author | Silvio Rhatto <rhatto@riseup.net> | 2013-04-10 13:13:54 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2013-04-10 13:13:54 -0300 |
commit | 3b636391f7ea17d89f15a4ede65a82eeef44198b (patch) | |
tree | 0c25ae4bab7676e5fb2b685e1cb3529709b2b7f7 /manifests | |
parent | 6a1d968b0b695343e0e5e868720d6c329c55a611 (diff) | |
Refactor to not use setuid and not bypass the git daemon
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/instance.pp | 53 |
1 files changed, 29 insertions, 24 deletions
diff --git a/manifests/instance.pp b/manifests/instance.pp
index 3c76365..f6c635f 100644
--- a/manifests/instance.pp
+++ b/manifests/instance.pp
@@ -1,7 +1,7 @@
 define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description = false, $adminuser = 'yourname', $adminemail = 'me@example.org', $instance = 'ikiwiki', $account_creation_password = false, $add_plugins = false, $disable_plugins = false,
- $protocol = 'https') {
+ $protocol = 'https', $owner = $name, $group = $name) {
 $desc = $description ? {
 false => $title,
@@ -13,23 +13,30 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
 file { "/etc/ikiwiki/$name.setup":
 ensure => present,
 content => template('ikiwiki/ikiwiki.setup.erb'),
- owner => www-data,
- group => www-data,
+ owner => root,
+ group => $owner,
 mode => 640,
 notify => Exec["ikiwiki_refresh_${name}"],
 }
 
- exec { "ikiwiki_refresh_${name}":
- command => "/usr/local/sbin/ikiwiki-refresh $name $instance",
+ exec { "ikiwiki_refresh_${name}_${instance}":
+ command => "/usr/local/sbin/ikiwiki-refresh $name $instance $owner $group",
 user => root,
 refreshonly => true,
 }
-
+
+ exec { "ssh-keygen-ikiwiki-${name}_${instance}":
+ command => "ssh-keygen -t rsa -P '' -f ${ikiwiki::sites_folder}/${name}/.ssh/id_rsa":
+ creates => "${ikiwiki::sites_folder}/${name}/.ssh/id_rsa",
+ user => $owner,
+ group => $group,
+ }
+
 if !defined(File["${ikiwiki::sites_folder}/${name}/${instance}_src"]) {
 file { "${ikiwiki::sites_folder}/${name}/${instance}_src":
 ensure => directory,
- owner => www-data,
- group => www-data,
+ owner => $owner,
+ group => $group,
 recurse => true,
 notify => Exec["ikiwiki_refresh_${name}"],
 require => File["${ikiwiki::sites_folder}/${name}"],
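Review bot: The exec is renamed to `ikiwiki_refresh_${name}_${instance}` in this hunk, but the two unchanged `notify => Exec["ikiwiki_refresh_${name}"],` lines (on the setup file and on the `_src` directory) still reference the old title, so the catalog will fail on an unresolved dependency; both should become `notify => Exec["ikiwiki_refresh_${name}_${instance}"],`. The new ssh-keygen exec has a stray colon after its command string (`…/.ssh/id_rsa":` should end in `",`), and `ssh-keygen` is neither fully qualified nor given a `path`, which Puppet rejects at apply time; `creates` also presupposes `${ikiwiki::sites_folder}/${name}/.ssh` exists, and nothing in this hunk creates it (it may be managed elsewhere — the define continues outside the hunk). A one-line comment above that exec stating what the passphrase-less key is for would help, since `-P ''` is a deliberate choice the reader cannot infer here. Finally, `$owner` and `$group` are now interpolated into the ikiwiki-refresh command string; if they can carry anything other than plain account names, a check on the define parameters that restricts them to `[a-z_][a-z0-9_-]*` would keep shell metacharacters out of the command.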
@@ -39,8 +46,8 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
 if !defined(File["${ikiwiki::sites_folder}/${name}/${instance}"]) {
 file { "${ikiwiki::sites_folder}/${name}/${instance}":
 ensure => directory,
- owner => www-data,
- group => www-data,
+ owner => $owner,
+ group => $group,
 recurse => true,
 require => File["${ikiwiki::sites_folder}/${name}"],
 }
@@ -54,21 +61,19 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
 }
 }
 
- # The post-update hook should have www-data as owner so
- # gitolite can do a setuid to it and write to ikiwiki
- # folders without messing the permission scheme.
- #
- # The same is valid for the cgi.
- #
- # See http://ikiwiki.info/rcs/git/
- # http://ikiwiki.info/forum/multi-user_setup_of_ikiwiki__44___gitolite_and_apache2_in_Debian_Sid/
- #
- file { [ "/var/git/repositories/${name}.git/hooks/post-update",
- "${ikiwiki::sites_folder}/${name}/${instance}/ikiwiki.cgi" ]:
+ file { "/var/git/repositories/${name}.git/hooks/post-update":
+ ensure => present,
+ owner => $ikiwiki::git_implementation,
+ group => $ikiwiki::git_implementation,
+ mode => 0755,
+ require => File["/etc/ikiwiki/$name.setup"],
+ }
+
+ file { "${ikiwiki::sites_folder}/${name}/${instance}/ikiwiki.cgi":
 ensure => present,
- owner => www-data,
- group => gitolite,
- mode => 6550,
+ owner => $owner,
+ group => $group,
+ mode => 0550,
 require => File["/etc/ikiwiki/$name.setup"],
 }
 }
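Review bot: In the last hunk `ikiwiki.cgi` becomes `0550` owned by `$owner:$group` with the setuid/setgid bits dropped, so only that user and group can execute it; unless the web server runs as `$owner` (suexec or similar) or is a member of `$group`, the CGI will fail with a permission error, and nothing in the diff states which of these is expected. The removed block was the only place documenting the hook/CGI permission scheme; replacing it with a short comment such as `# No setuid: the CGI runs as $owner, so the web server must execute it via suexec or be a member of $group` would keep that intent visible. The hook is now owned by `$ikiwiki::git_implementation` while the wiki directories are owned by `$owner`, so the hook presumably relies on ikiwiki-refresh running as root to cross that boundary — worth a one-line comment on the post-update resource as well.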