From bc0d7897d1f4a88d5d60b9460a3fd52a3fc196bc Mon Sep 17 00:00:00 2001 
From: Lars Wirzenius Date: Fri, 21 Apr 2017 16:34:57 +0300 Subject: Add web_server and git_server roles Need git_server for the new QvarnLabs git server, and the git server relies on the web server for cgit. --- roles/git_server/README | 3 ++ roles/git_server/defaults/main.yml | 9 +++++ roles/git_server/files/git-daemon.service | 11 ++++++ roles/git_server/files/git-daemon.socket | 9 +++++ roles/git_server/tasks/cgit.yml | 50 ++++++++++++++++++++++++ roles/git_server/tasks/git-daemon.yml | 22 +++++++++++ roles/git_server/tasks/gitano.yml | 43 ++++++++++++++++++++ roles/git_server/tasks/main.yml | 3 ++ roles/git_server/templates/apache-cgit-host.j2 | 37 ++++++++++++++++++ roles/git_server/templates/cgitrc.j2 | 49 +++++++++++++++++++++++ roles/git_server/templates/gitano-setup.answers | 11 ++++++ roles/web_server/README | 4 ++ roles/web_server/defaults/main.yml | 17 ++++++++ roles/web_server/handlers/main.yml | 4 ++ roles/web_server/tasks/main.yml | 38 ++++++++++++++++++ roles/web_server/templates/virtualhost.conf.tmpl | 14 +++++++ 16 files changed, 324 insertions(+) create mode 100644 roles/git_server/README create mode 100644 roles/git_server/defaults/main.yml create mode 100644 roles/git_server/files/git-daemon.service create mode 100644 roles/git_server/files/git-daemon.socket create mode 100644 roles/git_server/tasks/cgit.yml create mode 100644 roles/git_server/tasks/git-daemon.yml create mode 100644 roles/git_server/tasks/gitano.yml create mode 100644 roles/git_server/tasks/main.yml create mode 100644 roles/git_server/templates/apache-cgit-host.j2 create mode 100644 roles/git_server/templates/cgitrc.j2 create mode 100644 roles/git_server/templates/gitano-setup.answers create mode 100644 roles/web_server/README create mode 100644 roles/web_server/defaults/main.yml create mode 100644 roles/web_server/handlers/main.yml create mode 100644 roles/web_server/tasks/main.yml create mode 100644 roles/web_server/templates/virtualhost.conf.tmpl 
diff --git a/roles/git_server/README b/roles/git_server/README
new file mode 100644
index 0000000..209a088
--- /dev/null
+++ b/roles/git_server/README
@@ -0,0 +1,3 @@
+This role sets up a host as a git server. Git access is controlled by
+Gitano. Cgit (via Apache) provides web browsing of public
+repositories. The git protocol (read-only) is also supported.
diff --git a/roles/git_server/defaults/main.yml b/roles/git_server/defaults/main.yml
new file mode 100644
index 0000000..cefb0c5
--- /dev/null
+++ b/roles/git_server/defaults/main.yml
@@ -0,0 +1,9 @@
+gitano_bypass_pub: /path/to/your/gitano/bypass/ssh/public/key
+gitano_admin_pub: /path/to/your/gitano/admin/public/key
+gitano_site_name: my.git.server
+gitano_log_prefix: gitano
+cgit_hosts:
+ - add
+ - your
+ - hosts
+ - here
diff --git a/roles/git_server/files/git-daemon.service b/roles/git_server/files/git-daemon.service
new file mode 100644
index 0000000..0b95597
--- /dev/null
+++ b/roles/git_server/files/git-daemon.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Git Daemon
+Documentation=man:git-daemon(1)
+
+[Service]
+User=nobody
+Group=nogroup
+ExecStart=-/usr/lib/git-core/git-daemon --inetd --base-path=/home/git/repos --verbose
+StandardInput=socket
+StandardOutput=inherit
+StandardError=journal
diff --git a/roles/git_server/files/git-daemon.socket b/roles/git_server/files/git-daemon.socket
new file mode 100644
index 0000000..3dec01d
--- /dev/null
+++ b/roles/git_server/files/git-daemon.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=Git Activation Socket
+
+[Socket]
+ListenStream=9418
+Accept=true
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/git_server/tasks/cgit.yml b/roles/git_server/tasks/cgit.yml
new file mode 100644
index 0000000..fff0d93
--- /dev/null
+++ b/roles/git_server/tasks/cgit.yml
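Review bot: The `cgit_hosts` placeholder list in defaults/main.yml is live data, not just an example: with the default left in place the cgit tasks create `/var/log/apache2/add`, `/var/log/apache2/your` and so on, write `/etc/cgitrc` once per entry, and enable four Apache sites named after the placeholder words. The two `*_pub` placeholders fail safely because `lookup('file', …)` errors on a missing path, but a list of strings does not. An empty default, `cgit_hosts: []`, turns a forgotten override into a no-op instead of a mis-configured web server; if the role must refuse to run without hosts, an `assert` task on `cgit_hosts | length == 1` would also enforce the single-host limitation that cgit.yml only notes in a comment.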
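Review bot: git-daemon.service runs the daemon as `nobody`, so every repository it exports must be traversable and readable by that user, yet nothing in this change sets the mode of `/home/git` or `/home/git/repos` — they are left to the `user` task's defaults and to whatever `gitano-setup` does. If the home directory ends up `0750` the daemon silently exports nothing, so a `file:` task pinning `/home/git` to `0755` after setup (or a README note) is worth adding. The absence of `--export-all` is the right choice and should be stated, since combined with cgit's `strict-export=git-daemon-export-ok` only repositories explicitly marked exportable are visible over either read-only path; a comment such as `# No --export-all: only repos containing git-daemon-export-ok are served` on the `ExecStart=` line would stop a later maintainer from "fixing" it.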
@@ -0,0 +1,50 @@
+- name: install cgit
+ apt: name=cgit
+
+- name: enable modules for Apache
+ shell:
+ "a2enmod {{ item }}"
+ with_items:
+ - cgi
+ - rewrite
+
+- name: create empty dir as cgi docroot
+ file:
+ state: directory
+ path: /var/lib/misc/cgit-docroot
+ owner: root
+ group: root
+ mode: 0755
+
+- name: create directories for Apache log files
+ file:
+ state: directory
+ path: "/var/log/apache2/{{ item }}"
+ owner: root
+ group: root
+ mode: 0755
+ with_items: "{{ cgit_hosts }}"
+
+# This only works with exactly one item in cgit_hosts. To be fixed if
+# there's need for more someday.
+- name: install cgitrc
+ template:
+ src: cgitrc.j2
+ dest: /etc/cgitrc
+ owner: root
+ group: root
+ mode: 0755
+ with_items: "{{ cgit_hosts }}"
+
+- name: install apache virtualhosts
+ template:
+ src: apache-cgit-host.j2
+ dest: "/etc/apache2/sites-available/{{ item }}.conf"
+ owner: root
+ group: root
+ mode: 0755
+ with_items: "{{ cgit_hosts }}"
+
+- name: enable virtualhosts
+ shell: "a2ensite {{ item }}"
+ with_items: "{{ cgit_hosts }}"
diff --git a/roles/git_server/tasks/git-daemon.yml b/roles/git_server/tasks/git-daemon.yml
new file mode 100644
index 0000000..e3e15f1
--- /dev/null
+++ b/roles/git_server/tasks/git-daemon.yml
@@ -0,0 +1,22 @@
+- name: copy over git-daemon.service
+ copy:
+ src: git-daemon.service
+ dest: /lib/systemd/system/git-daemon@.service
+ owner: root
+ group: root
+ mode: 0644
+
+- name: copy over git-daemon.socket
+ copy:
+ src: git-daemon.socket
+ dest: /lib/systemd/system/git-daemon.socket
+ owner: root
+ group: root
+ mode: 0644
+
+- name: start git-daemon.socket
+ systemd:
+ name: git-daemon.socket
+ daemon_reload: yes
+ state: started
+ enabled: yes
diff --git a/roles/git_server/tasks/gitano.yml b/roles/git_server/tasks/gitano.yml
new file mode 100644
index 0000000..7d7b4fb
--- /dev/null
+++ b/roles/git_server/tasks/gitano.yml
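Review bot: `install cgitrc` and `install apache virtualhosts` write configuration files with `mode: 0755`; nothing executes `/etc/cgitrc` or a `sites-available/*.conf`, and the web_server role in this same commit installs its vhost template with `mode: 0644`, so both should be `mode: "0644"` (quoted, so the value is not subject to YAML's octal-integer parsing). The `a2enmod` and `a2ensite` steps use `shell:` with an interpolated value and no `creates:`, so they run and report changed on every play; `command: a2ensite {{ item }}` with `args: creates: /etc/apache2/sites-enabled/{{ item }}.conf` is idempotent and keeps the host name out of a shell parser. Neither task notifies an Apache reload, so the new vhost only takes effect after an unrelated restart; the `restart apache` handler lives in the web_server role, on which this role declares no dependency (there is no `meta/main.yml` in the diffstat), so `a2enmod` also assumes Apache is already installed by something else.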
@@ -0,0 +1,43 @@
+- name: install gitano
+ apt: name=gitano
+
+- name: create Unix user git
+ user:
+ name: git
+ comment: "Gitano server"
+ system: yes
+
+- name: install bypass ssh key to git user auth keys
+ authorized_key:
+ user: git
+ state: present
+ key: "{{ lookup('file', gitano_bypass_pub) }}"
+
+- name: copy over gitano admin public key
+ copy:
+ src: "{{ gitano_admin_pub }}"
+ dest: /home/git/admin.pub
+ owner: git
+ group: git
+ mode: 0644
+
+- name: copy over gitano bypass public key
+ copy:
+ src: "{{ gitano_bypass_pub }}"
+ dest: /home/git/bypass.pub
+ owner: git
+ group: git
+ mode: 0644
+
+- name: "copy over gitano-setup.answers"
+ template:
+ src: gitano-setup.answers
+ dest: /home/git/gitano-setup.answers
+ owner: git
+ group: git
+ mode: 0644
+
+- name: run gitano-setup
+ shell: sudo -i -u git gitano-setup /home/git/gitano-setup.answers
+ args:
+ creates: /home/git/repos
diff --git a/roles/git_server/tasks/main.yml b/roles/git_server/tasks/main.yml
new file mode 100644
index 0000000..08486fa
--- /dev/null
+++ b/roles/git_server/tasks/main.yml
@@ -0,0 +1,3 @@
+- include: gitano.yml
+- include: git-daemon.yml
+- include: cgit.yml
diff --git a/roles/git_server/templates/apache-cgit-host.j2 b/roles/git_server/templates/apache-cgit-host.j2
new file mode 100644
index 0000000..2f9eeb0
--- /dev/null
+++ b/roles/git_server/templates/apache-cgit-host.j2
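Review bot: `run gitano-setup` shells out to `sudo -i -u git …` from a task Ansible is already running with its own privilege; `become: yes` and `become_user: git` on the task with `command: gitano-setup /home/git/gitano-setup.answers` (keeping `args: creates: /home/git/repos`) does the same without depending on sudo being installed and configured on the target and without putting a shell in the path. The earlier `authorized_key` task installs the bypass key into `~git/.ssh/authorized_keys` with no `command=` restriction — which is what a Gitano bypass key is for, but it means whoever holds that private key has an unrestricted shell as `git`; the README should say so, and the key should not live on the Ansible controller's ordinary key ring. Presumably `gitano-setup` also manages `authorized_keys` itself, since the answers file hands it `paths.ssh` and `paths.bypasskey`; worth confirming that neither side rewrites the file and drops the other's entry on a re-run.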
@@ -0,0 +1,37 @@
+
+ ServerName {{ item }}
+ ServerAdmin root@localhost
+ DocumentRoot /var/lib/misc/cgit-docroot
+ ErrorLog /var/log/apache2/{{ item }}/error.log
+ CustomLog /var/log/apache2/{{ item }}/access.log combined
+
+ ScriptAlias /cgi-bin/cgit/ /usr/lib/cgit/
+ ScriptAlias /cgi-bin/ /usr/lib/cgit/
+
+
+ AllowOverride None
+ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+ Require all granted
+
+
+ # CGIT stuff
+ DirectoryIndex /cgi-bin/cgit.cgi
+ Alias /cgit.png /usr/share/cgit/cgit.png
+ Alias /cgit.css /usr/share/cgit/cgit.css
+
+ Options FollowSymlinks Indexes
+ AllowOverride none
+ Require all granted
+
+
+
+ Require all granted
+
+
+ RewriteEngine on
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond %{REQUEST_FILENAME} !cgit
+ RewriteRule ^.* /cgi-bin/cgit.cgi/$0 [L,PT]
+
+
diff --git a/roles/git_server/templates/cgitrc.j2 b/roles/git_server/templates/cgitrc.j2
new file mode 100644
index 0000000..4e518cf
--- /dev/null
+++ b/roles/git_server/templates/cgitrc.j2
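Review bot: The `VirtualHost` and `Directory` container lines were lost in this rendering, so the listening port cannot be confirmed from the hunk, but nothing in it enables TLS while cgit serves repository contents and `tar.gz` snapshots; if the container is `*:80`, either terminate TLS in front of it or pair it with a redirect, otherwise everything fetched through the web UI is tamperable in transit. On the asset directory, `Options FollowSymlinks Indexes` also turns on directory listings for `/usr/share/cgit`, which is unnecessary since only `cgit.png` and `cgit.css` are aliased into it — `Options FollowSymlinks` is enough. The rewrite block is a reasonable catch-all for `virtual-root=/` URLs; a comment such as `# Route anything that is not a real file/dir (or cgit's own assets) to cgit.cgi` would help the next reader.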
@@ -0,0 +1,49 @@
+# Enable caching of up to 1000 output entriess
+cache-size=1000
+
+# Specify some default clone prefixes
+clone-prefix=git://{{ item }}
+
+# Specify the css url
+css=/cgit.css
+
+# Specify the logo url
+logo=/cgit.png
+
+# Show extra links for each repository on the index page
+enable-index-links=1
+
+# Show number of affected files per commit on the log pages
+enable-log-filecount=1
+
+# Show number of added/removed lines per commit on the log pages
+enable-log-linecount=1
+
+# Set the title and heading of the repository index page
+root-title={{ item }}
+root-desc=git repositories for {{ item }}
+
+# Allow download of tar.gz, tar.bz2 and zip-files
+snapshots=tar.gz
+
+#source-filter=/usr/lib/cgit/filters/syntax-highlighting.sh
+
+remove-suffix=1
+
+enable-git-config=1
+
+strict-export=git-daemon-export-ok
+
+scan-path=/home/git/repos
+
+virtual-root=/
+
+##
+## List of common mimetypes
+##
+mimetype.git=image/git
+mimetype.html=text/html
+mimetype.jpg=image/jpeg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
diff --git a/roles/git_server/templates/gitano-setup.answers b/roles/git_server/templates/gitano-setup.answers
new file mode 100644
index 0000000..9c7711e
--- /dev/null
+++ b/roles/git_server/templates/gitano-setup.answers
@@ -0,0 +1,11 @@
+setup.batch "yes"
+paths.bypasskey "/home/git/bypass.pub"
+paths.home "/home/git"
+paths.ssh "/home/git/.ssh"
+paths.pubkey "/home/git/admin.pub"
+paths.repos "/home/git/repos"
+admin.username "admin"
+admin.realname "Administrator"
+admin.email "admin@administrator.local"
+site.name "{{ gitano_site_name }}"
+log.prefix "{{ gitano_log_prefix }}"
diff --git a/roles/web_server/README b/roles/web_server/README
new file mode 100644
index 0000000..61ab80d
--- /dev/null
+++ b/roles/web_server/README
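Review bot: `mimetype.git=image/git` in cgitrc.j2 is a typo — neither the extension nor the media type exists — and should read `mimetype.gif=image/gif`. `enable-git-config=1` lets per-repository git config (`cgit.*` keys) override display settings for that repository, and in this deployment repositories are populated by Gitano users, so it hands a slice of the web UI configuration to anyone who can push; probably intended, but a comment on that line stating the trust decision would make it explicit. The comment `# Allow download of tar.gz, tar.bz2 and zip-files` no longer matches `snapshots=tar.gz`, which only enables one format; and `strict-export=git-daemon-export-ok` deserves a note that it must stay aligned with the git-daemon unit in this commit, which likewise exports only marked repositories.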
@@ -0,0 +1,4 @@
+This role provides a web server for static sites using Apache. More
+dynamic sites can be built on top by other roles by enablind Apache
+modules and adding sites with suitable configs.
+
diff --git a/roles/web_server/defaults/main.yml b/roles/web_server/defaults/main.yml
new file mode 100644
index 0000000..cfa797c
--- /dev/null
+++ b/roles/web_server/defaults/main.yml
@@ -0,0 +1,17 @@
+# List of domains names for static sites served by this host. This
+# should be a list of dicts with the following fields:
+#
+# domain: the domain name
+# alias: another domain name that is also for this site
+# owner: local Unix user of site owner
+# ownermail: email address for the site owner
+#
+# Example:
+#
+# static_sites:
+# - domain: liw.fi
+# alias: www.liw.fi
+# owner: liw
+# ownermail: liw@liw.fi
+
+static_sites: []
diff --git a/roles/web_server/handlers/main.yml b/roles/web_server/handlers/main.yml
new file mode 100644
index 0000000..24f6f27
--- /dev/null
+++ b/roles/web_server/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart apache
+ systemd:
+ name: apache2
+ state: restarted
\ No newline at end of file
diff --git a/roles/web_server/tasks/main.yml b/roles/web_server/tasks/main.yml
new file mode 100644
index 0000000..8a14b35
--- /dev/null
+++ b/roles/web_server/tasks/main.yml
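Review bot: The field list in defaults/main.yml does not say which fields are optional: the vhost template in this commit guards `alias` with `{% if item.alias is defined %}` but uses `item.domain`, `item.owner` and `item.ownermail` unconditionally, so a dict missing any of those fails at render time with an undefined-variable error rather than a clear message. Suggest `# alias: (optional) another domain name that is also for this site` and a line `# domain, owner and ownermail are required` in the comment block.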
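Review bot: The `restart apache` handler uses `state: restarted`, which drops in-flight connections each time it fires — and it fires on every play, because the only task that notifies it is an `a2ensite` `shell:` step with no `creates:`. Enabling a site or changing a vhost only needs `state: reloaded`. The file is also missing its trailing newline (`\ No newline at end of file`).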
@@ -0,0 +1,38 @@
+- name: install rsync (so one can publish files via server)
+ apt: name=rsync
+
+- name: install apache2
+ apt: name=apache2
+
+- name: create dirs for static site contents
+ file:
+ state: directory
+ path: "/srv/http/{{ item.domain }}"
+ owner: "{{ item.owner }}"
+ group: "{{ item.owner }}"
+ mode: 0755
+ with_items: "{{ static_sites }}"
+
+- name: create log dirs for websites
+ file:
+ state: directory
+ path: "/var/log/apache2/{{ item.domain }}"
+ owner: www-data
+ group: www-data
+ mode: 0755
+ with_items: "{{ static_sites }}"
+
+- name: configure apache to serve static sites
+ template:
+ src: virtualhost.conf.tmpl
+ dest: "/etc/apache2/sites-available/{{ item.domain }}.conf"
+ owner: root
+ group: root
+ mode: 0644
+ with_items: "{{ static_sites }}"
+
+- name: enable apache sites
+ shell: a2ensite "{{ item.domain }}"
+ with_items: "{{ static_sites }}"
+ notify:
+ - restart apache
diff --git a/roles/web_server/templates/virtualhost.conf.tmpl b/roles/web_server/templates/virtualhost.conf.tmpl
new file mode 100644
index 0000000..6afdd41
--- /dev/null
+++ b/roles/web_server/templates/virtualhost.conf.tmpl
@@ -0,0 +1,14 @@
+
+ ServerName {{ item.domain }}
+{% if item.alias is defined %}
+ ServerAlias {{ item.alias }}
+{% endif %}
+ ServerAdmin {{ item.ownermail }}
+ DocumentRoot /srv/http/{{ item.domain }}
+ ErrorLog /var/log/apache2/{{ item.domain }}/error.log
+ CustomLog /var/log/apache2/{{ item.domain }}/access.log combined
+
+ Options +SymlinksIfOwnerMatch +Indexes
+ Require all granted
+
+
-- cgit v1.2.1
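Review bot: `create log dirs for websites` makes `/var/log/apache2/<domain>` owned and writable by `www-data`, while Apache opens `error.log` and `access.log` there as root before dropping privileges; a compromised worker can replace a log file with a symlink and have root write to an arbitrary path at the next restart. The cgit role in this same commit creates its log directories `owner: root` / `group: root`, and this task should match — `owner: root` and `group: root`, leaving the files Apache creates root-owned as in the stock `/var/log/apache2`. Separately, `configure apache to serve static sites` does not `notify: restart apache`, so an edited vhost never triggers a reload by itself, while `enable apache sites` (a `shell:` with no `creates:`) triggers one on every run; moving the `notify` to the template task and giving a2ensite `creates: /etc/apache2/sites-enabled/{{ item.domain }}.conf` fixes both.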
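Review bot: `Options +SymlinksIfOwnerMatch +Indexes` in virtualhost.conf.tmpl publishes an automatic listing of every directory under `/srv/http/<domain>` that lacks an index file, so anything the site owner rsyncs up — drafts, backups, a stray `.git` — is enumerable by anyone. If listings are not a feature of these static sites, `Options +SymlinksIfOwnerMatch` alone is the safer default; if they are, a comment saying so on that line saves the next reviewer the question. The `VirtualHost` and `Directory` container lines are not visible in this rendering, so neither the port nor the path the options apply to can be checked from the hunk.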