From: Matt Birkholz Date: Fri, 2 Jan 2026 21:37:39 +0000 (-0700) Subject: Move git-daemon config out of /var/www/. Use ~gitd~, a normal user. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=19e4449775b938fb2d6dab4e7aa4507489424dbe;p=Network.git Move git-daemon config out of /var/www/. Use ~gitd~, a normal user. Keep git-daemon config in /home/gitd/. Punt system user ~gitdaemon~. --- diff --git a/README.org b/README.org index ab4700e..ed5c6fc 100644 --- a/README.org +++ b/README.org 
@@ -195,28 +195,27 @@ User repositories are enabled by adding a ~--user-path~ option /and/ specifying an empty whitelist (i.e., no directories listed on the command line). -The ~git daemon~ is run as an unprivileged system user: ~gitdaemon~. -Thus it has access to anything world readable. However ~git~ must be -willing to forgive the fact that ~gitdaemon~ does not /own/ any of the -repositories it is serving. To accomplish this, ~gitdaemon~ gets a -home directory, =/var/www/git/daemon/=, in which is installed a -configuration just like that installed by ~git config --global --add -safe.directory \*~. +The ~git daemon~ is run as an unprivileged system user: ~gitd~. Thus +it has access to anything world readable. However ~git~ must be +willing to forgive the fact that ~gitd~ does not /own/ any of the +repositories it is serving. To accomplish this, ~gitd~ gets a home +directory, =/home/gitd/=, in which is installed a =.gitconfig= created +by a ~git config --global --add safe.directory \*~ command. The code below is included in both Front and Core configurations, -which should be nearly identical for testing purposes. Rather than +which should be (nearly) identical for testing purposes. Rather than factor out small roles like ~abbey-git-server~, Emacs Org Mode's Noweb support does the duplication, by multiple references to code blocks -like ~git-tasks~ and ~git-handlers~. +like ~gitd-tasks~ and ~gitd-handlers~. #+CAPTION: [[file:roles_t/abbey-front/tasks/main.yml][=roles_t/abbey-front/tasks/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/abbey-front/tasks/main.yml :noweb no-export -<> +<> #+END_SRC -#+NAME: git-tasks -#+CAPTION: ~git-tasks~ +#+NAME: gitd-tasks +#+CAPTION: ~gitd-tasks~ #+BEGIN_SRC conf - name: Install git. become: yes 
@@ -230,34 +229,23 @@ like ~git-tasks~ and ~git-handlers~. group: staff mode: u=rwx,g=srwx,o=rx -- name: Create user gitdaemon. +- name: Create user gitd. become: yes user: - name: gitdaemon - group: gitdaemon - system: true + name: gitd password: "!" - home: /var/www/git/daemon + home: /home/gitd shell: /usr/bin/git-shell -- name: Create /var/www/git/daemon/. - become: yes - file: - path: /var/www/git/daemon - state: directory - user: gitdaemon - group: gitdaemon - mode: u=rwx,g=rx,o=rx - -- name: Create /var/www/git/daemon/.gitconfig. +- name: Create /home/gitd/.gitconfig. become: yes copy: content: | [safe] directory = * - dest: /var/www/git/daemon/.gitconfig - user: gitdaemon - group: gitdaemon + dest: /home/gitd/.gitconfig + owner: gitd + group: gitd mode: u=rw,g=r,o=r - name: Configure git-daemon. @@ -281,8 +269,8 @@ like ~git-tasks~ and ~git-handlers~. StandardError=journal SyslogIdentifier=git-daemon - User=gitdaemon - Group=gitdaemon + User=gitd + Group=gitd [Install] WantedBy=multi-user.target @@ -301,11 +289,11 @@ like ~git-tasks~ and ~git-handlers~. #+CAPTION: [[file:roles_t/abbey-front/handlers/main.yml][=roles_t/abbey-front/handlers/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/abbey-front/handlers/main.yml :noweb no-export -<> +<> #+END_SRC -#+NAME: git-handlers -#+CAPTION: ~git-handlers~ +#+NAME: gitd-handlers +#+CAPTION: ~gitd-handlers~ #+BEGIN_SRC conf - name: Reload systemd. 
@@ -992,27 +980,28 @@ e.g. ~mythtv@mythtv.birchwood.private~, locally.) ** Configure Git Daemon on Core These tasks are identical to those executed on Front, for similar Git -services on Front and Core. See [[Configure Git Daemon on Front]] for -more information. +services on Front and Core. This allows changes to be tested on Core +before they are pushed to Front. See [[Configure Git Daemon on Front]] +for more information. #+CAPTION: [[file:roles_t/abbey-core/tasks/main.yml][=roles_t/abbey-core/tasks/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/abbey-core/tasks/main.yml :noweb no-export -<> +<> #+END_SRC #+CAPTION: [[file:roles_t/abbey-core/handlers/main.yml][=roles_t/abbey-core/handlers/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/abbey-core/handlers/main.yml :noweb no-export -<> +<> #+END_SRC ** Configure Gitweb on Core -The tasks that configure Apache to run Gitweb on Core should be -(nearly) identical to those on Front, so that the Gitweb service on -Core provides a preview of the service on Front. See [[*Configure Gitweb on Front][Configure Gitweb -on Front]] for more information. +These tasks are identical to those executed on Front, for similar +Gitweb services on Front and Core. This allows changes to be tested +on Core before they are pushed to Front. See [[*Configure Gitweb on Front][Configure Gitweb on +Front]] for more information. #+CAPTION: [[file:roles_t/abbey-core/tasks/main.yml][=roles_t/abbey-core/tasks/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/abbey-core/tasks/main.yml :noweb no-export diff --git a/roles_t/abbey-core/tasks/main.yml b/roles_t/abbey-core/tasks/main.yml index 2df0800..58fdee3 100644 --- a/roles_t/abbey-core/tasks/main.yml +++ b/roles_t/abbey-core/tasks/main.yml 
@@ -32,34 +32,23 @@ group: staff mode: u=rwx,g=srwx,o=rx -- name: Create user gitdaemon. +- name: Create user gitd. become: yes user: - name: gitdaemon - group: gitdaemon - system: true + name: gitd password: "!" - home: /var/www/git/daemon + home: /home/gitd shell: /usr/bin/git-shell -- name: Create /var/www/git/daemon/. - become: yes - file: - path: /var/www/git/daemon - state: directory - user: gitdaemon - group: gitdaemon - mode: u=rwx,g=rx,o=rx - -- name: Create /var/www/git/daemon/.gitconfig. +- name: Create /home/gitd/.gitconfig. become: yes copy: content: | [safe] directory = * - dest: /var/www/git/daemon/.gitconfig - user: gitdaemon - group: gitdaemon + dest: /home/gitd/.gitconfig + owner: gitd + group: gitd mode: u=rw,g=r,o=r - name: Configure git-daemon. @@ -83,8 +72,8 @@ StandardError=journal SyslogIdentifier=git-daemon - User=gitdaemon - Group=gitdaemon + User=gitd + Group=gitd [Install] WantedBy=multi-user.target diff --git a/roles_t/abbey-front/tasks/main.yml b/roles_t/abbey-front/tasks/main.yml index e0886fc..05ed747 100644 --- a/roles_t/abbey-front/tasks/main.yml +++ b/roles_t/abbey-front/tasks/main.yml @@ -31,34 +31,23 @@ group: staff mode: u=rwx,g=srwx,o=rx -- name: Create user gitdaemon. +- name: Create user gitd. become: yes user: - name: gitdaemon - group: gitdaemon - system: true + name: gitd password: "!" - home: /var/www/git/daemon + home: /home/gitd shell: /usr/bin/git-shell -- name: Create /var/www/git/daemon/. - become: yes - file: - path: /var/www/git/daemon - state: directory - user: gitdaemon - group: gitdaemon - mode: u=rwx,g=rx,o=rx - -- name: Create /var/www/git/daemon/.gitconfig. +- name: Create /home/gitd/.gitconfig. become: yes copy: content: | [safe] directory = * - dest: /var/www/git/daemon/.gitconfig - user: gitdaemon - group: gitdaemon + dest: /home/gitd/.gitconfig + owner: gitd + group: gitd mode: u=rw,g=r,o=r - name: Configure git-daemon. 
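Review bot: The `Create /home/gitd/.gitconfig.` task (`group: gitd`) and the unit file in the following hunk (`Group=gitd`) both require a `gitd` group to exist, but once `group: gitdaemon` and `system: true` are dropped nothing in the `Create user gitd.` task declares one, so whether a `gitd` primary group is created now depends on the host's user-private-group default (USERGROUPS_ENAB in login.defs); if it is not, the copy task errors and git-daemon fails to start. I would create the group explicitly and pin the user's primary group to it, as sketched below. The same applies to the abbey-front hunk at @@ -31 and to both `User=/Group=` hunks. I cannot see whether a group task already exists above this hunk; if one does, this is moot. Secondarily, dropping the directory task removes the explicit `u=rwx,g=rx,o=rx` on the home, so /home/gitd now takes whatever mode the `user` module's create_home gives it (useradd HOME_MODE/UMASK), which may be tighter than before — presumably harmless since only gitd reads it, but the mode is no longer pinned by the playbook.
```yaml
- name: Create group gitd.
  become: yes
  group:
    name: gitd

- name: Create user gitd.
  become: yes
  user:
    name: gitd
    group: gitd
    # … unchanged: password, home, shell …
```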
@@ -82,8 +71,8 @@ StandardError=journal SyslogIdentifier=git-daemon - User=gitdaemon - Group=gitdaemon + User=gitd + Group=gitd [Install] WantedBy=multi-user.target