installation of riaf
requirements
To install riaf on a system there are a few requirements to fulfill.
First of all you need a server that is running Linux (e.g. Ubuntu 20.04), has a fully qualified domain name, and is accessible by ssh and https (check the firewall settings).
I used a virtual machine from a provider on the internet.
zfs data storage
If you want to store the data on a zfs file system, you should prepare /data as a zfs file system and adapt it after installation and configuration.
You can use the ansible playbook play_install_zfs.yaml in this repository to create /data as a zfs file system pool, e.g.:
ansible-playbook --ask-vault-pass -l [my_server] -v play_install_zfs.yaml
You should adapt task_install_zfs.yaml to your needs.
After installation and configuration you can use the ansible playbook play_gitolite_home2zfs_filesystem.yaml to adapt the gitolite home directory, e.g.:
ansible-playbook --ask-vault-pass -l [my_server] -v play_gitolite_home2zfs_filesystem.yaml
installation and configuration
You can use the ansible playbook play_install_riaf.yaml to install and configure riaf, e.g.:
ansible-playbook --ask-vault-pass -l [my_server] -v play_install_riaf.yaml
You will be asked for a few variables; the output could look like:
Using ~/.ansible.cfg as config file
initial ssh adminkey for gitolite: [skipped here]
gitolite user name [git]:
path to the gitolite home directory (repositories are stored here) [/data/gitolite]:
DNS name of the server [example.com]:
config file of the gitolite web site [configs/gitolite.conf]:
ssl certificate of the web site [cert/gitolite.crt]:
ssl certificate key of the web site [cert/gitolite.key]:
path to gitolite-suexec-wrapper.sh [configs/gitolite-suexec-wrapper.sh]:
path to index.html [configs/index.html]:
path to the script update_list_all_users [configs/update_list_all_users]:
path to the server_timestamping script [configs/server_timestamping]:
path to the riaf_landing_page script [configs/riaf_landing_page]:
...
Instead of answering them one by one you can also pass them as command line options, e.g.:
ansible-playbook --ask-vault-pass -l [my_server] -v play_install_riaf.yaml \
--extra-vars "ssh_adminkey_gitolite='$(cat ~/.ssh/gitolite_admin_fdm_ed25519.pub)'" \
--extra-vars "gitolite_user=git" \
--extra-vars "gitolite_home=/data/gitolite" \
--extra-vars "servername=example.com" \
--extra-vars "configfile_gitolite_site=configs/gitolite.conf" \
--extra-vars "ssl_cert_crt=https_zertifikat/example.com.crt" \
--extra-vars "ssl_cert_key=https_zertifikat/example.com.key" \
--extra-vars "gitolite_suexec_wrapper=configs/gitolite-suexec-wrapper.sh" \
--extra-vars "index_html=configs/index.html" \
--extra-vars "gitolite_update_list_all_users=configs/update_list_all_users" \
--extra-vars "server_timestamping_script=configs/server_timestamping" \
--extra-vars "riaf_landing_page_script=configs/riaf_landing_page"
The output could look like:
Using ~/.ansible.cfg as config file
...
 _____________________________________________
< PLAY [installation and basic configuration] >
 ---------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
...
 ____________
< PLAY RECAP >
 ------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
riaf_test_system : ok=65 changed=62 unreachable=0 failed=0
With this the following software is installed and configured:
Furthermore you need to prepare a few additional tools and config files; they are described in the following sections.
You should also prepare your ssl certificates (ssl_cert_crt and ssl_cert_key above).
gitolite.conf
The Apache configuration gitolite.conf in this repository is a good example. It is adapted by the ansible playbook:
<VirtualHost *:80>
    # redirect to https
    #Redirect / https://www.example.com/
</VirtualHost>

<IfModule mod_ssl.c>
    # set high encryption
    #
    # check it with: nmap --script ssl-enum-ciphers -p 443 localhost
    #
    # or test beforehand with: openssl ciphers -v 'HIGH:!MEDIUM:!aNULL:!eNULL'
    #
    # CBC ciphers are obsolete (and implementations may be incorrect), therefore
    # remove:
    # -ECDHE-RSA-AES256-SHA384:-ECDHE-RSA-CAMELLIA256-SHA384:
    # -DHE-RSA-AES128-SHA256:-DHE-RSA-AES256-SHA256:
    # -DHE-RSA-CAMELLIA128-SHA256:-DHE-RSA-CAMELLIA256-SHA256:
    # -ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-CAMELLIA128-SHA256
    SSLCipherSuite HIGH:!MEDIUM:!aNULL:!eNULL:!TLSv1:!SHA1:!RSA:!MD5:!RC4:-ECDHE-RSA-AES256-SHA384:-ECDHE-RSA-CAMELLIA256-SHA384:-DHE-RSA-AES128-SHA256:-DHE-RSA-AES256-SHA256:-DHE-RSA-CAMELLIA128-SHA256:-DHE-RSA-CAMELLIA256-SHA256:-ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-CAMELLIA128-SHA256
    SSLProtocol all -TLSv1 -TLSv1.1
    # SSLCompression on

    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        #ServerName www.example.com

        DocumentRoot /var/www/gitolite
        <Directory /var/www/gitolite>
            Options None
            AllowOverride none
            # Apache 2.2 style access control: on Apache 2.4 (Ubuntu 20.04) this
            # needs mod_access_compat (enabled by default); the 2.4 equivalent
            # is "Require all granted"
            Order allow,deny
            Allow from all
        </Directory>

        SuexecUserGroup git git
        ScriptAlias /www/ /var/www/bin/gitolite_web_interface.py
        <Location /www>
            AuthType Basic
            AuthName "gitolite access is required"
            Require valid-user
            AuthUserFile /etc/apache2/gitolite.passwd
        </Location>

        SuexecUserGroup git git
        ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
        <Location /git>
            AuthType Basic
            AuthName "gitolite access is required"
            Require valid-user
            AuthUserFile /etc/apache2/gitolite.passwd
        </Location>

        DAVLockDB /var/www/DAVLock
        <Directory /var/www/gitolite/dav>
            Order Allow,Deny
            Allow from all
            Dav On
            AuthType Basic
            AuthName "gitolite access is required"
            AuthUserFile /etc/apache2/gitolite.passwd
            Options +Indexes
            <Limit GET OPTIONS PROPFIND>
                Require valid-user
                AllowOverride AuthConfig
            </Limit>
            <LimitExcept GET OPTIONS PROPFIND>
                Require all denied
            </LimitExcept>
        </Directory>

        <Directory /var/www/gitolite/dabu>
            Options +Indexes
        </Directory>

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # SSL Engine Switch:
        # Enable/Disable SSL for this virtual host.
        SSLEngine on

        # A self-signed (snakeoil) certificate can be created by installing
        # the ssl-cert package. See
        # /usr/share/doc/apache2/README.Debian.gz for more info.
        # If both key and certificate are stored in the same file, only the
        # SSLCertificateFile directive is needed.
        SSLCertificateFile /etc/ssl/certs/gitolite.crt
        SSLCertificateKeyFile /etc/ssl/private/gitolite.key
    </VirtualHost>
</IfModule>
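The comments in gitolite.conf suggest checking the resulting cipher list with `openssl ciphers -v`. The following added shell check is not part of riaf; it automates that look by parsing the `Mac=` column of `openssl ciphers -v` output and reporting every suite that is not AEAD (i.e. every CBC/HMAC suite). The function names, the `--run` flag and the embedded sample lines are my own; the sample lines are constructed in the `openssl ciphers -v` format, not captured from a particular OpenSSL version, and the live check needs the openssl binary installed.

```shell
#!/bin/sh
# Added example (not part of riaf): report cipher suites that are not AEAD.
# non_aead_ciphers reads "openssl ciphers -v" output on stdin, e.g.
#   ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
# and prints the name of every suite whose Mac= column is not AEAD.
non_aead_ciphers() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Mac=/ && $i != "Mac=AEAD") { print $1; break }
    }'
}

# Prints "ok" when the list on stdin is AEAD-only, otherwise the offending
# suite names, one per line.
check_suite_output() {
    bad=$(non_aead_ciphers)
    if [ -z "$bad" ]; then echo ok; else printf '%s\n' "$bad"; fi
}

# The SSLCipherSuite value from gitolite.conf above.
RIAF_SUITE='HIGH:!MEDIUM:!aNULL:!eNULL:!TLSv1:!SHA1:!RSA:!MD5:!RC4:-ECDHE-RSA-AES256-SHA384:-ECDHE-RSA-CAMELLIA256-SHA384:-DHE-RSA-AES128-SHA256:-DHE-RSA-AES256-SHA256:-DHE-RSA-CAMELLIA128-SHA256:-DHE-RSA-CAMELLIA256-SHA256:-ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-CAMELLIA128-SHA256'

# Constructed sample in the "openssl ciphers -v" format (not real output of a
# particular OpenSSL version): two AEAD suites and one CBC suite.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384'

# Checks the constructed sample: expected result is the one CBC suite name.
check_sample() {
    printf '%s\n' "$SAMPLE_CIPHERS" | check_suite_output
}

# Checks the live cipher list of the installed OpenSSL, if there is one.
check_live() {
    if command -v openssl >/dev/null 2>&1; then
        openssl ciphers -v "$RIAF_SUITE" | check_suite_output
    else
        echo "openssl not installed, live check skipped"
    fi
}

if [ "${1:-}" = "--run" ]; then
    echo "sample: $(check_sample)"
    echo "live:"
    check_live
fi
```

Run it as `sh check_ciphers.sh --run` (the file name is my choice). On a current OpenSSL the live check typically still lists ECDSA- or DSS-authenticated CBC suites such as ECDHE-ECDSA-AES256-SHA384, because the explicit subtractions in gitolite.conf only name the RSA variants; with an RSA certificate those suites can never be negotiated, but if the list is to be AEAD-only regardless of certificate type, negating the `SHA256` and `SHA384` aliases of `openssl ciphers` (they match the HMAC-SHA256/384 suites, not the AEAD ones) is shorter than listing each suite by name.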
gitolite-suexec-wrapper.sh
The tool gitolite-suexec-wrapper.sh is just a small wrapper to use gitolite with both ssh and http mode clients (see "Making repositories available to both ssh and http mode clients" in the gitolite documentation). It is adapted by the ansible playbook:
#!/bin/bash
#
# Suexec wrapper for gitolite-shell
#
# repository base directory and gitolite home; both paths are adapted by the
# ansible playbook (gitolite_home)
export GIT_PROJECT_ROOT="/var/lib/gitolite/repositories"
export GITOLITE_HTTP_HOME="/var/lib/gitolite"
exec "${GITOLITE_HTTP_HOME}/gitolite-source/src/gitolite-shell"
index.html
The starting page index.html for the web interface is a very basic example:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/transitional.dtd">
<html>
  <body>
    <ul>
      <li><a href="www/">www</a></li>
      <li><a href="git/">git</a></li>
      <li><a href="dav/">dav</a></li>
      <li><a href="dabu/">dabu</a></li>
    </ul>
  </body>
</html>
server_timestamping
The gitolite trigger server_timestamping does gpg-signed timestamping on pushes to the server. This cryptographic signature represents the time at which the data reached the server, and later changes of the history are not possible without the private gpg key owned by the server and stored on the server. The timestamps are stored in the branch server_timestamping.
riaf_landing_page
If metadata is available on the default branch in the format [pydabu] uses, the gitolite trigger riaf_landing_page adds a landing page to make the repository findable. The landing page is stored in the branch landing_page and is made available for public access via a fuse mount using [fuse_git_bare_fs] through [apache] as web interface. The landing page presents the metadata.
update_list_all_users
The tool update_list_all_users is necessary to allow a listing of all users; it is used for the dav interface:
#!/bin/sh
# regenerate the list of dav users from the apache htpasswd file, but only
# when the list is missing or the htpasswd file is newer than the list
passwdfile=/etc/apache2/gitolite.passwd
davusersfile=/data/gitolite/dav_users
if [ ! -f "$davusersfile" ] || [ -n "$(find "$passwdfile" -newer "$davusersfile")" ]; then
    # keep only the user names (first field), never the password hashes
    cut -d ":" -f 1 "$passwdfile" > "$davusersfile"
fi
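The following added shell example is not part of riaf: it puts the same regeneration logic into a function with the two files as parameters and exercises it against a constructed htpasswd file in a temporary directory, so the three cases become visible (the list is created when missing, left alone when the htpasswd file has not changed, regenerated when it has) and so that it is checked that only user names, never password hashes, end up in the dav users list. The function names and the placeholder hashes are mine; the placeholders are not real htpasswd hashes.

```shell
#!/bin/sh
# Added example (not part of riaf): the update_list_all_users logic as a
# function, exercised against a constructed htpasswd file.

# update_dav_users PASSWDFILE DAVUSERSFILE
# Rewrites DAVUSERSFILE from the first field of PASSWDFILE when the list is
# missing or older than the htpasswd file. Prints "regenerated" or "unchanged".
update_dav_users() {
    passwdfile=$1
    davusersfile=$2
    [ -r "$passwdfile" ] || { echo "cannot read $passwdfile" >&2; return 1; }
    if [ ! -f "$davusersfile" ] || [ -n "$(find "$passwdfile" -newer "$davusersfile")" ]; then
        cut -d ":" -f 1 "$passwdfile" > "$davusersfile"
        echo regenerated
    else
        echo unchanged
    fi
}

# Runs the three cases in a fresh temporary directory and prints the three
# results followed by the final comma-separated user list. Returns 1 if a
# password hash (anything containing "$") leaked into the list.
demo_update_dav_users() {
    dir=$(mktemp -d)
    passwd="$dir/gitolite.passwd"
    users="$dir/dav_users"
    # constructed htpasswd content; the hashes are placeholders, not real ones
    printf 'alice:$apr1$PLACEHOLDER1\nbob:$apr1$PLACEHOLDER2\n' > "$passwd"

    r1=$(update_dav_users "$passwd" "$users")   # list missing -> regenerated
    r2=$(update_dav_users "$passwd" "$users")   # nothing changed -> unchanged

    # pretend the list was written long ago, then add a user to the htpasswd
    # file: the htpasswd file is now newer -> regenerated
    touch -t 202001010000 "$users"
    printf 'carol:$apr1$PLACEHOLDER3\n' >> "$passwd"
    r3=$(update_dav_users "$passwd" "$users")

    list=$(tr '\n' ',' < "$users" | sed 's/,$//')
    rm -rf "$dir"
    echo "$r1 $r2 $r3 $list"
    case "$list" in *'$'*) return 1 ;; esac
    return 0
}

if [ "${1:-}" = "--run" ]; then
    demo_update_dav_users
fi
```

Run it as `sh demo_dav_users.sh --run` (file name of my choice); the expected output is `regenerated unchanged regenerated alice,bob,carol`. Note that `find -newer` compares modification times, so a change to the htpasswd file that lands within the time-stamp resolution of the file system (a whole second on coarse file systems) right after the list was written would be missed until the next change; on a Linux ext4 or zfs file system with nanosecond time stamps this is not a practical concern.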
update
Like every system, you should update it regularly.
The ansible playbook play_update.yaml can help you, e.g.:
ansible-playbook --ask-vault-pass -l [my_server] -v play_update.yaml \
--extra-vars "gitolite_user=git gitolite_home=/data/gitolite"