From c3e4b42c98dd433bbc2f90beeae102a4993c17e5 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Wed, 13 Sep 2023 04:18:16 -0400 Subject: gitolite: Consolidate config files into a single directory The repository is being reworked to decouple its roles as normalmode source and gitolite-admin config. The gitolite-admin repository will be entirely separate. So there is no need to keep the conf or local directories around where they are at. Signed-off-by: Malfurious --- conf/.gitconfig | 6 - conf/.gitolite.rc | 206 ---------------------------------- conf/gitolite.conf | 12 -- docker/sshd_config | 22 ---- gitolite/dotfiles/.gitconfig | 6 + gitolite/dotfiles/.gitolite.rc | 206 ++++++++++++++++++++++++++++++++++ gitolite/dotfiles/local/triggers/push | 18 +++ gitolite/gitolite.conf | 12 ++ gitolite/sshd_config | 22 ++++ local/triggers/push | 18 --- 10 files changed, 264 insertions(+), 264 deletions(-) delete mode 100644 conf/.gitconfig delete mode 100644 conf/.gitolite.rc delete mode 100644 conf/gitolite.conf delete mode 100644 docker/sshd_config create mode 100644 gitolite/dotfiles/.gitconfig create mode 100644 gitolite/dotfiles/.gitolite.rc create mode 100755 gitolite/dotfiles/local/triggers/push create mode 100644 gitolite/gitolite.conf create mode 100644 gitolite/sshd_config delete mode 100755 local/triggers/push diff --git a/conf/.gitconfig b/conf/.gitconfig deleted file mode 100644 index a998fec..0000000 --- a/conf/.gitconfig +++ /dev/null @@ -1,6 +0,0 @@ -[init] - defaultBranch = master -[user] - useConfigOnly = true - name = gitolite - email = gitolite diff --git a/conf/.gitolite.rc b/conf/.gitolite.rc deleted file mode 100644 index 25a5231..0000000 --- a/conf/.gitolite.rc +++ /dev/null 
@@ -1,206 +0,0 @@ -# configuration variables for gitolite - -# This file is in perl syntax. But you do NOT need to know perl to edit it -- -# just mind the commas, use single quotes unless you know what you're doing, -# and make sure the brackets and braces stay matched up! - -# (Tip: perl allows a comma after the last item in a list also!) - -# HELP for commands can be had by running the command with "-h". - -# HELP for all the other FEATURES can be found in the documentation (look for -# "list of non-core programs shipped with gitolite" in the master index) or -# directly in the corresponding source file. - -%RC = ( - - # ------------------------------------------------------------------ - - # default umask gives you perms of '0700'; see the rc file docs for - # how/why you might change this - UMASK => 0022, - - # look for "git-config" in the documentation - GIT_CONFIG_KEYS => 'gitweb.owner', - - # comment out if you don't need all the extra detail in the logfile - LOG_EXTRA => 1, - # logging options - # 1. leave this section as is for 'normal' gitolite logging (default) - # 2. uncomment this line to log ONLY to syslog: - # LOG_DEST => 'syslog', - # 3. uncomment this line to log to syslog and the normal gitolite log: - # LOG_DEST => 'syslog,normal', - # 4. prefixing "repo-log," to any of the above will **also** log just the - # update records to "gl-log" in the bare repo directory: - # LOG_DEST => 'repo-log,normal', - # LOG_DEST => 'repo-log,syslog', - # LOG_DEST => 'repo-log,syslog,normal', - # syslog 'facility': defaults to 'local0', uncomment if needed. For example: - # LOG_FACILITY => 'local4', - - # roles. add more roles (like MANAGER, TESTER, ...) here. - # WARNING: if you make changes to this hash, you MUST run 'gitolite - # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE' - ROLES => { - CONTRIBUTORS => 1, - MAINTAINERS => 1, - }, - - # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!! 
- # CACHE => 'Redis', - - # ------------------------------------------------------------------ - - # rc variables used by various features - - # the 'info' command prints this as additional info, if it is set - # SITE_INFO => 'Please see http://blahblah/gitolite for more help', - - # the CpuTime feature uses these - # display user, system, and elapsed times to user after each git operation - # DISPLAY_CPU_TIME => 1, - # display a warning if total CPU times (u, s, cu, cs) crosses this limit - # CPU_TIME_WARN_LIMIT => 0.1, - - # the Mirroring feature needs this - # HOSTNAME => "foo", - - # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING! - # CACHE_TTL => 600, - - # ------------------------------------------------------------------ - - # suggested locations for site-local gitolite code (see cust.html) - - # this one is managed directly on the server - # LOCAL_CODE => "$ENV{HOME}/local", - - # or you can use this, which lets you put everything in a subdirectory - # called "local" in your gitolite-admin repo. For a SECURITY WARNING - # on this, see http://gitolite.com/gitolite/non-core.html#pushcode - LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local", - - # ------------------------------------------------------------------ - - # List of commands and features to enable - - POST_GIT => [ - 'push', - ], - - ENABLE => [ - - # COMMANDS - - # These are the commands enabled by default - 'help', - 'desc', - 'info', - 'perms', - #'writable', - - # Uncomment or add new commands here. - # 'create', - # 'fork', - # 'mirror', - # 'readme', - # 'sskm', - 'D', - - # These FEATURES are enabled by default. 
- - # essential (unless you're using smart-http mode) - 'ssh-authkeys', - - # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz' - 'git-config', - - # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out - #'daemon', - - # creates projects.list file; if you don't use gitweb, comment this out - #'gitweb', - - # These FEATURES are disabled by default; uncomment to enable. If you - # need to add new ones, ask on the mailing list :-) - - # user-visible behaviour - - # prevent wild repos auto-create on fetch/clone - # 'no-create-on-read', - # no auto-create at all (don't forget to enable the 'create' command!) - # 'no-auto-create', - - # access a repo by another (possibly legacy) name - # 'Alias', - - # give some users direct shell access. See documentation in - # sts.html for details on the following two choices. - # "Shell $ENV{HOME}/.gitolite.shell-users", - # 'Shell alice bob', - - # set default roles from lines like 'option default.roles-1 = ...', etc. - # 'set-default-roles', - - # show more detailed messages on deny - # 'expand-deny-messages', - - # show a message of the day - # 'Motd', - - # system admin stuff - - # enable mirroring (don't forget to set the HOSTNAME too!) - # 'Mirroring', - - # allow people to submit pub files with more than one key in them - # 'ssh-authkeys-split', - - # selective read control hack - # 'partial-copy', - - # manage local, gitolite-controlled, copies of read-only upstream repos - # 'upstream', - - # updates 'description' file instead of 'gitweb.description' config item - 'cgit', - - # allow repo-specific hooks to be added - # 'repo-specific-hooks', - - # performance, logging, monitoring... 
- - # be nice - # 'renice 10', - - # log CPU times (user, system, cumulative user, cumulative system) - # 'CpuTime', - - # syntactic_sugar for gitolite.conf and included files - - # allow backslash-escaped continuation lines in gitolite.conf - # 'continuation-lines', - - # create implicit user groups from directory names in keydir/ - # 'keysubdirs-as-groups', - - # allow simple line-oriented macros - # 'macros', - - # Kindergarten mode - - # disallow various things that sensible people shouldn't be doing anyway - # 'Kindergarten', - ], - -); - -# ------------------------------------------------------------------------------ -# per perl rules, this should be the last line in such a file: -1; - -# Local variables: -# mode: perl -# End: -# vim: set syn=perl: diff --git a/conf/gitolite.conf b/conf/gitolite.conf deleted file mode 100644 index a1602d0..0000000 --- a/conf/gitolite.conf +++ /dev/null @@ -1,12 +0,0 @@ -@administrators = admin - -repo gitolite-admin - RW+ = @administrators - -repo CREATOR/..* - C = @all - RW+ = CREATOR MAINTAINERS - RW+ contrib/USER/ = CONTRIBUTORS - R = @all - - config gitweb.owner = %GL_CREATOR diff --git a/docker/sshd_config b/docker/sshd_config deleted file mode 100644 index efc0c52..0000000 --- a/docker/sshd_config +++ /dev/null @@ -1,22 +0,0 @@ -Port 22 - -HostKey /hostkeys/etc/ssh/ssh_host_rsa_key -HostKey /hostkeys/etc/ssh/ssh_host_ecdsa_key -HostKey /hostkeys/etc/ssh/ssh_host_ed25519_key - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys - -UsePAM yes -PermitRootLogin no -PasswordAuthentication no -KbdInteractiveAuthentication no -AllowAgentForwarding no -AllowTcpForwarding no -GatewayPorts no -X11Forwarding no -PermitTTY no -PrintLastLog no -PermitUserEnvironment no -PermitTunnel no 
diff --git a/gitolite/dotfiles/.gitconfig b/gitolite/dotfiles/.gitconfig new file mode 100644 index 0000000..a998fec --- /dev/null +++ b/gitolite/dotfiles/.gitconfig @@ -0,0 +1,6 @@ +[init] + defaultBranch = master +[user] + useConfigOnly = true + name = gitolite + email = gitolite diff --git a/gitolite/dotfiles/.gitolite.rc b/gitolite/dotfiles/.gitolite.rc new file mode 100644 index 0000000..25a5231 --- /dev/null +++ b/gitolite/dotfiles/.gitolite.rc 
@@ -0,0 +1,206 @@ +# configuration variables for gitolite + +# This file is in perl syntax. But you do NOT need to know perl to edit it -- +# just mind the commas, use single quotes unless you know what you're doing, +# and make sure the brackets and braces stay matched up! + +# (Tip: perl allows a comma after the last item in a list also!) + +# HELP for commands can be had by running the command with "-h". + +# HELP for all the other FEATURES can be found in the documentation (look for +# "list of non-core programs shipped with gitolite" in the master index) or +# directly in the corresponding source file. + +%RC = ( + + # ------------------------------------------------------------------ + + # default umask gives you perms of '0700'; see the rc file docs for + # how/why you might change this + UMASK => 0022, + + # look for "git-config" in the documentation + GIT_CONFIG_KEYS => 'gitweb.owner', + + # comment out if you don't need all the extra detail in the logfile + LOG_EXTRA => 1, + # logging options + # 1. leave this section as is for 'normal' gitolite logging (default) + # 2. uncomment this line to log ONLY to syslog: + # LOG_DEST => 'syslog', + # 3. uncomment this line to log to syslog and the normal gitolite log: + # LOG_DEST => 'syslog,normal', + # 4. prefixing "repo-log," to any of the above will **also** log just the + # update records to "gl-log" in the bare repo directory: + # LOG_DEST => 'repo-log,normal', + # LOG_DEST => 'repo-log,syslog', + # LOG_DEST => 'repo-log,syslog,normal', + # syslog 'facility': defaults to 'local0', uncomment if needed. For example: + # LOG_FACILITY => 'local4', + + # roles. add more roles (like MANAGER, TESTER, ...) here. + # WARNING: if you make changes to this hash, you MUST run 'gitolite + # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE' + ROLES => { + CONTRIBUTORS => 1, + MAINTAINERS => 1, + }, + + # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!! 
+ # CACHE => 'Redis', + + # ------------------------------------------------------------------ + + # rc variables used by various features + + # the 'info' command prints this as additional info, if it is set + # SITE_INFO => 'Please see http://blahblah/gitolite for more help', + + # the CpuTime feature uses these + # display user, system, and elapsed times to user after each git operation + # DISPLAY_CPU_TIME => 1, + # display a warning if total CPU times (u, s, cu, cs) crosses this limit + # CPU_TIME_WARN_LIMIT => 0.1, + + # the Mirroring feature needs this + # HOSTNAME => "foo", + + # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING! + # CACHE_TTL => 600, + + # ------------------------------------------------------------------ + + # suggested locations for site-local gitolite code (see cust.html) + + # this one is managed directly on the server + # LOCAL_CODE => "$ENV{HOME}/local", + + # or you can use this, which lets you put everything in a subdirectory + # called "local" in your gitolite-admin repo. For a SECURITY WARNING + # on this, see http://gitolite.com/gitolite/non-core.html#pushcode + LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local", + + # ------------------------------------------------------------------ + + # List of commands and features to enable + + POST_GIT => [ + 'push', + ], + + ENABLE => [ + + # COMMANDS + + # These are the commands enabled by default + 'help', + 'desc', + 'info', + 'perms', + #'writable', + + # Uncomment or add new commands here. + # 'create', + # 'fork', + # 'mirror', + # 'readme', + # 'sskm', + 'D', + + # These FEATURES are enabled by default. 
+ + # essential (unless you're using smart-http mode) + 'ssh-authkeys', + + # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz' + 'git-config', + + # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out + #'daemon', + + # creates projects.list file; if you don't use gitweb, comment this out + #'gitweb', + + # These FEATURES are disabled by default; uncomment to enable. If you + # need to add new ones, ask on the mailing list :-) + + # user-visible behaviour + + # prevent wild repos auto-create on fetch/clone + # 'no-create-on-read', + # no auto-create at all (don't forget to enable the 'create' command!) + # 'no-auto-create', + + # access a repo by another (possibly legacy) name + # 'Alias', + + # give some users direct shell access. See documentation in + # sts.html for details on the following two choices. + # "Shell $ENV{HOME}/.gitolite.shell-users", + # 'Shell alice bob', + + # set default roles from lines like 'option default.roles-1 = ...', etc. + # 'set-default-roles', + + # show more detailed messages on deny + # 'expand-deny-messages', + + # show a message of the day + # 'Motd', + + # system admin stuff + + # enable mirroring (don't forget to set the HOSTNAME too!) + # 'Mirroring', + + # allow people to submit pub files with more than one key in them + # 'ssh-authkeys-split', + + # selective read control hack + # 'partial-copy', + + # manage local, gitolite-controlled, copies of read-only upstream repos + # 'upstream', + + # updates 'description' file instead of 'gitweb.description' config item + 'cgit', + + # allow repo-specific hooks to be added + # 'repo-specific-hooks', + + # performance, logging, monitoring... 
+ + # be nice + # 'renice 10', + + # log CPU times (user, system, cumulative user, cumulative system) + # 'CpuTime', + + # syntactic_sugar for gitolite.conf and included files + + # allow backslash-escaped continuation lines in gitolite.conf + # 'continuation-lines', + + # create implicit user groups from directory names in keydir/ + # 'keysubdirs-as-groups', + + # allow simple line-oriented macros + # 'macros', + + # Kindergarten mode + + # disallow various things that sensible people shouldn't be doing anyway + # 'Kindergarten', + ], + +); + +# ------------------------------------------------------------------------------ +# per perl rules, this should be the last line in such a file: +1; + +# Local variables: +# mode: perl +# End: +# vim: set syn=perl: diff --git a/gitolite/dotfiles/local/triggers/push b/gitolite/dotfiles/local/triggers/push new file mode 100755 index 0000000..7a3cb56 --- /dev/null +++ b/gitolite/dotfiles/local/triggers/push @@ -0,0 +1,18 @@ +#!/bin/sh + +[ "$4" = "W" ] || exit 0 + +cd "$GL_REPO_BASE/$2.git" +head=$(git symbolic-ref HEAD) + +if ! [ -f "$head" ]; then + set -- refs/heads/* + if [ "$#" -eq 1 ]; then + git symbolic-ref HEAD "$1" + echo "NOTICE: Default branch set to $1" >&2 + else + echo "WARNING: The default branch is $head, but no such branch exists" >&2 + fi +fi + +git log -1 --all --date-order --format=%ci >agefile diff --git a/gitolite/gitolite.conf b/gitolite/gitolite.conf new file mode 100644 index 0000000..a1602d0 --- /dev/null +++ b/gitolite/gitolite.conf @@ -0,0 +1,12 @@ +@administrators = admin + +repo gitolite-admin + RW+ = @administrators + +repo CREATOR/..* + C = @all + RW+ = CREATOR MAINTAINERS + RW+ contrib/USER/ = CONTRIBUTORS + R = @all + + config gitweb.owner = %GL_CREATOR diff --git a/gitolite/sshd_config b/gitolite/sshd_config new file mode 100644 index 0000000..efc0c52 --- /dev/null +++ b/gitolite/sshd_config 
@@ -0,0 +1,22 @@ +Port 22 + +HostKey /hostkeys/etc/ssh/ssh_host_rsa_key +HostKey /hostkeys/etc/ssh/ssh_host_ecdsa_key +HostKey /hostkeys/etc/ssh/ssh_host_ed25519_key + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +UsePAM yes +PermitRootLogin no +PasswordAuthentication no +KbdInteractiveAuthentication no +AllowAgentForwarding no +AllowTcpForwarding no +GatewayPorts no +X11Forwarding no +PermitTTY no +PrintLastLog no +PermitUserEnvironment no +PermitTunnel no diff --git a/local/triggers/push b/local/triggers/push deleted file mode 100755 index 7a3cb56..0000000 --- a/local/triggers/push +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -[ "$4" = "W" ] || exit 0 - -cd "$GL_REPO_BASE/$2.git" -head=$(git symbolic-ref HEAD) - -if ! [ -f "$head" ]; then - set -- refs/heads/* - if [ "$#" -eq 1 ]; then - git symbolic-ref HEAD "$1" - echo "NOTICE: Default branch set to $1" >&2 - else - echo "WARNING: The default branch is $head, but no such branch exists" >&2 - fi -fi - -git log -1 --all --date-order --format=%ci >agefile -- cgit v1.2.3 From 90858ead45f6702bdde31671246ad9c56fc7803e Mon Sep 17 00:00:00 2001 
From: Malfurious Date: Fri, 15 Sep 2023 06:02:18 -0400 Subject: gitolite: Refactor Dockerfile for debian base Building from debian:latest will make for a smaller image, a faster build, and will make the image more accessible to a wider variety of platforms. The effort started by 19e7dc8932c is expanded upon such that the image cleanly bakes in all static config files into the image - ie. the entire hosting user's home directory, except for the repositories directory. This removal of config management from the gitolite-admin repo is part of the reason why it is being decoupled from this repo. The gitolite image will now never utilize a user pubkey during build. Instead, it can be invoked with an alternative entrypoint to interactively configure a new install. Signed-off-by: Malfurious --- docker/Dockerfile.gitolite | 25 ----------------------- docker/gitolite_init.sh | 6 ------ gitolite/Dockerfile | 51 ++++++++++++++++++++++++++++++++++++++++++++++ gitolite/entrypoint.sh | 15 ++++++++++++++ 4 files changed, 66 insertions(+), 31 deletions(-) delete mode 100644 docker/Dockerfile.gitolite delete mode 100755 docker/gitolite_init.sh create mode 100644 gitolite/Dockerfile create mode 100755 gitolite/entrypoint.sh diff --git a/docker/Dockerfile.gitolite b/docker/Dockerfile.gitolite deleted file mode 100644 index d2ca1ae..0000000 --- a/docker/Dockerfile.gitolite +++ /dev/null 
@@ -1,25 +0,0 @@ -# https://gitolite.com/gitolite/index.html -# https://github.com/sitaramc/gitolite -# https://wiki.archlinux.org/title/Gitolite - -FROM archlinux - -# The gitolite package implies git, openssh, and creates the host user -RUN pacman-key --init -RUN pacman -Syu --needed --noconfirm gitolite - -# Initialize the gitolite datastore -COPY . /app -RUN if [ -f "/app/admin.pub" ]; \ - then runuser -u gitolite -- /app/gitolite_init.sh "/app/admin.pub"; fi -VOLUME /var/lib/gitolite - -# sshd host keys are stored in a volume so that rebuilding/updating the -# image doesn't break user trust -COPY sshd_config /etc/ssh/ -RUN mkdir -p /hostkeys/etc/ssh/ -RUN ssh-keygen -A -f /hostkeys -VOLUME /hostkeys - -EXPOSE 22 -CMD ["/usr/bin/sshd", "-D"] diff --git a/docker/gitolite_init.sh b/docker/gitolite_init.sh deleted file mode 100755 index bd70222..0000000 --- a/docker/gitolite_init.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh -gitolite setup -pk "$1" -chmod 755 /var/lib/gitolite -chmod -R 755 /var/lib/gitolite/repositories -ln -sf .gitolite/conf/.gitolite.rc /var/lib/gitolite -ln -sf .gitolite/conf/.gitconfig /var/lib/gitolite diff --git a/gitolite/Dockerfile b/gitolite/Dockerfile new file mode 100644 index 0000000..e3ff032 --- /dev/null +++ b/gitolite/Dockerfile 
@@ -0,0 +1,51 @@ +# https://gitolite.com/gitolite/index.html +# https://github.com/sitaramc/gitolite + +FROM debian + +ENV DEBIAN_FRONTEND=noninteractive + +# Install SSH and gitolite packages +RUN apt update \ + && apt full-upgrade --yes \ + && apt install --yes openssh-server gitolite3 \ + && apt clean + +# Create git user +RUN useradd \ + --uid 2000 \ + --home-dir /git \ + --skel /dev/null \ + --create-home \ + git + +# Install files +COPY --chown=git:git dotfiles /git/ +COPY sshd_config /etc/ssh/ +COPY gitolite.conf entrypoint.sh /app/ + +# Setup SSH keys +# We manually generate and store host keys in a separate volume, so that +# rebuilding the image doesn't break user trust. A key pair is generated for +# the root user for gitolite file initialization, so we don't need a file +# supplied by the user every time they update the image. +RUN mkdir -p /hostkeys/etc/ssh /run/sshd \ + && ssh-keygen -A -f /hostkeys \ + && ssh-keygen -f /root/.ssh/id_rsa -N "" \ + && cp /root/.ssh/id_rsa* /app + +# Patch `gitolite setup` script +# The acting gitolite.conf file is managed by the gitolite-admin repository. In +# order to install our default version of the file, we need to patch its contents +# into the Setup.pm file in the gitolite installation. This helps maintain +# separation of normalmode and gitolite-admin version control. +RUN grep -B1000000 __DATA__ /usr/share/gitolite3/lib/Gitolite/Setup.pm >/app/Setup.pm \ + && cat /app/gitolite.conf >>/app/Setup.pm \ + && cp /app/Setup.pm /usr/share/gitolite3/lib/Gitolite/Setup.pm + +# Initialize gitolite files +RUN su git -c "gitolite setup -pk /app/id_rsa.pub" \ + && chmod -R 755 /git/repositories + +EXPOSE 22 +CMD ["/app/entrypoint.sh"] diff --git a/gitolite/entrypoint.sh b/gitolite/entrypoint.sh new file mode 100755 index 0000000..613a968 --- /dev/null +++ b/gitolite/entrypoint.sh 
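Review bot: `ssh-keygen -f /root/.ssh/id_rsa -N ""` followed by `cp /root/.ssh/id_rsa* /app` bakes an unencrypted private key into the image layers, and the later `RUN su git -c "gitolite setup -pk /app/id_rsa.pub"` makes that key the gitolite admin in the image's compiled state, so anyone who can pull the image holds a key that sshd honours at every container start until the entrypoint's bootstrap push has replaced the keydir from the volume. Keep the private half in /root/.ssh only (nothing shown references /app/id_rsa, and the entrypoint's `ssh` finds the key in /root/.ssh by default), and treat it as a bootstrap-only credential by not exposing sshd outside the container until the volume's gitolite-admin has been applied. Separately, `FROM debian` plus `apt full-upgrade` is unpinned, so two builds of the same commit can produce different images; `FROM debian:bookworm-slim` (or a digest) keeps the base reproducible. The `grep -B1000000 __DATA__` patch of Setup.pm only keeps working while the packaged file's `__DATA__` section holds nothing but the conf template, which deserves a comment such as `# assumes Setup.pm's __DATA__ contains only the default gitolite.conf` so a gitolite3 upgrade does not surprise anyone.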
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# On startup of the gitolite container, force a receive of the gitolite-admin
+# files from the persistent volume, to cause the user's real pubkeys and config
+# files to take effect.
+main() {
+ sleep 5
+ ssh -o StrictHostKeyChecking=accept-new git@localhost info # cache hostkey
+ git clone --bare git@localhost:gitolite-admin.git /tmp/gladmin.git
+ git --git-dir=/tmp/gladmin.git push origin :master # remove rmt master
+ git --git-dir=/tmp/gladmin.git push origin master # replace rmt master
+}
+
+main &
+/usr/sbin/sshd -D
-- cgit v1.2.3 From 9543016ffb3a507829d980f0abc37725a211540b Mon Sep 17 00:00:00 2001 From: Malfurious Date: Wed, 13 Sep 2023 04:26:31 -0400 Subject: gitolite: Correct site-local code location Per the previous commit, site-local code is now to be located directly in the git user's home directory, as static content in the docker image. Correct this setting in the RC file. Signed-off-by: Malfurious --- gitolite/dotfiles/.gitolite.rc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gitolite/dotfiles/.gitolite.rc b/gitolite/dotfiles/.gitolite.rc
index 25a5231..eefc022 100644
--- a/gitolite/dotfiles/.gitolite.rc
+++ b/gitolite/dotfiles/.gitolite.rc
@@ -74,12 +74,12 @@ # suggested locations for site-local gitolite code (see cust.html) # this one is managed directly on the server
- # LOCAL_CODE => "$ENV{HOME}/local",
+ LOCAL_CODE => "$ENV{HOME}/local",
 # or you can use this, which lets you put everything in a subdirectory # called "local" in your gitolite-admin repo. For a SECURITY WARNING # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
- LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
+ # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
 # ------------------------------------------------------------------
-- cgit v1.2.3 From a9c483cad66446d3569f0666c55bed6263f75162 Mon Sep 17 00:00:00 2001
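Review bot: `/usr/sbin/sshd -D` listens on all interfaces while `main` is still in its `sleep 5`, so on every start the only authorized admin key for at least five seconds is the one generated at image build time, and if the clone or either push fails the backgrounded function simply ends and the container keeps serving with the image's stale keydir and conf, because nothing in `main` is checked. Running the bootstrap against a loopback-only sshd and only then exec'ing the public listener closes that window, and a bounded poll replaces the fixed sleep. The `push origin :master` / `push origin master` pair also leaves gitolite-admin without a master branch between the two commands; if the repo's post-update hook can be invoked directly to recompile, that would avoid the delete-and-re-push entirely and is worth checking against the gitolite docs.
```shell
#!/bin/sh
set -e

# Bootstrap against a loopback-only sshd so the image's build-time admin key is
# never reachable from outside before the volume's gitolite-admin has been applied.
/usr/sbin/sshd -o ListenAddress=127.0.0.1
for _ in $(seq 1 30); do
    ssh -o StrictHostKeyChecking=accept-new git@127.0.0.1 info >/dev/null 2>&1 && break
    sleep 1
done
git clone --bare git@127.0.0.1:gitolite-admin.git /tmp/gladmin.git
# … unchanged: delete and re-push master to fire the gitolite-admin hook …
rm -rf /tmp/gladmin.git

# pid file is sshd's default; adjust if PidFile is set in sshd_config
pid=$(cat /run/sshd.pid)
kill "$pid"
while kill -0 "$pid" 2>/dev/null; do sleep 1; done
exec /usr/sbin/sshd -D
```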
From: Malfurious Date: Thu, 14 Sep 2023 14:34:48 -0400 Subject: gitolite: Remove hard-coded admin username The default gitolite.conf file is now patched in to the gitolite installation in the docker image. This is so that the intended version of the file is used in the gitolite-admin repo from the very beginning. This is made necessary by the decoupling of repo purposes. Instead of using (literal) 'admin', '%ADMIN' will be substituted with the actual admin username during `gitolite setup`. Signed-off-by: Malfurious --- gitolite/gitolite.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gitolite/gitolite.conf b/gitolite/gitolite.conf index a1602d0..89eb558 100644 --- a/gitolite/gitolite.conf +++ b/gitolite/gitolite.conf @@ -1,4 +1,4 @@ -@administrators = admin +@administrators = %ADMIN repo gitolite-admin RW+ = @administrators -- cgit v1.2.3 From 5756572b09a78541d9d0d9fc6b21a6c006a99894 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Fri, 15 Sep 2023 05:48:40 -0400 Subject: gitolite: Allow users to delete remote HEAD branches This allows the branch considered the repo default to be deleted via push. I'm not totally opposed to allowing this, even though it's not entirely necessary. However, the ability to do this is now required by the docker image entrypoint script. Signed-off-by: Malfurious --- gitolite/dotfiles/.gitconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/gitolite/dotfiles/.gitconfig b/gitolite/dotfiles/.gitconfig index a998fec..6e33a9e 100644 --- a/gitolite/dotfiles/.gitconfig +++ b/gitolite/dotfiles/.gitconfig @@ -4,3 +4,5 @@ useConfigOnly = true name = gitolite email = gitolite +[receive] + denyDeleteCurrent = warn -- cgit v1.2.3 From c1db5d6e6557ac5f3b9d408eb2de888bf096a370 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Fri, 15 Sep 2023 08:49:25 -0400 Subject: gitolite: Add admin initialization script Per docker image changes, this serves as an alternative entrypoint for performing initial pubkey configuration. 
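Review bot: With `@administrators = %ADMIN` this file is only usable as the template that the Dockerfile in this series appends to Setup.pm's `__DATA__` section; `%ADMIN` is replaced by `gitolite setup` with the basename of the `-pk` key file, so copying the file straight into a gitolite-admin checkout would hand the compiler a literal `%ADMIN` that names no real user and locks everyone out of gitolite-admin. A one-line header comment such as `# setup template only: %ADMIN is replaced by the -pk key name during 'gitolite setup'` would stop the next person from treating it as a live conf.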
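Review bot: `denyDeleteCurrent = warn` in the git user's global config applies to every repository gitolite serves, not only gitolite-admin, so any user holding `RW+` (CREATOR and MAINTAINERS on the wild repos in gitolite.conf) can now delete a repo's HEAD branch; the `local/triggers/push` script only repoints HEAD when exactly one branch is left, otherwise HEAD is left dangling and clients cloning get no checked-out branch. If the only consumer is the entrypoint's bootstrap push, scope the setting to that one repo instead, e.g. `config receive.denyDeleteCurrent = warn` under `repo gitolite-admin` in gitolite.conf (which needs `GIT_CONFIG_KEYS` in .gitolite.rc extended beyond `gitweb.owner`), or set it once at build time with `git --git-dir=/git/repositories/gitolite-admin.git config receive.denyDeleteCurrent warn`.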
Signed-off-by: Malfurious --- gitolite/Dockerfile | 2 +- gitolite/initialize.sh | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100755 gitolite/initialize.sh
diff --git a/gitolite/Dockerfile b/gitolite/Dockerfile
index e3ff032..5d34312 100644
--- a/gitolite/Dockerfile
+++ b/gitolite/Dockerfile
@@ -22,7 +22,7 @@ RUN useradd \ # Install files COPY --chown=git:git dotfiles /git/ COPY sshd_config /etc/ssh/
-COPY gitolite.conf entrypoint.sh /app/
+COPY gitolite.conf entrypoint.sh initialize.sh /app/
 # Setup SSH keys # We manually generate and store host keys in a separate volume, so that
diff --git a/gitolite/initialize.sh b/gitolite/initialize.sh
new file mode 100755
index 0000000..6806acd
--- /dev/null
+++ b/gitolite/initialize.sh
@@ -0,0 +1,16 @@
+#!/bin/bash -e
+
+# This script is manually invoked when first setting up a site to initialize the
+# gitolite repositories database and set up a user-supplied pubkey for initial
+# administrator access.
+
+echo -e "This will erase data in the gitolite repository volume!"
+echo -e "One SSH pubkey will be used as the initial administrator of the new install."
+echo -e "\nKey selected: $1"
+cat "/tmp/$1"
+echo -e "\nPress Enter/Return to continue..."
+
+read -r confirm
+
+rm -rf /git/.gitolite /git/repositories/*
+su git -c "gitolite setup -pk /tmp/$1"
-- cgit v1.2.3
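Review bot: `su git -c "gitolite setup -pk /tmp/$1"` interpolates the key name into a shell command string, so a name containing a space or a shell metacharacter either breaks the command or runs something else as the git user; `runuser -u git -- gitolite setup -pk "/tmp/$1"`, as the removed Arch Dockerfile did, passes it as a single argument. `cat "/tmp/$1"` does stop the script under `bash -e` before the `rm -rf` when the file is missing, but an empty or path-containing `$1` is not rejected and `read -r confirm` never looks at what was typed; `case "$1" in ''|*/*) echo "usage: initialize.sh <admin>.pub" >&2; exit 1;; esac` plus a `yes`-only confirmation would make the destructive step harder to hit by accident. gitolite derives the admin username from the key file's basename, so the header comment should also say that `$1` must be named `<adminname>.pub`.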