authorSilvio Rhatto <rhatto@riseup.net>2013-04-10 13:13:54 -0300
committerSilvio Rhatto <rhatto@riseup.net>2013-04-10 13:13:54 -0300
commit3b636391f7ea17d89f15a4ede65a82eeef44198b (patch)
tree0c25ae4bab7676e5fb2b685e1cb3529709b2b7f7 /manifests/instance.pp
parent6a1d968b0b695343e0e5e868720d6c329c55a611 (diff)
downloadpuppet-ikiwiki-3b636391f7ea17d89f15a4ede65a82eeef44198b.tar.gz
puppet-ikiwiki-3b636391f7ea17d89f15a4ede65a82eeef44198b.tar.bz2
Refactor to not use setuid and not bypass the git daemon
Diffstat (limited to 'manifests/instance.pp')
-rw-r--r--manifests/instance.pp53
1 files changed, 29 insertions, 24 deletions
diff --git a/manifests/instance.pp b/manifests/instance.pp
index 3c76365..f6c635f 100644
--- a/manifests/instance.pp
+++ b/manifests/instance.pp
@@ -1,7 +1,7 @@
define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description = false,
$adminuser = 'yourname', $adminemail = 'me@example.org', $instance = 'ikiwiki',
$account_creation_password = false, $add_plugins = false, $disable_plugins = false,
- $protocol = 'https') {
+ $protocol = 'https', $owner = $name, $group = $name) {
$desc = $description ? {
false => $title,
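Review bot: The new `$owner` and `$group` parameters default to `$name`, which silently turns the resource title into a Unix account and group name without the signature saying so; a comment above the `define` line such as `# $owner/$group: account and group that own the wiki checkout and CGI wrapper; default to the resource title, which presumably must already exist as a local user and group` would make that contract explicit. Both values are also handed to an `exec` command line and used as file ownership further down the file (outside this hunk), so they deserve a format check near the top of the body rather than being trusted as-is.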
@@ -13,23 +13,30 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
file { "/etc/ikiwiki/$name.setup":
ensure => present,
content => template('ikiwiki/ikiwiki.setup.erb'),
- owner => www-data,
- group => www-data,
+ owner => root,
+ group => $owner,
mode => 640,
notify => Exec["ikiwiki_refresh_${name}"],
}
- exec { "ikiwiki_refresh_${name}":
- command => "/usr/local/sbin/ikiwiki-refresh $name $instance",
+ exec { "ikiwiki_refresh_${name}_${instance}":
+ command => "/usr/local/sbin/ikiwiki-refresh $name $instance $owner $group",
user => root,
refreshonly => true,
}
-
+
+ exec { "ssh-keygen-ikiwiki-${name}_${instance}":
+ command => "ssh-keygen -t rsa -P '' -f ${ikiwiki::sites_folder}/${name}/.ssh/id_rsa":
+ creates => "${ikiwiki::sites_folder}/${name}/.ssh/id_rsa",
+ user => $owner,
+ group => $group,
+ }
+
if !defined(File["${ikiwiki::sites_folder}/${name}/${instance}_src"]) {
file { "${ikiwiki::sites_folder}/${name}/${instance}_src":
ensure => directory,
- owner => www-data,
- group => www-data,
+ owner => $owner,
+ group => $group,
recurse => true,
notify => Exec["ikiwiki_refresh_${name}"],
require => File["${ikiwiki::sites_folder}/${name}"],
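Review bot: The two `notify => Exec["ikiwiki_refresh_${name}"]` lines (on the setup file and on the `${instance}_src` directory) still point at the old exec title, but the exec is now titled `ikiwiki_refresh_${name}_${instance}`, so the catalog will fail to resolve that dependency; both should read `notify => Exec["ikiwiki_refresh_${name}_${instance}"],`. The new `ssh-keygen-ikiwiki-…` exec ends its `command` attribute with `:` instead of `,`, which is a parse error, and `ssh-keygen` is not a fully qualified command, so the line needs to become `command => "/usr/bin/ssh-keygen -t rsa -P '' -f ${ikiwiki::sites_folder}/${name}/.ssh/id_rsa",` (or the exec needs a `path` attribute). `$owner` and `$group` are interpolated unchecked into the `ikiwiki-refresh` command line; since they are caller-supplied, a guard before the exec such as `if $owner !~ /^[a-z_][a-z0-9_-]*$/ { fail("ikiwiki::instance: invalid owner ${owner}") }` (and the same for `$group`) keeps shell metacharacters out of the command. The `.ssh` directory the key is written into is not managed or required by anything in this hunk, so the exec presumably depends on it being created elsewhere — a `require` on that resource would make the ordering explicit. The define's body continues past this hunk.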
@@ -39,8 +46,8 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
if !defined(File["${ikiwiki::sites_folder}/${name}/${instance}"]) {
file { "${ikiwiki::sites_folder}/${name}/${instance}":
ensure => directory,
- owner => www-data,
- group => www-data,
+ owner => $owner,
+ group => $group,
recurse => true,
require => File["${ikiwiki::sites_folder}/${name}"],
}
@@ -54,21 +61,19 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
}
}
- # The post-update hook should have www-data as owner so
- # gitolite can do a setuid to it and write to ikiwiki
- # folders without messing the permission scheme.
- #
- # The same is valid for the cgi.
- #
- # See http://ikiwiki.info/rcs/git/
- # http://ikiwiki.info/forum/multi-user_setup_of_ikiwiki__44___gitolite_and_apache2_in_Debian_Sid/
- #
- file { [ "/var/git/repositories/${name}.git/hooks/post-update",
- "${ikiwiki::sites_folder}/${name}/${instance}/ikiwiki.cgi" ]:
+ file { "/var/git/repositories/${name}.git/hooks/post-update":
+ ensure => present,
+ owner => $ikiwiki::git_implementation,
+ group => $ikiwiki::git_implementation,
+ mode => 0755,
+ require => File["/etc/ikiwiki/$name.setup"],
+ }
+
+ file { "${ikiwiki::sites_folder}/${name}/${instance}/ikiwiki.cgi":
ensure => present,
- owner => www-data,
- group => gitolite,
- mode => 6550,
+ owner => $owner,
+ group => $group,
+ mode => 0550,
require => File["/etc/ikiwiki/$name.setup"],
}
}
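Review bot: `ikiwiki.cgi` is now `0550` owned by `$owner`/`$group` with the setuid bit dropped, so the web-server account can only execute it if it is a member of `$group`, and the wrapper then runs as the web-server user rather than `$owner`; unless the module adds that account to `$group` elsewhere (not visible here), CGI requests will fail with a permission error, and the wiki working tree would have to be writable by the web-server user for edits to work. The removed comment explained the old ownership model; a replacement where it stood, e.g. `# ikiwiki.cgi is no longer setuid: the web server must be a member of $group to execute it`, would document the new one. File modes are written inconsistently across the define (`640` earlier, `0755`/`0550` here); the Puppet style guide recommends four-digit quoted strings, `mode => '0755',` and `mode => '0550',`. `$ikiwiki::git_implementation` is used as both the user and the group of the post-update hook, which presumably relies on the chosen git implementation's package creating an account of that name — confirm that holds for every value the variable can take.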