From 3fdbe1b0ba2d910aa3b5ca98a8fcb6117fe34276 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sun, 1 Sep 2013 20:17:21 -0300
Subject: Adding gitolite.rc for wheezy
---
files/gitolite.rc | 235 ----------------------------------------------
files/gitolite.rc.squeeze | 235 ++++++++++++++++++++++++++++++++++++++++++++++
files/gitolite.rc.wheezy | 96 +++++++++++++++++++
manifests/gitolite.pp | 2 +-
4 files changed, 332 insertions(+), 236 deletions(-)
delete mode 100644 files/gitolite.rc
create mode 100644 files/gitolite.rc.squeeze
create mode 100644 files/gitolite.rc.wheezy
diff --git a/files/gitolite.rc b/files/gitolite.rc
deleted file mode 100644
index 141d2b9..0000000
--- a/files/gitolite.rc
+++ /dev/null
@@ -1,235 +0,0 @@
-# paths and configuration variables for gitolite
-
-$GL_PACKAGE_CONF="/etc/gitolite";
-$GL_PACKAGE_HOOKS="/usr/share/gitolite/hooks";
-
-# please read comments before editing
-
-# this file is meant to be pulled into a perl program using "do" or "require".
-
-# You do NOT need to know perl to edit the paths; it should be fairly
-# self-explanatory and easy to maintain perl syntax :-)
-
-# --------------------------------------
-# Do not uncomment these values unless you know what you're doing
-# $GL_PACKAGE_CONF = "";
-# $GL_PACKAGE_HOOKS = "";
-
-# --------------------------------------
-
-# --------------------------------------
-
-# this is where the repos go. If you provide a relative path (not starting
-# with "/"), it's relative to your $HOME. You may want to put in something
-# like "/bigdisk" or whatever if your $HOME is too small for the repos, for
-# example
-
-$REPO_BASE="repositories";
-
-# the default umask for repositories is 0077; change this if you run stuff
-# like gitweb and find it can't read the repos. Please note the syntax; the
-# leading 0 is required
-
-# $REPO_UMASK = 0077; # gets you 'rwx------'
-# $REPO_UMASK = 0027; # gets you 'rwxr-x---'
-$REPO_UMASK = 0022; # gets you 'rwxr-xr-x'
-
-# part of the setup of gitweb is a variable called $projects_list (please see
-# gitweb documentation for more on this). Set this to the same value:
-
-$PROJECTS_LIST = $ENV{HOME} . "/projects.list";
-
-# --------------------------------------
-
-# I see no reason anyone may want to change the gitolite admin directory, but
-# feel free to do so. However, please note that it *must* be an *absolute*
-# path (i.e., starting with a "/" character)
-
-# gitolite admin directory, files, etc
-
-$GL_ADMINDIR=$ENV{HOME} . "/.gitolite";
-
-# --------------------------------------
-
-# templates for location of the log files and format of their names
-
-# I prefer this template (note the %y and %m placeholders)
-# it produces files like `~/.gitolite/logs/gitolite-2009-09.log`
-
-$GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m.log";
-
-# other choices are below, or you can make your own -- but PLEASE MAKE SURE
-# the directory exists and is writable; gitolite won't do that for you (unless
-# it is the default, which is "$GL_ADMINDIR/logs")
-
-# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m-%d.log";
-# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y.log";
-
-# --------------------------------------
-
-# Please DO NOT change these three paths
-
-$GL_CONF="$GL_ADMINDIR/conf/gitolite.conf";
-$GL_KEYDIR="$GL_ADMINDIR/keydir";
-$GL_CONF_COMPILED="$GL_ADMINDIR/conf/gitolite.conf-compiled.pm";
-
-# --------------------------------------
-
-# if git on your server is on a standard path (that is
-# ssh git@server git --version
-# works), leave this setting as is. Otherwise, choose one of the
-# alternatives, or write your own
-
-$GIT_PATH="";
-# $GIT_PATH="/opt/bin/";
-
-# --------------------------------------
-
-# ----------------------------------------------------------------------
-# BIG CONFIG SETTINGS
-
-# Please read doc/big-config.mkd for details
-
-$GL_BIG_CONFIG = 0;
-$GL_NO_DAEMON_NO_GITWEB = 0;
-$GL_NO_CREATE_REPOS = 0;
-$GL_NO_SETUP_AUTHKEYS = 0;
-
-# ----------------------------------------------------------------------
-# SECURITY SENSITIVE SETTINGS
-#
-# Settings below this point may have security implications. That
-# usually means that I have not thought hard enough about all the
-# possible ways to crack security if these settings are enabled.
-
-# Please see details on each setting for specifics, if any.
-# ----------------------------------------------------------------------
-
-
-
-# --------------------------------------
-# ALLOW REPO ADMIN TO SET GITCONFIG KEYS
-#
-# Gitolite allows you to set git repo options using the "config" keyword; see
-# conf/example.conf for details and syntax.
-#
-# However, if you are in an installation where the repo admin does not (and
-# should not) have shell access to the server, then allowing him to set
-# arbitrary repo config options *may* be a security risk -- some config
-# settings may allow executing arbitrary commands.
-#
-# You have 3 choices. By default $GL_GITCONFIG_KEYS is left empty, which
-# completely disables this feature (meaning you cannot set git configs from
-# the repo config).
-
-$GL_GITCONFIG_KEYS = "";
-
-# The second choice is to give it a space separated list of settings you
-# consider safe. (These are actually treated as a set of regular expression
-# patterns, and any one of them must match). For example:
-# $GL_GITCONFIG_KEYS = "core\.logAllRefUpdates core\..*compression";
-# allows repo admins to set one of those 3 config keys (yes, that second
-# pattern matches two settings from "man git-config", if you look)
-#
-# The third choice (which you may have guessed already if you're familiar with
-# regular expressions) is to allow anything and everything:
-# $GL_GITCONFIG_KEYS = ".*";
-
-# --------------------------------------
-# EXTERNAL COMMAND HELPER -- HTPASSWD
-
-# security note: runs an external command (htpasswd) with specific arguments,
-# including a user-chosen "password".
-
-# if you want to enable the "htpasswd" command, give this the absolute path to
-# whatever file apache (etc) expect to find the passwords in.
-
-$HTPASSWD_FILE = "";
-
-# Look in doc/3 ("easier to link gitweb authorisation with gitolite" section)
-# for more details on using this feature.
-
-# --------------------------------------
-# EXTERNAL COMMAND HELPER -- RSYNC
-
-# security note: runs an external command (rsync) with specific arguments, all
-# presumably filled in correctly by the client-side rsync.
-
-# base path of all the files that are accessible via rsync. Must be an
-# absolute path. Leave it undefined or set to the empty string to disable the
-# rsync helper.
-
-$RSYNC_BASE = "";
-
-# $RSYNC_BASE = "/home/git/up-down";
-# $RSYNC_BASE = "/tmp/up-down";
-
-# --------------------------------------
-# EXTERNAL COMMAND HELPER -- SVNSERVE
-
-# security note: runs an external command (svnserve) with specific arguments,
-# as specified below. %u is substituted with the username.
-
-# This setting allows launching svnserve when requested by the ssh client.
-# This allows using the same SSH setup (hostname/username/public key) for both
-# SVN and git access. Leave it undefined or set to the empty string to disable
-# svnserve access.
-
-$SVNSERVE = "";
-# $SVNSERVE = "/usr/bin/svnserve -r /var/svn/ -t --tunnel-user=%u";
-
-# --------------------------------------
-# ALLOW REPO CONFIG TO USE WILDCARDS
-
-# security note: this used to in a separate "wildrepos" branch. You can
-# create repositories based on wild cards, give "ownership" to the specific
-# user who created it, allow him/her to hand out R and RW permissions to other
-# users to collaborate, etc. This is powerful stuff, and I've made it as
-# secure as I can, but it hasn't had the kind of rigorous line-by-line
-# analysis that the old "master" branch had.
-
-# This has now been rolled into master, with all the functionality gated by
-# this variable. Set this to 1 if you want to enable the wildrepos features.
-# Please see doc/4-wildcard-repositories.mkd for details.
-
-$GL_WILDREPOS = 0;
-
-# --------------------------------------
-# DEFAULT WILDCARD PERMISSIONS
-
-# If set, this value will be used as the default user-level permission rule of
-# new wildcard repositories. The user can change this value with the setperms command
-# as desired after repository creation; it is only a default. Note that @all can be
-# used here but is special; no other groups can be used in user-level permissions.
-
-# $GL_WILDREPOS_DEFPERMS = 'R = @all';
-
-# --------------------------------------
-# HOOK CHAINING
-
-# by default, the update hook in every repo chains to "update.secondary".
-# Similarly, the post-update hook in the admin repo chains to
-# "post-update.secondary". If you're fine with the defaults, there's no need
-# to do anything here. However, if you want to use different names or paths,
-# change these variables
-
-# $UPDATE_CHAINS_TO = "hooks/update.secondary";
-# $ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
-
-# --------------------------------------
-# ADMIN DEFINED COMMANDS
-
-# WARNING: Use this feature only if (a) you really really know what you're
-# doing or (b) you really don't care too much about security. Please read
-# doc/admin-defined-commands.mkd for details.
-
-# $GL_ADC_PATH = "";
-
-# --------------------------------------
-# per perl rules, this should be the last line in such a file:
-1;
-
-# Local variables:
-# mode: perl
-# End:
-# vim: set syn=perl:
diff --git a/files/gitolite.rc.squeeze b/files/gitolite.rc.squeeze
new file mode 100644
index 0000000..141d2b9
--- /dev/null
+++ b/files/gitolite.rc.squeeze
@@ -0,0 +1,235 @@
+# paths and configuration variables for gitolite
+
+$GL_PACKAGE_CONF="/etc/gitolite";
+$GL_PACKAGE_HOOKS="/usr/share/gitolite/hooks";
+
+# please read comments before editing
+
+# this file is meant to be pulled into a perl program using "do" or "require".
+
+# You do NOT need to know perl to edit the paths; it should be fairly
+# self-explanatory and easy to maintain perl syntax :-)
+
+# --------------------------------------
+# Do not uncomment these values unless you know what you're doing
+# $GL_PACKAGE_CONF = "";
+# $GL_PACKAGE_HOOKS = "";
+
+# --------------------------------------
+
+# --------------------------------------
+
+# this is where the repos go. If you provide a relative path (not starting
+# with "/"), it's relative to your $HOME. You may want to put in something
+# like "/bigdisk" or whatever if your $HOME is too small for the repos, for
+# example
+
+$REPO_BASE="repositories";
+
+# the default umask for repositories is 0077; change this if you run stuff
+# like gitweb and find it can't read the repos. Please note the syntax; the
+# leading 0 is required
+
+# $REPO_UMASK = 0077; # gets you 'rwx------'
+# $REPO_UMASK = 0027; # gets you 'rwxr-x---'
+$REPO_UMASK = 0022; # gets you 'rwxr-xr-x'
+
+# part of the setup of gitweb is a variable called $projects_list (please see
+# gitweb documentation for more on this). Set this to the same value:
+
+$PROJECTS_LIST = $ENV{HOME} . "/projects.list";
+
+# --------------------------------------
+
+# I see no reason anyone may want to change the gitolite admin directory, but
+# feel free to do so. However, please note that it *must* be an *absolute*
+# path (i.e., starting with a "/" character)
+
+# gitolite admin directory, files, etc
+
+$GL_ADMINDIR=$ENV{HOME} . "/.gitolite";
+
+# --------------------------------------
+
+# templates for location of the log files and format of their names
+
+# I prefer this template (note the %y and %m placeholders)
+# it produces files like `~/.gitolite/logs/gitolite-2009-09.log`
+
+$GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m.log";
+
+# other choices are below, or you can make your own -- but PLEASE MAKE SURE
+# the directory exists and is writable; gitolite won't do that for you (unless
+# it is the default, which is "$GL_ADMINDIR/logs")
+
+# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m-%d.log";
+# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y.log";
+
+# --------------------------------------
+
+# Please DO NOT change these three paths
+
+$GL_CONF="$GL_ADMINDIR/conf/gitolite.conf";
+$GL_KEYDIR="$GL_ADMINDIR/keydir";
+$GL_CONF_COMPILED="$GL_ADMINDIR/conf/gitolite.conf-compiled.pm";
+
+# --------------------------------------
+
+# if git on your server is on a standard path (that is
+# ssh git@server git --version
+# works), leave this setting as is. Otherwise, choose one of the
+# alternatives, or write your own
+
+$GIT_PATH="";
+# $GIT_PATH="/opt/bin/";
+
+# --------------------------------------
+
+# ----------------------------------------------------------------------
+# BIG CONFIG SETTINGS
+
+# Please read doc/big-config.mkd for details
+
+$GL_BIG_CONFIG = 0;
+$GL_NO_DAEMON_NO_GITWEB = 0;
+$GL_NO_CREATE_REPOS = 0;
+$GL_NO_SETUP_AUTHKEYS = 0;
+
+# ----------------------------------------------------------------------
+# SECURITY SENSITIVE SETTINGS
+#
+# Settings below this point may have security implications. That
+# usually means that I have not thought hard enough about all the
+# possible ways to crack security if these settings are enabled.
+
+# Please see details on each setting for specifics, if any.
+# ----------------------------------------------------------------------
+
+
+
+# --------------------------------------
+# ALLOW REPO ADMIN TO SET GITCONFIG KEYS
+#
+# Gitolite allows you to set git repo options using the "config" keyword; see
+# conf/example.conf for details and syntax.
+#
+# However, if you are in an installation where the repo admin does not (and
+# should not) have shell access to the server, then allowing him to set
+# arbitrary repo config options *may* be a security risk -- some config
+# settings may allow executing arbitrary commands.
+#
+# You have 3 choices. By default $GL_GITCONFIG_KEYS is left empty, which
+# completely disables this feature (meaning you cannot set git configs from
+# the repo config).
+
+$GL_GITCONFIG_KEYS = "";
+
+# The second choice is to give it a space separated list of settings you
+# consider safe. (These are actually treated as a set of regular expression
+# patterns, and any one of them must match). For example:
+# $GL_GITCONFIG_KEYS = "core\.logAllRefUpdates core\..*compression";
+# allows repo admins to set one of those 3 config keys (yes, that second
+# pattern matches two settings from "man git-config", if you look)
+#
+# The third choice (which you may have guessed already if you're familiar with
+# regular expressions) is to allow anything and everything:
+# $GL_GITCONFIG_KEYS = ".*";
+
+# --------------------------------------
+# EXTERNAL COMMAND HELPER -- HTPASSWD
+
+# security note: runs an external command (htpasswd) with specific arguments,
+# including a user-chosen "password".
+
+# if you want to enable the "htpasswd" command, give this the absolute path to
+# whatever file apache (etc) expect to find the passwords in.
+
+$HTPASSWD_FILE = "";
+
+# Look in doc/3 ("easier to link gitweb authorisation with gitolite" section)
+# for more details on using this feature.
+
+# --------------------------------------
+# EXTERNAL COMMAND HELPER -- RSYNC
+
+# security note: runs an external command (rsync) with specific arguments, all
+# presumably filled in correctly by the client-side rsync.
+
+# base path of all the files that are accessible via rsync. Must be an
+# absolute path. Leave it undefined or set to the empty string to disable the
+# rsync helper.
+
+$RSYNC_BASE = "";
+
+# $RSYNC_BASE = "/home/git/up-down";
+# $RSYNC_BASE = "/tmp/up-down";
+
+# --------------------------------------
+# EXTERNAL COMMAND HELPER -- SVNSERVE
+
+# security note: runs an external command (svnserve) with specific arguments,
+# as specified below. %u is substituted with the username.
+
+# This setting allows launching svnserve when requested by the ssh client.
+# This allows using the same SSH setup (hostname/username/public key) for both
+# SVN and git access. Leave it undefined or set to the empty string to disable
+# svnserve access.
+
+$SVNSERVE = "";
+# $SVNSERVE = "/usr/bin/svnserve -r /var/svn/ -t --tunnel-user=%u";
+
+# --------------------------------------
+# ALLOW REPO CONFIG TO USE WILDCARDS
+
+# security note: this used to in a separate "wildrepos" branch. You can
+# create repositories based on wild cards, give "ownership" to the specific
+# user who created it, allow him/her to hand out R and RW permissions to other
+# users to collaborate, etc. This is powerful stuff, and I've made it as
+# secure as I can, but it hasn't had the kind of rigorous line-by-line
+# analysis that the old "master" branch had.
+
+# This has now been rolled into master, with all the functionality gated by
+# this variable. Set this to 1 if you want to enable the wildrepos features.
+# Please see doc/4-wildcard-repositories.mkd for details.
+
+$GL_WILDREPOS = 0;
+
+# --------------------------------------
+# DEFAULT WILDCARD PERMISSIONS
+
+# If set, this value will be used as the default user-level permission rule of
+# new wildcard repositories. The user can change this value with the setperms command
+# as desired after repository creation; it is only a default. Note that @all can be
+# used here but is special; no other groups can be used in user-level permissions.
+
+# $GL_WILDREPOS_DEFPERMS = 'R = @all';
+
+# --------------------------------------
+# HOOK CHAINING
+
+# by default, the update hook in every repo chains to "update.secondary".
+# Similarly, the post-update hook in the admin repo chains to
+# "post-update.secondary". If you're fine with the defaults, there's no need
+# to do anything here. However, if you want to use different names or paths,
+# change these variables
+
+# $UPDATE_CHAINS_TO = "hooks/update.secondary";
+# $ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
+
+# --------------------------------------
+# ADMIN DEFINED COMMANDS
+
+# WARNING: Use this feature only if (a) you really really know what you're
+# doing or (b) you really don't care too much about security. Please read
+# doc/admin-defined-commands.mkd for details.
+
+# $GL_ADC_PATH = "";
+
+# --------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
diff --git a/files/gitolite.rc.wheezy b/files/gitolite.rc.wheezy
new file mode 100644
index 0000000..a6b5da3
--- /dev/null
+++ b/files/gitolite.rc.wheezy
@@ -0,0 +1,96 @@
+# configuration variables for gitolite
+
+# PLEASE READ THE DOCUMENTATION BEFORE EDITING OR ASKING QUESTIONS
+# ( http://github.com/sitaramc/gitolite/blob/pu/doc/gitolite.rc.mkd )
+# ( or http://sitaramc.github.com/gitolite/doc/gitolite.rc.html )
+
+# this file is in perl syntax. However, you do NOT need to know perl to edit
+# it; it should be fairly self-explanatory and easy to maintain
+
+# ------------------------------------------------------------------------------
+# DO NOT TOUCH THIS SECTION!
+# ------------------------------------------------------------------------------
+
+$GL_ADMINDIR=$ENV{HOME} . "/.gitolite";
+$GL_CONF="$GL_ADMINDIR/conf/gitolite.conf";
+$GL_KEYDIR="$GL_ADMINDIR/keydir";
+$GL_CONF_COMPILED="$GL_ADMINDIR/conf/gitolite.conf-compiled.pm";
+
+# DO NOT CHANGE THE NEXT FOUR LINES UNLESS YOU REALLY KNOW WHAT YOU'RE DOING.
+# These variables are set automatically by the install method you choose.
+# (PACKAGE MAINTAINERS: PLEASE READ doc/packaging.mkd)
+$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
+$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
+
+# ------------------------------------------------------------------------------
+# most often used/changed variables
+# ------------------------------------------------------------------------------
+$GL_WILDREPOS = 0;
+$PROJECTS_LIST = $ENV{HOME} . "/projects.list";
+# $WEB_INTERFACE = "gitweb";
+# $GITWEB_URI_ESCAPE = 0;
+$REPO_UMASK = 0077;
+
+# ------------------------------------------------------------------------------
+# variables with an efficiency/performance impact
+# ------------------------------------------------------------------------------
+$GL_BIG_CONFIG = 0;
+$GL_NO_DAEMON_NO_GITWEB = 0;
+# $GL_NICE_VALUE = 0;
+# $BIG_INFO_CAP = 20;
+
+# ------------------------------------------------------------------------------
+# VARIABLES WITH A SECURITY IMPACT. READ DOCS BEFORE CHANGING THESE!
+# http://github.com/sitaramc/gitolite/blob/pu/doc/gitolite.rc.mkd#_variables_with_a_security_impact
+# (or http://sitaramc.github.com/gitolite/doc/gitolite.rc.html#_variables_with_a_security_impact)
+# ------------------------------------------------------------------------------
+# $GL_ALL_READ_ALL = 0;
+$GIT_PATH="";
+$GL_GITCONFIG_KEYS = "";
+$GL_NO_CREATE_REPOS = 0;
+$GL_NO_SETUP_AUTHKEYS = 0;
+# $GL_WILDREPOS_DEFPERMS = 'R @all';
+$HTPASSWD_FILE = "";
+$RSYNC_BASE = "";
+$SVNSERVE = "";
+# $UPDATE_CHAINS_TO = "hooks/update.secondary";
+# $ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
+# $GL_ADC_PATH = "";
+# $GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
+# $GL_HTTP_ANON_USER = "mob";
+# $GL_REF_OR_FILENAME_PATT=qr(^[0-9a-zA-Z][0-9a-zA-Z._\@/+ :,-]*$);
+
+# ------------------------------------------------------------------------------
+# less used/changed variables
+# ------------------------------------------------------------------------------
+# $GL_ALL_INCLUDES_SPECIAL = 0;
+# $GL_SLAVE_MODE = 0;
+# $ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
+# PLEASE USE SINGLE QUOTES ABOVE, NOT DOUBLE QUOTES
+$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
+# $GL_SITE_INFO = "XYZ.COM DEVELOPERS: PLEASE SEE http://xyz.com/gitolite/help first";
+# $GL_HOSTNAME = "frodo"; # read doc/mirroring.mkd COMPLETELY before setting this
+
+# ------------------------------------------------------------------------------
+# rarely changed variables
+# ------------------------------------------------------------------------------
+$GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m.log";
+# $GL_PERFLOGT="$GL_ADMINDIR/logs/perf-gitolite-%y-%m.log";
+
+# ------------------------------------------------------------------------------
+# variables that should NOT be changed after the install step completes
+# ------------------------------------------------------------------------------
+$REPO_BASE="repositories";
+
+# ------------------------------------------------------------------------------
+# DO NOT TOUCH ANY THING AFTER THIS LINE
+# ------------------------------------------------------------------------------
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
diff --git a/manifests/gitolite.pp b/manifests/gitolite.pp
index 9bdf0f1..68d655e 100644
--- a/manifests/gitolite.pp
+++ b/manifests/gitolite.pp
@@ -73,7 +73,7 @@ class gitolite inherits git {
 owner => gitolite,
 group => gitolite,
 mode => 0644,
- source => "puppet:///modules/git/gitolite.rc",
+ source => "puppet:///modules/git/gitolite.rc.${::lsbdistcodename}",
 require => [ File['/var/git'], User['gitolite'] ],
 }
--
cgit v1.2.3
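Review bot: `$REPO_UMASK = 0077;` in the new wheezy file is not the value the module ships for squeeze (`0022` in gitolite.rc.squeeze), so the same class now produces owner-only repositories on wheezy and world-readable ones on squeeze. Both files also set `$PROJECTS_LIST`, which suggests gitweb is expected to read the repositories; with 0077 a gitweb or git-daemon running as another user presumably cannot. If the tighter mask is intended, a comment above the line would record it, for example `# 0077 on purpose: repos readable by the gitolite user only (the squeeze file still uses 0022)`. Otherwise the two files should carry the same mask.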
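Review bot: The new `source` value depends on `${::lsbdistcodename}`, and only `gitolite.rc.squeeze` and `gitolite.rc.wheezy` exist after this commit, so a node with any other codename, or one where the fact is unset (on Debian it presumably needs lsb-release installed), gets a source URL that matches no file and the gitolite.rc resource fails to apply. Because this file carries gitolite's security-sensitive settings, an explicit fallback is safer than a failed run that leaves whatever rc was on disk: `source => [ "puppet:///modules/git/gitolite.rc.${::lsbdistcodename}", "puppet:///modules/git/gitolite.rc.wheezy" ],` (Puppet uses the first source that exists; which file is the right default is the author's call). The file resource starts above the hunk, so its title and target path are not visible here.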