aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2012-12-22 17:37:37 -0200
committerSilvio Rhatto <rhatto@riseup.net>2012-12-22 17:37:37 -0200
commit4c87436ad2317af3e8af88c409f0a47225b163a8 (patch)
treed10f5e3468ac9be016bdec3ceef27e60acce9e01
parent688256dfdd7a094a2bdfea8c23570257178cca8c (diff)
downloadpuppet-git-4c87436ad2317af3e8af88c409f0a47225b163a8.tar.gz
puppet-git-4c87436ad2317af3e8af88c409f0a47225b163a8.tar.bz2
Adding gitolite config
-rw-r--r--files/gitolite.rc235
-rw-r--r--manifests/gitolite.pp18
2 files changed, 253 insertions, 0 deletions
diff --git a/files/gitolite.rc b/files/gitolite.rc
new file mode 100644
index 0000000..141d2b9
--- /dev/null
+++ b/files/gitolite.rc
@@ -0,0 +1,235 @@
+# paths and configuration variables for gitolite
+
+$GL_PACKAGE_CONF="/etc/gitolite";
+$GL_PACKAGE_HOOKS="/usr/share/gitolite/hooks";
+
+# please read comments before editing
+
+# this file is meant to be pulled into a perl program using "do" or "require".
+
+# You do NOT need to know perl to edit the paths; it should be fairly
+# self-explanatory and easy to maintain perl syntax :-)
+
+# --------------------------------------
+# Do not uncomment these values unless you know what you're doing
+# $GL_PACKAGE_CONF = "";
+# $GL_PACKAGE_HOOKS = "";
+
+# --------------------------------------
+
+# --------------------------------------
+
+# this is where the repos go. If you provide a relative path (not starting
+# with "/"), it's relative to your $HOME. You may want to put in something
+# like "/bigdisk" or whatever if your $HOME is too small for the repos, for
+# example
+
+$REPO_BASE="repositories";
+
+# the default umask for repositories is 0077; change this if you run stuff
+# like gitweb and find it can't read the repos. Please note the syntax; the
+# leading 0 is required
+
+# $REPO_UMASK = 0077; # gets you 'rwx------'
+# $REPO_UMASK = 0027; # gets you 'rwxr-x---'
+$REPO_UMASK = 0022; # gets you 'rwxr-xr-x'
+
+# part of the setup of gitweb is a variable called $projects_list (please see
+# gitweb documentation for more on this). Set this to the same value:
+
+$PROJECTS_LIST = $ENV{HOME} . "/projects.list";
+
+# --------------------------------------
+
+# I see no reason anyone may want to change the gitolite admin directory, but
+# feel free to do so. However, please note that it *must* be an *absolute*
+# path (i.e., starting with a "/" character)
+
+# gitolite admin directory, files, etc
+
+$GL_ADMINDIR=$ENV{HOME} . "/.gitolite";
+
+# --------------------------------------
+
+# templates for location of the log files and format of their names
+
+# I prefer this template (note the %y and %m placeholders)
+# it produces files like `~/.gitolite/logs/gitolite-2009-09.log`
+
+$GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m.log";
+
+# other choices are below, or you can make your own -- but PLEASE MAKE SURE
+# the directory exists and is writable; gitolite won't do that for you (unless
+# it is the default, which is "$GL_ADMINDIR/logs")
+
+# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m-%d.log";
+# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y.log";
+
+# --------------------------------------
+
+# Please DO NOT change these three paths
+
+$GL_CONF="$GL_ADMINDIR/conf/gitolite.conf";
+$GL_KEYDIR="$GL_ADMINDIR/keydir";
+$GL_CONF_COMPILED="$GL_ADMINDIR/conf/gitolite.conf-compiled.pm";
+
+# --------------------------------------
+
+# if git on your server is on a standard path (that is
+# ssh git@server git --version
+# works), leave this setting as is. Otherwise, choose one of the
+# alternatives, or write your own
+
+$GIT_PATH="";
+# $GIT_PATH="/opt/bin/";
+
+# --------------------------------------
+
+# ----------------------------------------------------------------------
+# BIG CONFIG SETTINGS
+
+# Please read doc/big-config.mkd for details
+
+$GL_BIG_CONFIG = 0;
+$GL_NO_DAEMON_NO_GITWEB = 0;
+$GL_NO_CREATE_REPOS = 0;
+$GL_NO_SETUP_AUTHKEYS = 0;
+
+# ----------------------------------------------------------------------
+# SECURITY SENSITIVE SETTINGS
+#
+# Settings below this point may have security implications. That
+# usually means that I have not thought hard enough about all the
+# possible ways to crack security if these settings are enabled.
+
+# Please see details on each setting for specifics, if any.
+# ----------------------------------------------------------------------
+
+
+
+# --------------------------------------
+# ALLOW REPO ADMIN TO SET GITCONFIG KEYS
+#
+# Gitolite allows you to set git repo options using the "config" keyword; see
+# conf/example.conf for details and syntax.
+#
+# However, if you are in an installation where the repo admin does not (and
+# should not) have shell access to the server, then allowing him to set
+# arbitrary repo config options *may* be a security risk -- some config
+# settings may allow executing arbitrary commands.
+#
+# You have 3 choices. By default $GL_GITCONFIG_KEYS is left empty, which
+# completely disables this feature (meaning you cannot set git configs from
+# the repo config).
+
+$GL_GITCONFIG_KEYS = "";
+
+# The second choice is to give it a space separated list of settings you
+# consider safe. (These are actually treated as a set of regular expression
+# patterns, and any one of them must match). For example:
+# $GL_GITCONFIG_KEYS = "core\.logAllRefUpdates core\..*compression";
+# allows repo admins to set one of those 3 config keys (yes, that second
+# pattern matches two settings from "man git-config", if you look)
+#
+# The third choice (which you may have guessed already if you're familiar with
+# regular expressions) is to allow anything and everything:
+# $GL_GITCONFIG_KEYS = ".*";
+
+# --------------------------------------
+# EXTERNAL COMMAND HELPER -- HTPASSWD
+
+# security note: runs an external command (htpasswd) with specific arguments,
+# including a user-chosen "password".
+
+# if you want to enable the "htpasswd" command, give this the absolute path to
+# whatever file apache (etc) expect to find the passwords in.
+
+$HTPASSWD_FILE = "";
+
+# Look in doc/3 ("easier to link gitweb authorisation with gitolite" section)
+# for more details on using this feature.
+
+# --------------------------------------
+# EXTERNAL COMMAND HELPER -- RSYNC
+
+# security note: runs an external command (rsync) with specific arguments, all
+# presumably filled in correctly by the client-side rsync.
+
+# base path of all the files that are accessible via rsync. Must be an
+# absolute path. Leave it undefined or set to the empty string to disable the
+# rsync helper.
+
+$RSYNC_BASE = "";
+
+# $RSYNC_BASE = "/home/git/up-down";
+# $RSYNC_BASE = "/tmp/up-down";
+
+# --------------------------------------
+# EXTERNAL COMMAND HELPER -- SVNSERVE
+
+# security note: runs an external command (svnserve) with specific arguments,
+# as specified below. %u is substituted with the username.
+
+# This setting allows launching svnserve when requested by the ssh client.
+# This allows using the same SSH setup (hostname/username/public key) for both
+# SVN and git access. Leave it undefined or set to the empty string to disable
+# svnserve access.
+
+$SVNSERVE = "";
+# $SVNSERVE = "/usr/bin/svnserve -r /var/svn/ -t --tunnel-user=%u";
+
+# --------------------------------------
+# ALLOW REPO CONFIG TO USE WILDCARDS
+
+# security note: this used to in a separate "wildrepos" branch. You can
+# create repositories based on wild cards, give "ownership" to the specific
+# user who created it, allow him/her to hand out R and RW permissions to other
+# users to collaborate, etc. This is powerful stuff, and I've made it as
+# secure as I can, but it hasn't had the kind of rigorous line-by-line
+# analysis that the old "master" branch had.
+
+# This has now been rolled into master, with all the functionality gated by
+# this variable. Set this to 1 if you want to enable the wildrepos features.
+# Please see doc/4-wildcard-repositories.mkd for details.
+
+$GL_WILDREPOS = 0;
+
+# --------------------------------------
+# DEFAULT WILDCARD PERMISSIONS
+
+# If set, this value will be used as the default user-level permission rule of
+# new wildcard repositories. The user can change this value with the setperms command
+# as desired after repository creation; it is only a default. Note that @all can be
+# used here but is special; no other groups can be used in user-level permissions.
+
+# $GL_WILDREPOS_DEFPERMS = 'R = @all';
+
+# --------------------------------------
+# HOOK CHAINING
+
+# by default, the update hook in every repo chains to "update.secondary".
+# Similarly, the post-update hook in the admin repo chains to
+# "post-update.secondary". If you're fine with the defaults, there's no need
+# to do anything here. However, if you want to use different names or paths,
+# change these variables
+
+# $UPDATE_CHAINS_TO = "hooks/update.secondary";
+# $ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
+
+# --------------------------------------
+# ADMIN DEFINED COMMANDS
+
+# WARNING: Use this feature only if (a) you really really know what you're
+# doing or (b) you really don't care too much about security. Please read
+# doc/admin-defined-commands.mkd for details.
+
+# $GL_ADC_PATH = "";
+
+# --------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
diff --git a/manifests/gitolite.pp b/manifests/gitolite.pp
index a2de08a..9bdf0f1 100644
--- a/manifests/gitolite.pp
+++ b/manifests/gitolite.pp
@@ -68,6 +68,24 @@ class gitolite inherits git {
require => User["gitolite"],
}
+ file { "/var/git/.gitolite.rc":
+ ensure => present,
+ owner => gitolite,
+ group => gitolite,
+ mode => 0644,
+ source => "puppet:///modules/git/gitolite.rc",
+ require => [ File['/var/git'], User['gitolite'] ],
+ }
+
+ file { "/var/git/projects.list":
+ ensure => present,
+ owner => gitolite,
+ group => gitolite,
+ mode => 0644,
+ require => [ File['/var/git'], User['gitolite'] ],
+ }
+
+
# mass update script
file { "/usr/local/sbin/git-mass-update-server-info":
ensure => present,