From 52ea1d2b050b9497255f62c9e3edfa238e1aa484 Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Tue, 30 Dec 2025 20:07:14 -0700 Subject: [PATCH] Replace the git-daemon-sysvinit package, not available in Debian 13. --- README.org | 128 ++++++++++++++++++-------- roles_t/abbey-core/handlers/main.yml | 6 +- roles_t/abbey-core/tasks/main.yml | 88 ++++++++++++++---- roles_t/abbey-front/handlers/main.yml | 6 +- roles_t/abbey-front/tasks/main.yml | 88 ++++++++++++++---- 5 files changed, 237 insertions(+), 79 deletions(-) diff --git a/README.org b/README.org index facceca..c02bbc0 100644 --- a/README.org +++ b/README.org @@ -159,7 +159,7 @@ from there, forwarding ~sysadm~ to a real person. ** Configure Git Daemon on Front -The abbey publishes member Git repositories with ~git-daemon~. If +The abbey publishes member Git repositories with ~git daemon~. If Dick (a member of A Small Institute) builds a Foo project Git repository in =~/foo/=, he can publish it to the campus by symbolically linking its =.git/= into =~/Public/Git/= on Core. If the 
@@ -186,20 +186,22 @@ There are no regular, system backups on Front. : rsync -av --del small.institute.org:Public/foo/ ~/Public/foo/ -With SystemD and the ~git-daemon-sysvinit~ package installed, SystemD -supervises a ~git-daemon~ service unit launched with -~/etc/init.d/git-daemon~. The old SysV ~init~ script gets its -configuration from the customary =/etc/default/git-daemon= file. The -script then constructs the appropriate ~git-daemon~ command. The -~git-daemon(1)~ manual page explains the command options in detail. -As explained in =/usr/share/doc/git-daemon-sysvinit/README.Debian=, -the service must be enabled by setting ~GIT_DAEMON_ENABLE~ to ~true~. -The base path is also changed to agree with =gitweb.cgi=. - -User repositories are enabled by adding a ~user-path~ option /and/ -disabling the default whitelist. To specify an empty whitelist, the -default (a list of one directory: =/var/lib/git=) must be avoided by -setting ~GIT_DAEMON_DIRECTORY~ to a blank (not empty) string. +The ~git daemon~ is run by SystemD per the =git-daemon.service= file. +The ~git-daemon(1)~ manual page explains the options in detail. The +~--base-path~ option should agree with ~$projectroot~ in the +=/etc/gitweb.conf= file installed [[apache-gitweb-tasks][here]]. + +User repositories are enabled by adding a ~--user-path~ option /and/ +specifying an empty whitelist (i.e., no directories listed on the +command line). + +The ~git daemon~ is run as an unprivileged system user: ~gitdaemon~. +Thus it has access to anything world readable. However ~git~ must be +willing to forgive the fact that ~gitdaemon~ does not /own/ any of the +repositories it is serving. To accomplish this, ~gitdaemon~ gets a +home directory, =/var/www/git/daemon/=, in which is installed a +configuration just like that installed by ~git config --global --add +safe.directory \*~. The code below is included in both Front and Core configurations, which should be nearly identical for testing purposes. Rather than 
@@ -216,26 +218,9 @@ like ~git-tasks~ and ~git-handlers~. #+NAME: git-tasks #+CAPTION: ~git-tasks~ #+BEGIN_SRC conf -- name: Install git daemon. +- name: Install git. become: yes - apt: pkg=git-daemon-sysvinit - -- name: Configure git daemon. - become: yes - lineinfile: - path: /etc/default/git-daemon - regexp: "{{ item.patt }}" - line: "{{ item.line }}" - loop: - - patt: '^GIT_DAEMON_ENABLE *=' - line: 'GIT_DAEMON_ENABLE=true' - - patt: '^GIT_DAEMON_OPTIONS *=' - line: 'GIT_DAEMON_OPTIONS="--user-path=Public/Git"' - - patt: '^GIT_DAEMON_BASE_PATH *=' - line: 'GIT_DAEMON_BASE_PATH="/var/www/git"' - - patt: '^GIT_DAEMON_DIRECTORY *=' - line: 'GIT_DAEMON_DIRECTORY=" "' - notify: Restart git daemon. + apt: pkg=git - name: Create /var/www/git/. become: yes 
@@ -244,6 +229,73 @@ like ~git-tasks~ and ~git-handlers~. state: directory group: staff mode: u=rwx,g=srwx,o=rx + +- name: Create user gitdaemon. + become: yes + user: + name: gitdaemon + group: gitdaemon + system: true + password: "!" + home: /var/www/git/daemon + shell: /usr/bin/git-shell + +- name: Create /var/www/git/daemon/. + become: yes + file: + path: /var/www/git/daemon + state: directory + user: gitdaemon + group: gitdaemon + mode: u=rwx,g=rx,o=rx + +- name: Create /var/www/git/daemon/.gitconfig. + become: yes + copy: + content: | + [safe] + directory = * + dest: /var/www/git/daemon/.gitconfig + user: gitdaemon + group: gitdaemon + mode: u=rw,g=r,o=r + +- name: Configure git-daemon. + become: yes + copy: + content: | + [Unit] + Description=Git Daemon + After=network.target + + [Service] + ExecStart=/usr/bin/git daemon \ + --reuseaddr --verbose \ + --user-path=Public/Git \ + --base-path=/var/www/git + + Restart=always + RestartSec=5 + + StandardOutput=journal + StandardError=journal + SyslogIdentifier=git-daemon + + User=gitdaemon + Group=gitdaemon + + [Install] + WantedBy=multi-user.target + dest: /etc/systemd/system/git-daemon.service + notify: + - Reload systemd. + - Restart git-daemon. + +- name: Enable git-daemon. + become: yes + systemd: + service: git-daemon + enabled: yes #+END_SRC #+CAPTION: [[file:roles_t/abbey-front/handlers/main.yml][=roles_t/abbey-front/handlers/main.yml=]] @@ -256,9 +308,11 @@ like ~git-tasks~ and ~git-handlers~. #+CAPTION: ~git-handlers~ #+BEGIN_SRC conf -- name: Restart git daemon. +- name: Restart git-daemon. become: yes - command: systemctl restart git-daemon + systemd: + service: git-daemon + state: restarted tags: actualizer #+END_SRC 
@@ -278,7 +332,7 @@ page, the second ~RewriteRule~ specifies the root directory of the user's public Git repositories via the ~GITWEB_PROJECTROOT~ environment variable. It makes ~http://www/~dick/git~ run Gitweb with the project root =~dick/Public/Git/=, the same directory -the ~git-daemon~ makes available. The first ~RewriteRule~ directs +the ~git daemon~ makes available. The first ~RewriteRule~ directs URLs with no user name to the default. Thus ~http://www/git~ lists the repositories found in =/var/www/git/=. diff --git a/roles_t/abbey-core/handlers/main.yml b/roles_t/abbey-core/handlers/main.yml index 0401ac9..1612e5f 100644 --- a/roles_t/abbey-core/handlers/main.yml +++ b/roles_t/abbey-core/handlers/main.yml @@ -4,9 +4,11 @@ command: newaliases tags: actualizer -- name: Restart git daemon. +- name: Restart git-daemon. become: yes - command: systemctl restart git-daemon + systemd: + service: git-daemon + state: restarted tags: actualizer - name: Restart Apache2. diff --git a/roles_t/abbey-core/tasks/main.yml b/roles_t/abbey-core/tasks/main.yml index 7ffca9e..788679e 100644 --- a/roles_t/abbey-core/tasks/main.yml +++ b/roles_t/abbey-core/tasks/main.yml @@ -20,26 +20,9 @@ marker: "# {mark} ABBEY MANAGED BLOCK" notify: New aliases. -- name: Install git daemon. +- name: Install git. become: yes - apt: pkg=git-daemon-sysvinit - -- name: Configure git daemon. - become: yes - lineinfile: - path: /etc/default/git-daemon - regexp: "{{ item.patt }}" - line: "{{ item.line }}" - loop: - - patt: '^GIT_DAEMON_ENABLE *=' - line: 'GIT_DAEMON_ENABLE=true' - - patt: '^GIT_DAEMON_OPTIONS *=' - line: 'GIT_DAEMON_OPTIONS="--user-path=Public/Git"' - - patt: '^GIT_DAEMON_BASE_PATH *=' - line: 'GIT_DAEMON_BASE_PATH="/var/www/git"' - - patt: '^GIT_DAEMON_DIRECTORY *=' - line: 'GIT_DAEMON_DIRECTORY=" "' - notify: Restart git daemon. + apt: pkg=git - name: Create /var/www/git/. become: yes 
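Review bot: The rewritten "Restart git-daemon." handler in roles_t/abbey-core/handlers/main.yml restarts the unit without reloading systemd, and the "Reload systemd." handler that the tasks notify is not visible in this hunk. Ansible runs handlers in the order they are defined in the handlers file, not the order listed under `notify`. If "Reload systemd." is defined after this handler, the restart would use the previously loaded unit definition; if it is missing, the play fails on the unknown handler name. Adding `daemon_reload: yes` to this handler's `systemd:` arguments makes the restart self-sufficient. The same applies to the abbey-front handlers hunk and the README.org git-handlers block.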
@@ -49,6 +32,73 @@ group: staff mode: u=rwx,g=srwx,o=rx +- name: Create user gitdaemon. + become: yes + user: + name: gitdaemon + group: gitdaemon + system: true + password: "!" + home: /var/www/git/daemon + shell: /usr/bin/git-shell + +- name: Create /var/www/git/daemon/. + become: yes + file: + path: /var/www/git/daemon + state: directory + user: gitdaemon + group: gitdaemon + mode: u=rwx,g=rx,o=rx + +- name: Create /var/www/git/daemon/.gitconfig. + become: yes + copy: + content: | + [safe] + directory = * + dest: /var/www/git/daemon/.gitconfig + user: gitdaemon + group: gitdaemon + mode: u=rw,g=r,o=r + +- name: Configure git-daemon. + become: yes + copy: + content: | + [Unit] + Description=Git Daemon + After=network.target + + [Service] + ExecStart=/usr/bin/git daemon \ + --reuseaddr --verbose \ + --user-path=Public/Git \ + --base-path=/var/www/git + + Restart=always + RestartSec=5 + + StandardOutput=journal + StandardError=journal + SyslogIdentifier=git-daemon + + User=gitdaemon + Group=gitdaemon + + [Install] + WantedBy=multi-user.target + dest: /etc/systemd/system/git-daemon.service + notify: + - Reload systemd. + - Restart git-daemon. + +- name: Enable git-daemon. + become: yes + systemd: + service: git-daemon + enabled: yes + - name: Enable Apache2 rewrite module for Gitweb. become: yes apache2_module: name=rewrite diff --git a/roles_t/abbey-front/handlers/main.yml b/roles_t/abbey-front/handlers/main.yml index f866abe..41e84cd 100644 --- a/roles_t/abbey-front/handlers/main.yml +++ b/roles_t/abbey-front/handlers/main.yml @@ -4,9 +4,11 @@ command: newaliases tags: actualizer -- name: Restart git daemon. +- name: Restart git-daemon. become: yes - command: systemctl restart git-daemon + systemd: + service: git-daemon + state: restarted tags: actualizer - name: Restart Apache2. diff --git a/roles_t/abbey-front/tasks/main.yml b/roles_t/abbey-front/tasks/main.yml index ca31e82..e0886fc 100644 --- a/roles_t/abbey-front/tasks/main.yml 
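Review bot: The "Create /var/www/git/daemon/." and "Create /var/www/git/daemon/.gitconfig." tasks pass `user: gitdaemon`, but the `file` and `copy` modules name that parameter `owner:` and reject unknown parameters, so both tasks would fail as written; use `owner: gitdaemon`. Separately, "Create user gitdaemon." sets `group: gitdaemon`, and no task visible in this hunk creates that group. The `user` module fails when the named primary group does not exist, so either add a `group: name=gitdaemon system=true` task before it or confirm the group is created elsewhere. The same text appears in the abbey-front tasks hunk and in the README.org git-tasks block.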
+++ b/roles_t/abbey-front/tasks/main.yml @@ -19,26 +19,9 @@ marker: "# {mark} ABBEY MANAGED BLOCK" notify: New aliases. -- name: Install git daemon. +- name: Install git. become: yes - apt: pkg=git-daemon-sysvinit - -- name: Configure git daemon. - become: yes - lineinfile: - path: /etc/default/git-daemon - regexp: "{{ item.patt }}" - line: "{{ item.line }}" - loop: - - patt: '^GIT_DAEMON_ENABLE *=' - line: 'GIT_DAEMON_ENABLE=true' - - patt: '^GIT_DAEMON_OPTIONS *=' - line: 'GIT_DAEMON_OPTIONS="--user-path=Public/Git"' - - patt: '^GIT_DAEMON_BASE_PATH *=' - line: 'GIT_DAEMON_BASE_PATH="/var/www/git"' - - patt: '^GIT_DAEMON_DIRECTORY *=' - line: 'GIT_DAEMON_DIRECTORY=" "' - notify: Restart git daemon. + apt: pkg=git - name: Create /var/www/git/. become: yes 
@@ -48,6 +31,73 @@ group: staff mode: u=rwx,g=srwx,o=rx +- name: Create user gitdaemon. + become: yes + user: + name: gitdaemon + group: gitdaemon + system: true + password: "!" + home: /var/www/git/daemon + shell: /usr/bin/git-shell + +- name: Create /var/www/git/daemon/. + become: yes + file: + path: /var/www/git/daemon + state: directory + user: gitdaemon + group: gitdaemon + mode: u=rwx,g=rx,o=rx + +- name: Create /var/www/git/daemon/.gitconfig. + become: yes + copy: + content: | + [safe] + directory = * + dest: /var/www/git/daemon/.gitconfig + user: gitdaemon + group: gitdaemon + mode: u=rw,g=r,o=r + +- name: Configure git-daemon. + become: yes + copy: + content: | + [Unit] + Description=Git Daemon + After=network.target + + [Service] + ExecStart=/usr/bin/git daemon \ + --reuseaddr --verbose \ + --user-path=Public/Git \ + --base-path=/var/www/git + + Restart=always + RestartSec=5 + + StandardOutput=journal + StandardError=journal + SyslogIdentifier=git-daemon + + User=gitdaemon + Group=gitdaemon + + [Install] + WantedBy=multi-user.target + dest: /etc/systemd/system/git-daemon.service + notify: + - Reload systemd. + - Restart git-daemon. + +- name: Enable git-daemon. + become: yes + systemd: + service: git-daemon + enabled: yes + - name: Enable Apache2 rewrite module for Gitweb. become: yes apache2_module: name=rewrite -- 2.47.3
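Review bot: The new unit runs `git daemon` as gitdaemon with `safe.directory = *`, so git's repository-ownership check is off for every member-owned repository reached through `--user-path`, yet the `[Service]` section carries no sandboxing. The daemon as configured only reads repositories, so systemd can confine it; the directives below are a suggested starting point and should be tested with a fetch from both /var/www/git and a `~user` path. `ProtectHome=read-only` rather than `yes` keeps the home directories readable. The abbey-core tasks hunk and the README.org git-tasks block contain the same unit text.

```yaml
# … unchanged: [Unit] section, ExecStart, Restart and journal settings …
      User=gitdaemon
      Group=gitdaemon
      NoNewPrivileges=yes
      ProtectSystem=strict
      ProtectHome=read-only
      PrivateTmp=yes
      PrivateDevices=yes
# … unchanged: [Install] section, dest and notify …
```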