set nginx permissions on fcgiwrap
  community.general.sysrc:
    jail: '{{ jail.name }}'
    name: fcgiwrap_socket_group
    value: 'www'

# `restart` also starts the service when it is not yet running. This runs
# unconditionally on every play; jexec is a project module, so whether it
# reports "changed" here is not visible from this file.
- name: start fcgiwrap
  jexec:
    jail: '{{ jail.name }}'
    cmd: service fcgiwrap restart

# Enable nginx at jail boot. It is only (re)started by the "restart nginx"
# task further down, after its config has been written.
- name: enable nginx
  community.general.sysrc:
    jail: '{{ jail.name }}'
    name: nginx_enable
    value: 'YES'

# gitdev: every git user (owns /git/repos via setgid); gitadm: users allowed
# to run the admin shell commands. The getent guard keeps this re-runnable.
- name: create groups
  jexec:
    jail: '{{ jail.name }}'
    cmd: |
      getent group gitdev || pw groupadd gitdev
      getent group gitadm || pw groupadd gitadm

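# Ensure the git dataset is mounted at /git inside the jail.
# Both command substitutions are quoted: an unquoted empty result (dataset
# missing, zfs not delegated to the jail) would turn `[ == "/git" ]` into a
# test(1) syntax error instead of a clear failure. `=` is the POSIX string
# comparison; `==` is a non-portable extension.
# Shell precedence: the `||` branch runs when either test fails.
# NOTE(review): `zfs set mountpoint` only remounts when the value changes; if
# the mountpoint is already /git but the dataset is unmounted this is likely a
# no-op — verify, a `zfs mount` fallback may be needed.
- name: mount and set up git in zfs
  jexec:
    cmd: |
      [ "$(zfs get -H -o value mountpoint {{ gitdataset }})" = "/git" ] && \
      [ "$(zfs get -H -o value mounted {{ gitdataset }})" = "yes" ] || \
      zfs set mountpoint=/git {{ gitdataset }}
    jail: "{{ jail.name }}"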

# Re-applying the same property value on every run is harmless.
- name: enable zfs compression on git data
  jexec:
    jail: '{{ jail.name }}'
    cmd: |
      zfs set compression=on {{ gitdataset }}

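# /git/repos: shared home + repo root for all git users. setgid (g+s) makes
# new repositories inherit the gitdev group; g+w lets the group create them.
# /git/sshkeys: per-user authorized_keys files read by sshd (see "configure
# sshd"). Its mode is set explicitly rather than left to the umask because
# sshd's StrictModes rejects key files under group/world-writable directories.
- name: create folders and set permissions
  jexec:
    cmd: |
      mkdir -p /git/repos
      chown root:gitdev /git/repos
      chmod g+rws /git/repos
      mkdir -p /git/sshkeys
      chmod 0755 /git/sshkeys
    jail: "{{ jail.name }}"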

# Enable sshd at jail boot; it is (re)started by "restart sshd" once configured.
- name: enable sshd
  community.general.sysrc:
    jail: '{{ jail.name }}'
    name: sshd_enable
    value: 'YES'

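# git-shell looks for custom commands in $HOME/git-shell-commands; $HOME is
# /git/repos for every git user (see "create users"). Created from the host
# side through the jail root. Mode is pinned instead of inherited from the
# host umask.
- name: create git shell command dir
  ansible.builtin.file:
    path: "{{ jailroot }}/git/repos/git-shell-commands"
    state: directory
    mode: "0755"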

# Trailing slash on src copies the directory's contents, not the directory.
# Only the group bits are set here (g=rx); the owner/other bits come from the
# copy defaults. The later chgrp-to-gitadm task relies on "other" having no
# execute bit so that admin-only commands are unusable by plain gitdev users —
# presumably 0644-style defaults; confirm on the target.
- name: setup gubbshell
  ansible.builtin.copy:
    dest: '{{ jailroot }}/git/repos/git-shell-commands/'
    src: ./gubbshell/
    mode: 'g=rx'

# Editor for the shell commands (presumably used by edit-repo — not visible here).
- name: install nano
  community.general.pkgng:
    jail: '{{ jail.name }}'
    name:
      - nano

# Admin-only commands: with group execute set by "setup gubbshell" and no
# execute bit for others, moving these to the gitadm group restricts them to
# admin users.
- name: set correct permissions for gubbshell scripts
  jexec:
    jail: '{{ jail.name }}'
    cmd: >-
      chgrp gitadm
      /git/repos/git-shell-commands/create-repo
      /git/repos/git-shell-commands/delete-repo
      /git/repos/git-shell-commands/edit-repo

# /git/repos is the shared home of all git users, so one .hushlogin silences
# the login message for everyone.
- name: disable motd
  jexec:
    jail: '{{ jail.name }}'
    cmd: touch /git/repos/.hushlogin

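# One jail account per entry of `users` (a dict keyed by login name). Every
# account shares /git/repos as home, is in gitdev, and is restricted to
# git-shell; entries flagged `admin` also join gitadm.
- name: create users
  jexec:
    # The `pw usershow` guard keeps the task re-runnable: `pw useradd` fails
    # on an existing login. `default(false)` tolerates entries without an
    # admin key, which would otherwise be an undefined-variable error.
    cmd: |
      pw usershow {{ item.key }} >/dev/null 2>&1 || \
      pw useradd {{ item.key }} -g gitdev -s /usr/local/libexec/git-core/git-shell -d /git/repos
      {% if item.value.admin | default(false) %}
        pw usermod {{ item.key }} -G gitadm
      {% endif %}
    jail: "{{ jail.name }}"
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"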

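# Write each user's authorized keys to /git/sshkeys/<login>, the path sshd is
# pointed at by "configure sshd". 0400 + user ownership satisfies StrictModes.
# Mode is quoted: a bare 0400 is read as an octal integer by YAML 1.1 loaders
# and Ansible warns about leading-zero modes.
# NOTE(review): copy runs on the jail host, so `owner` is resolved against the
# host's user database, not the jail's — confirm the login exists there, or
# pass a numeric uid instead.
- name: upload pubkeys
  ansible.builtin.copy:
    content: "{{ item.value.ssh_keys | join('\n') }}"
    dest: "{{ jailroot }}/git/sshkeys/{{ item.key }}"
    owner: "{{ item.key }}"
    mode: "0400"
  when: item.value.ssh_keys is defined
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"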

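# Harden the jail's sshd: key-only authentication, no root login, keys read
# from /git/sshkeys/<login>. Edited on the host side through the jail root;
# the registered result drives the "restart sshd" task.
# NOTE(review): no `validate:` is set, so a bad edit only surfaces when sshd
# is restarted — consider `validate: sshd -t -f %s` if it works for this layout.
- name: configure sshd
  ansible.builtin.lineinfile:
    path: "{{ jailroot }}/etc/ssh/sshd_config"
    # Also matches the commented-out default line so it is replaced rather
    # than duplicated.
    regexp: "^(#)?{{ item.key }}"
    line: "{{ item.key }} {{ item.value }}"
    state: present
  loop:
    - key: PermitRootLogin
      value: "no"
    - key: PasswordAuthentication
      value: "no"
    # Renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name is
    # still accepted as an alias.
    - key: ChallengeResponseAuthentication
      value: "no"
    - key: UsePAM
      value: "no"
    - key: AuthorizedKeysFile
      value: "/git/sshkeys/%u"
  register: sshd_conf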

# Rendered on the host into the jail's nginx.conf; the registered result
# gates the "restart nginx" task. No validate step, so syntax errors only
# show up at restart.
- name: configure nginx for cgit
  ansible.builtin.template:
    dest: '{{ jailroot }}/usr/local/etc/nginx/nginx.conf'
    src: cgit.nginx.conf.j2
  register: nginx_conf

# cgit reads its config at request time; cgit_conf is registered but no task
# in this file consumes it.
- name: cgit conf
  ansible.builtin.template:
    dest: '{{ jailroot }}/usr/local/etc/cgitrc'
    src: cgitrc.j2
  register: cgit_conf

# Only when the config template actually changed; `restart` also starts nginx
# on the first run.
- name: restart nginx
  jexec:
    jail: '{{ jail.name }}'
    cmd: service nginx restart
  when: nginx_conf is changed

# Only when any of the sshd_config edits changed; the loop's registered
# result reports changed if any item did.
- name: restart sshd
  jexec:
    jail: '{{ jail.name }}'
    cmd: service sshd restart
  when: sshd_conf is changed