From 03eced123918e226abd0dc2bea98e5969427a2ce Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sun, 1 Nov 2015 19:01:42 +0200
Subject: [PATCH] Update meta, README. remove requirements.txt (wasn't needed,
 not a Python project). Add backup job, dedicated Apache site, configure
 firewall.

---
 README.rst                 |   9 +--
 meta/main.yml              | 131 ++-----------------------------------
 requirements.txt           |   1 -
 tasks/main.yml             |  53 +++++++++++----
 templates/cgit-css.conf.j2 |   1 -
 templates/cgit.conf.j2     |  13 ++++
 templates/cgit.j2          |   3 +
 7 files changed, 66 insertions(+), 145 deletions(-)
 delete mode 100644 requirements.txt
 delete mode 100644 templates/cgit-css.conf.j2
 create mode 100644 templates/cgit.conf.j2
 create mode 100644 templates/cgit.j2

diff --git a/README.rst b/README.rst
index c41da38..e6fcc14 100644
--- a/README.rst
+++ b/README.rst
@@ -10,14 +10,14 @@ Debian Jessie.
 
 Role Variables
 --------------
+::
 
-git_directory: The directory to be created and used for all git repositories
-served.
+    git_directory: /srv/git #The directory to be created and used for all git repositories served.
 
 Dependencies
 ------------
 
-None.
+The common role from https://www.shore.co.il/cgit/ansible-common/
 
 Example Playbook
 ----------------
@@ -49,6 +49,7 @@ Repository is located at: https://www.shore.co.il/cgit/ansible-cgit
 todo
 ----
 
-- File a bug in Debian for using the wrong location of rst2html.
 - Add pre-commit hooks.
 - Consider adding gitolite.
+- Output log (cgit?, apache) to syslog.
+- Collectd metrics.
diff --git a/meta/main.yml b/meta/main.yml
index 36fffcc..a8e0051 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,138 +1,15 @@
 ---
 galaxy_info:
   author: Nimrod Adar
-  description: cgit
+  description: cgit provisioning for Debian Jessie.
   company: Shore technologies
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
-  # issue_tracker_url: http://example.com/issue/tracker
-  # Some suggested licenses:
-  # - BSD (default)
-  # - MIT
-  # - GPLv2
-  # - GPLv3
-  # - Apache
-  # - CC-BY
   license: MIT
   min_ansible_version: 1.2
-  #
-  # Below are all platforms currently available. Just uncomment
-  # the ones that apply to your role. If you don't see your
-  # platform on this list, let us know and we'll get it added!
-  #
   platforms:
-  #- name: EL
-  #  versions:
-  #  - all
-  #  - 5
-  #  - 6
-  #  - 7
-  #- name: GenericUNIX
-  #  versions:
-  #  - all
-  #  - any
-  #- name: Fedora
-  #  versions:
-  #  - all
-  #  - 16
-  #  - 17
-  #  - 18
-  #  - 19
-  #  - 20
-  #  - 21
-  #  - 22
-  #- name: Windows
-  #  versions:
-  #  - all
-  #  - 2012R2
-  #- name: SmartOS
-  #  versions:
-  #  - all
-  #  - any
-  #- name: opensuse
-  #  versions:
-  #  - all
-  #  - 12.1
-  #  - 12.2
-  #  - 12.3
-  #  - 13.1
-  #  - 13.2
-  #- name: Amazon
-  #  versions:
-  #  - all
-  #  - 2013.03
-  #  - 2013.09
-  #- name: GenericBSD
-  #  versions:
-  #  - all
-  #  - any
-  #- name: FreeBSD
-  #  versions:
-  #  - all
-  #  - 8.0
-  #  - 8.1
-  #  - 8.2
-  #  - 8.3
-  #  - 8.4
-  #  - 9.0
-  #  - 9.1
-  #  - 9.1
-  #  - 9.2
-  #- name: Ubuntu
-  #  versions:
-  #  - all
-  #  - lucid
-  #  - maverick
-  #  - natty
-  #  - oneiric
-  #  - precise
-  #  - quantal
-  #  - raring
-  #  - saucy
-  #  - trusty
-  #  - utopic
-  #  - vivid
-  #- name: SLES
-  #  versions:
-  #  - all
-  #  - 10SP3
-  #  - 10SP4
-  #  - 11
-  #  - 11SP1
-  #  - 11SP2
-  #  - 11SP3
-  #- name: GenericLinux
-  #  versions:
-  #  - all
-  #  - any
   - name: Debian
     versions:
-  #  - all
-  #  - etch
     - jessie
-  #  - lenny
-  #  - squeeze
-  #  - wheezy
-  #
-  # Below are all categories currently available. Just as with
-  # the platforms above, uncomment those that apply to your role.
-  #
-  #categories:
-  #- cloud
-  #- cloud:ec2
-  #- cloud:gce
-  #- cloud:rax
-  #- clustering
-  #- database
-  #- database:nosql
-  #- database:sql
-  #- development
-  #- monitoring
-  #- networking
-  #- packaging
-  #- system
-  #- web
+  categories:
+  - development
+  - system
 dependencies: []
-  # List your role dependencies here, one per line.
-  # Be sure to remove the '[]' above if you add dependencies
-  # to this list.
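Review bot: `dependencies: []` stays empty although the README changed in this same commit names the common role as a dependency, and the new Apache site template reads `internal_tls_cert` and `internal_tls_key`, which this role neither defines nor documents. If the common role is expected to run first and supply those variables, that contract should be recorded here (or in defaults/README) so a run without it fails with a clear message instead of an undefined-variable error at template time. A one-line comment above `dependencies:` such as `# Requires the common role (provides internal_tls_cert/internal_tls_key); applied separately, not via Galaxy` would at least make the intent explicit.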
diff --git a/requirements.txt b/requirements.txt
deleted file mode 100644
index 416634f..0000000
--- a/requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-pre-commit
diff --git a/tasks/main.yml b/tasks/main.yml
index a579775..3ffec81 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,6 +1,7 @@
 ---
 # tasks file for ansible-cgit
-- name: Install packages
+
+- name: apt install
   apt:
       name: '{{ item }}'
       state: present
@@ -11,21 +12,34 @@
       - git
       - apache2
       - python-docutils
+      - cron
 
-- name: Enable mod-cgi
-  notify:
-      - Restart Apache
+- name: Enable Apache modules
   apache2_module:
-      name: cgi
+      name: '{{ item }}'
       state: present
+  notify:
+      - Restart Apache
+  with_items:
+    - cgi
+    - ssl
+
+- name: Disable default Apache site
+  file:
+    path: /etc/apache2/sites-enabled/000-default.conf
+    state: absent
+  notify:
+    - Restart Apache
 
-- name: Add configuration for cgit css
+- name: Add cgit Apache site
   template:
-      src: cgit-css.conf.j2
-      dest: /etc/apache2/conf-enabled/cgit-css.conf
-      owner: root
-      group: root
-      mode: '0644'
+    src: cgit.conf.j2
+    dest: /etc/apache2/sites-enabled/cgit.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - Restart Apache
 
 - name: Create git repostories directory
   file:
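Review bot: The new tasks in this hunk indent module arguments and list items by two spaces (`file:` / `path:`, `with_items:` / `- cgi`) while the surrounding tasks use six (`apt:` / `name:`, `notify:` / `- Restart Apache`), so the file now mixes two indentation styles; pick one file-wide. Templating `cgit.conf` straight into `/etc/apache2/sites-enabled/` and deleting `000-default.conf` there works, but the Debian convention is to write to `sites-available/` and manage the `sites-enabled/` symlink, which keeps `a2ensite`/`a2dissite` usable by hand. Removing the default site also does not stop Apache listening on port 80 (Debian's `ports.conf` does that by default), so what answers on 80 after this change depends on the main server config and on whatever firewall policy is set elsewhere — a comment on the `Disable default Apache site` task stating the intended outcome for port 80 would help. The `Create git repostories directory` task continues outside the hunk.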
@@ -35,7 +49,8 @@
       mode: '0777'
       state: directory
 
-- name: Add symlink for rst2html (hack)
+- name: Add symlink for rst2html (hack, fixed in Stretch)
+  when: ansible_distribution_major_version < 9
   file:
       src: /usr/share/docutils/scripts/python2/rst2html
       dest: /usr/local/bin/rst2html.py
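Review bot: `when: ansible_distribution_major_version < 9` compares a fact Ansible reports as a string against an integer; in CPython 2 numbers order before strings, so the expression is false for every value and the symlink task is skipped even on Jessie, and under Python 3 the comparison raises a TypeError. Cast before comparing: `when: ansible_distribution_major_version|int < 9`. The guarded `file:` task continues outside the hunk.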
@@ -91,3 +106,17 @@
       - line: 'readme=:install.txt'
       - line: 'readme=:INSTALL'
       - line: 'readme=:install'
+
+- name: Configure firewall
+  ufw:
+    rule: allow
+    port: 443
+    proto: tcp
+
+- name: Add daily backup job
+  template:
+    src: cgit.j2
+    dest: /etc/cron.daily/cgit
+    owner: root
+    group: root
+    mode: '0755'
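Review bot: The `Configure firewall` task only adds an allow rule for 443/tcp; nothing in this commit enables ufw or sets its default policy, so on a host where the common role does not already do that the rule has no effect, and where it does, whether port 80 stays reachable is decided there rather than here. State the assumption next to the task, e.g. `# ufw is enabled with default deny by the common role (see README dependencies)`, or have this role enable it explicitly via the `ufw` module's `state: enabled` and `policy: deny`. The backup job is fine as a `cron.daily` drop-in with mode 0755, but it runs as root and the archive it writes inherits cron's umask; that is best handled inside the script template rather than here.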
diff --git a/templates/cgit-css.conf.j2 b/templates/cgit-css.conf.j2
deleted file mode 100644
index 32fa166..0000000
--- a/templates/cgit-css.conf.j2
+++ /dev/null
@@ -1 +0,0 @@
-Alias /cgit/css "/usr/share/cgit/"
diff --git a/templates/cgit.conf.j2 b/templates/cgit.conf.j2
new file mode 100644
index 0000000..502ccc0
--- /dev/null
+++ b/templates/cgit.conf.j2
@@ -0,0 +1,13 @@
+<VirtualHost _default_:443>
+    DocumentRoot            /usr/share/cgit
+    Alias                   /css "/usr/share/cgit"
+    SSLEngine               on
+    SSLCertificateFile      {{ internal_tls_cert }}
+    SSLCertificateKeyFile   {{ internal_tls_key }}
+    SSLProtocol             all -SSLv2 -SSLv3
+    SSLCipherSuite          !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+    SSLHonorCipherOrder     on
+    SSLCompression          off
+    ErrorLog                ${APACHE_LOG_DIR}/error.log
+    CustomLog               ${APACHE_LOG_DIR}/access.log combined
+</virtualHost>
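Review bot: The `SSLCipherSuite` line ends with `;`, which is not an OpenSSL cipher-list separator, so the last token reaches OpenSSL as `+SHA1;`; depending on the OpenSSL version that token is either silently ignored (losing the intended move-SHA1-to-the-end ordering) or rejected, so drop it: `SSLCipherSuite          !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1`. `</virtualHost>` should be `</VirtualHost>`; Apache matches section names case-insensitively, but the mismatch reads as a typo. `internal_tls_cert` and `internal_tls_key` are not variables this role defines or documents, so a header comment naming their origin (presumably the common role) would save the next reader a search. `SSLProtocol all -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled; if that is deliberate for the clients in scope, say so in a comment so it is revisited rather than inherited.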
diff --git a/templates/cgit.j2 b/templates/cgit.j2
new file mode 100644
index 0000000..aa8ef8a
--- /dev/null
+++ b/templates/cgit.j2
@@ -0,0 +1,3 @@
+#!/bin/sh -e
+cd {{ git_directory|dirname }}
+tar -cf /var/backups/git.tar.gz {{ git_directory|basename }}
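Review bot: `tar -cf /var/backups/git.tar.gz` writes an uncompressed archive under a `.tar.gz` name, because `-c -f` alone never compresses; use `-czf` or rename the target. The script also overwrites the only copy in place, so a tar failure mid-run (after which `sh -e` aborts) leaves a truncated archive and no previous good one, and it neither quotes the templated path nor restricts the archive's permissions, so the file is created with cron's default umask. Writing to a temporary name, renaming on success and setting `umask 077` first addresses all three; whether `/var/backups` is the right place for what may be a sizeable tree I cannot judge from the diff.
```shell
#!/bin/sh -e
umask 077
cd "{{ git_directory|dirname }}"
tar -czf /var/backups/git.tar.gz.tmp "{{ git_directory|basename }}"
mv -f /var/backups/git.tar.gz.tmp /var/backups/git.tar.gz
```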
-- 
GitLab