| author | maddaat <git@maddaat.org> | 2026-04-10 17:34:33 +0400 |
|---|---|---|
| committer | maddaat <git@maddaat.org> | 2026-04-10 17:34:33 +0400 |
| commit | eb670e687edcc065c2886be806acd80a697f9bea (patch) | |
| tree | f09c584c635bb817ceadf4a9ea413c01b06ef3e0 | |
Initial commit
| -rw-r--r-- | README.md | 34 | ||||
| -rwxr-xr-x | deploy | 63 | ||||
| -rw-r--r-- | etc/doas.conf | 13 | ||||
| -rw-r--r-- | etc/exports | 7 | ||||
| -rw-r--r-- | etc/fstab | 3 | ||||
| -rw-r--r-- | etc/httpd.conf | 23 | ||||
| -rw-r--r-- | etc/rc.conf.local | 5 | ||||
| -rw-r--r-- | etc/shells | 10 | ||||
| -rw-r--r-- | etc/ssh/sshd_config | 103 | ||||
| -rw-r--r-- | files.sh | 21 | ||||
| -rw-r--r-- | home/git/.gitconfig | 2 | ||||
| -rw-r--r-- | home/git/.gitolite.rc | 202 | ||||
| -rw-r--r-- | script/delete_dir.sh | 13 | ||||
| -rw-r--r-- | script/delete_file.sh | 14 | ||||
| -rw-r--r-- | script/install_dir.sh | 37 | ||||
| -rw-r--r-- | script/install_file.sh | 55 | ||||
| -rw-r--r-- | var/www/conf/cgitrc | 46 |
17 files changed, 651 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f424437
--- /dev/null
+++ b/README.md
@@ -0,0 +1,34 @@
+# maddaat.org
+
+
+
+## DNS
+
+**Domain**: `maddaat.org`
+
+| Record | Type | Points to |
+|---------|---------|-----------------|
+| `@` | `A` | `159.65.207.26` |
+| `git` | `CNAME` | `maddaat.org.` |
+| `www` | `CNAME` | `maddaat.org.` |
+
+
+
+## Gitolite
+
+```
+$ doas adduser
+...
+Name: git
+Password: ****
+Fullname: git
+Uid: 1001
+Gid: 1001 (git)
+Groups: git
+Login Class: default
+HOME: /home/git
+Shell: /usr/local/libexec/gitolite/gitolite-shell
+...
+$ doas -u git /bin/sh
+$ gitolite setup -pk maddaat.pub
+```
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+set -e
+
+REPO="$(dirname "$(realpath "$0")")"
+
+. "$REPO/script/delete_dir.sh"
+. "$REPO/script/delete_file.sh"
+. "$REPO/script/install_dir.sh"
+. "$REPO/script/install_file.sh"
+
+usage() {
+ echo ' -?, -h, --help print help'
+ echo ' -d, --dry dry run'
+ echo '--delete-obsolete delete obsolete files and dirs'
+}
+
+DRY=''
+
+while [[ "$1" == -* ]]; do
+ case "$1" in
+ -h|--help|-\?)
+ usage
+ exit
+ ;;
+ -d|--dry)
+ DRY='YES'
+ ;;
+ --delete-obsolete)
+ DELETE_OBSOLETE='YES'
+ ;;
+ *)
+ echo "invalid option: $1" >&2
+ exit 1
+ ;;
+ esac
+
+ shift
+done
+
+if [ "$DRY" != 'YES' ]; then
+ echo '==='
+ pkg_add \
+ bzip2 lzip xz zstd \
+ curl git gnupg vim--no_x11 wget \
+ cgit gitolite
+fi
+
+. "$REPO/files.sh"
+
+if [ "$DRY" != 'YES' ]; then
+ echo '==='
+ rcctl restart portmap
+ rcctl restart httpd nfsd slowcgi sshd
+
+ kill -KILL `cat /var/run/mountd.pid` || true
+ rcctl start mountd
+
+ echo '==='
+ mount -av
+fi
+
+echo '==='
diff --git a/etc/doas.conf b/etc/doas.conf
new file mode 100644
index 0000000..d74f89d
--- /dev/null
+++ b/etc/doas.conf
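Review bot: `rcctl restart httpd nfsd slowcgi sshd` runs right after files.sh has overwritten /etc/ssh/sshd_config and /etc/httpd.conf, so a typo in the repository copy takes sshd down on a host whose only access path is SSH (root login and passwords are both disabled in the shipped config). Validate first, e.g. `sshd -t || exit 1` and `httpd -n || exit 1` immediately before the `rcctl restart` lines; under `set -e` the deploy then stops with the old daemons still running. The mountd line also reads a pid out of /var/run/mountd.pid and sends KILL straight away without a TERM first; if `rcctl restart mountd` is not sufficient here, a comment saying why would help the next reader. `[[ "$1" == -* ]]` under `#!/bin/sh` works because OpenBSD's sh is ksh, but a `[ ... ]` form plus `case` would keep the script honest about its shebang.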
@@ -0,0 +1,13 @@
+# $OpenBSD: doas.conf,v 1.1 2016/09/03 11:58:32 pirofti Exp $
+# See doas.conf(5) for syntax and examples.
+
+# Non-exhaustive list of variables needed to build release(8) and ports(7)
+#permit nopass setenv { \
+# FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \
+# DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \
+# MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \
+# PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \
+# SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
+
+# Allow wheel by default
+permit persist keepenv :wheel
diff --git a/etc/exports b/etc/exports
new file mode 100644
index 0000000..1d45f46
--- /dev/null
+++ b/etc/exports
@@ -0,0 +1,7 @@
+# $OpenBSD: exports,v 1.1 2014/07/12 03:52:39 deraadt Exp $
+#
+# NFS exports Database
+# See exports(5) for more information. Be very careful: misconfiguration
+# of this file can result in your filesystems being readable by the world.
+
+/home/git/repositories -ro -maproot=root localhost
diff --git a/etc/fstab b/etc/fstab
new file mode 100644
index 0000000..fb3b019
--- /dev/null
+++ b/etc/fstab
@@ -0,0 +1,3 @@
+7b4a8f66b5a2f8af.a / ffs rw,wxallowed 1 1
+
+localhost:/home/git/repositories /var/www/git/repositories nfs ro,nodev,nosuid 0 0
diff --git a/etc/httpd.conf b/etc/httpd.conf
new file mode 100644
index 0000000..3defb8c
--- /dev/null
+++ b/etc/httpd.conf
@@ -0,0 +1,23 @@
+types {
+ include "/usr/share/misc/mime.types"
+}
+
+server "maddaat.org" {
+ listen on * port 80
+
+ location "*" {
+ block return 307 "http://git.maddaat.org"
+ }
+}
+
+server "git.maddaat.org" {
+ listen on * port 80
+
+ location "/cgit.*" {
+ root "/cgit"
+ no fastcgi
+ }
+
+ root "/cgi-bin/cgit.cgi"
+ fastcgi socket "/run/slowcgi.sock"
+}
diff --git a/etc/rc.conf.local b/etc/rc.conf.local
new file mode 100644
index 0000000..468a7d0
--- /dev/null
+++ b/etc/rc.conf.local
@@ -0,0 +1,5 @@
+httpd_flags=
+mountd_flags=
+nfsd_flags=
+portmap_flags=
+slowcgi_flags=
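Review bot: `permit persist keepenv :wheel` hands every wheel member's complete environment to the root process, which is wider than a single-purpose git host needs; doas(1) otherwise builds a clean environment, so dropping `keepenv` (or narrowing it to `setenv { SSH_AUTH_SOCK }` if that is the one variable actually wanted) keeps attacker-controlled variables from a compromised wheel account out of root's commands. `persist` extends the window in which a hijacked terminal session can run root commands without re-authenticating; on a server it deserves a one-line comment on why the convenience is worth it. Nothing in the README's workflow (`doas adduser`, `doas -u git /bin/sh`) needs either option.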
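Review bot: The export is restricted to `localhost`, but `portmap`, `mountd` and `nfsd` as enabled in rc.conf.local bind to every interface, so the RPC endpoints are reachable on the public address the README records and the hostname check in exports(5) is the only thing between an outside client and the repository tree. Since the fstab mount is loopback-only, also block the services at the edge, e.g. `block in on egress proto { tcp udp } to port { sunrpc nfsd }` in pf.conf (the stock pf.conf passes everything, and mountd's dynamically assigned port needs covering too), or at least document in the README that pf is expected to do this. `-maproot=root` also looks unnecessary for a read-only export whose files are created under gitolite's `UMASK => 0022` — cgit reads them as the www user, not as uid 0 — so the default root-to-nobody mapping should be enough; confirm with a test mount before dropping it.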
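Review bot: `wxallowed` on the root filesystem turns off W^X enforcement for every binary on the machine, since `/` is the single partition here and also holds /usr/local; the installer normally confines that flag to a separate /usr/local so only ports marked wxneeded are exempt. None of the packages deploy installs (git, cgit, gitolite, curl, gnupg, vim, wget and the compressors) appears to need it, so consider `rw 1 1` and re-adding the flag only for a specific port that fails with a W^X violation — confirm against the port's wxneeded marker. The NFS line could additionally take `noexec`, since cgit only reads the mounted repositories and executes nothing from them.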
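Review bot: Both servers listen only on port 80 and the redirect target is `http://git.maddaat.org`, so with `enable-http-clone=1` in cgitrc every clone and every page is served in the clear and can be altered in transit. acme-client(1) is in base; adding `listen on * tls port 443` with a `tls { certificate ... key ... }` block to the git server and turning the port-80 handler into `block return 301 "https://git.maddaat.org$REQUEST_URI"` closes that, and an HSTS header can follow once TLS is confirmed working. The `location "/cgit.*"` block is otherwise a sensible way to keep the static assets off the FastCGI path.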
diff --git a/etc/shells b/etc/shells
new file mode 100644
index 0000000..7dff12e
--- /dev/null
+++ b/etc/shells
@@ -0,0 +1,10 @@
+# $OpenBSD: shells,v 1.8 2009/02/14 17:06:40 sobrado Exp $
+#
+# list of acceptable shells for chpass(1).
+# ftpd(8) will not allow users to connect who are not using
+# one of these shells, unless the user is listed in /etc/ftpchroot.
+/bin/sh
+/bin/csh
+/bin/ksh
+/usr/local/bin/git-shell
+/usr/local/libexec/gitolite/gitolite-shell
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
new file mode 100644
index 0000000..305e84b
--- /dev/null
+++ b/etc/ssh/sshd_config
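Review bot: `/usr/local/bin/git-shell` is added next to gitolite-shell, but nothing in this commit creates an account that uses it — the README's adduser run assigns gitolite-shell — so the entry only widens the set of shells chpass(1) and ftpd(8) will accept. Keeping this allow-list to what is actually assigned costs nothing; drop the git-shell line until an account needs it, or add a comment naming that account.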
@@ -0,0 +1,103 @@
+# $OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to "no" here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to "no" to disable keyboard-interactive authentication. Depending on
+# the system's configuration, this may involve passwords, challenge-response,
+# one-time passwords or some combination of these and other methods.
+#KbdInteractiveAuthentication yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+TCPKeepAlive yes
+PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+Match User git
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ GatewayPorts no
+ X11Forwarding no
+ PermitTTY no
+ PermitTunnel no
diff --git a/files.sh b/files.sh
new file mode 100644
index 0000000..6221d4d
--- /dev/null
+++ b/files.sh
@@ -0,0 +1,21 @@
+install_dir 0755 root wheel '/etc'
+install_file 0600 root wheel '/etc/doas.conf'
+install_file 0644 root wheel '/etc/exports'
+install_file 0644 root wheel '/etc/fstab'
+install_file 0644 root wheel '/etc/httpd.conf'
+install_file 0644 root wheel '/etc/rc.conf.local'
+install_file 0644 root wheel '/etc/shells'
+install_dir 0755 root wheel '/etc/ssh'
+install_file 0644 root wheel '/etc/ssh/sshd_config'
+
+install_dir 0755 root wheel '/home'
+install_dir 0755 git git '/home/git'
+install_file 0644 git git '/home/git/.gitconfig'
+install_file 0600 git git '/home/git/.gitolite.rc'
+
+install_dir 0755 root daemon '/var'
+install_dir 0755 root daemon '/var/www'
+install_dir 0755 root daemon '/var/www/conf'
+install_file 0644 root wheel '/var/www/conf/cgitrc'
+install_dir 0755 git git '/var/www/git'
+install_dir 0755 git git '/var/www/git/repositories'
diff --git a/home/git/.gitconfig b/home/git/.gitconfig
new file mode 100644
index 0000000..200c0c9
--- /dev/null
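Review bot: `PasswordAuthentication no` on its own does not turn off password logins on OpenBSD: `KbdInteractiveAuthentication` is left at its default of yes, and the keyboard-interactive method falls back to BSD authentication with the account password, so any account that has one (the README sets a password on `git` during adduser) can still be brute-forced through sshd. Set `KbdInteractiveAuthentication no`, or state the intent directly with `AuthenticationMethods publickey`. An `AllowUsers` line listing the admin account and `git` would additionally keep any later service account from reaching sshd at all; the `Match User git` block itself is a good restriction set.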
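Review bot: Every `install_file`/`install_dir` line with owner `git` runs `install -o git -g git`, which fails with an unknown-user error until the account from the README's adduser step exists; because deploy sources this file under `set -e`, a fresh host stops halfway with /etc already rewritten and /home/git and /var/www/git untouched. A guard at the top of files.sh makes the precondition explicit: `id git >/dev/null 2>&1 || { echo 'create the git user first (see README)' >&2; exit 1; }`. Separately, `install_dir 0755 root daemon '/var'` changes the group of /var itself from its stock value to daemon; harmless at mode 0755 but probably unintended, since the daemon group is only needed from /var/www down.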
+++ b/home/git/.gitconfig
@@ -0,0 +1,2 @@
+[init]
+ defaultBranch = master
diff --git a/home/git/.gitolite.rc b/home/git/.gitolite.rc
new file mode 100644
index 0000000..79892bb
--- /dev/null
+++ b/home/git/.gitolite.rc
@@ -0,0 +1,202 @@
+# configuration variables for gitolite
+
+# This file is in perl syntax. But you do NOT need to know perl to edit it --
+# just mind the commas, use single quotes unless you know what you're doing,
+# and make sure the brackets and braces stay matched up!
+
+# (Tip: perl allows a comma after the last item in a list also!)
+
+# HELP for commands can be had by running the command with "-h".
+
+# HELP for all the other FEATURES can be found in the documentation (look for
+# "list of non-core programs shipped with gitolite" in the master index) or
+# directly in the corresponding source file.
+
+%RC = (
+
+ # ------------------------------------------------------------------
+
+ # default umask gives you perms of '0700'; see the rc file docs for
+ # how/why you might change this
+ UMASK => 0022,
+
+ # look for "git-config" in the documentation
+ GIT_CONFIG_KEYS => '',
+
+ # comment out if you don't need all the extra detail in the logfile
+ LOG_EXTRA => 1,
+ # logging options
+ # 1. leave this section as is for 'normal' gitolite logging (default)
+ # 2. uncomment this line to log ONLY to syslog:
+ # LOG_DEST => 'syslog',
+ # 3. uncomment this line to log to syslog and the normal gitolite log:
+ # LOG_DEST => 'syslog,normal',
+ # 4. prefixing "repo-log," to any of the above will **also** log just the
+ # update records to "gl-log" in the bare repo directory:
+ # LOG_DEST => 'repo-log,normal',
+ # LOG_DEST => 'repo-log,syslog',
+ # LOG_DEST => 'repo-log,syslog,normal',
+ # syslog 'facility': defaults to 'local0', uncomment if needed. For example:
+ # LOG_FACILITY => 'local4',
+
+ # roles. add more roles (like MANAGER, TESTER, ...) here.
+ # WARNING: if you make changes to this hash, you MUST run 'gitolite
+ # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+ ROLES => {
+ READERS => 1,
+ WRITERS => 1,
+ },
+
+ # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
+ # CACHE => 'Redis',
+
+ # ------------------------------------------------------------------
+
+ # rc variables used by various features
+
+ # the 'info' command prints this as additional info, if it is set
+ # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
+
+ # the CpuTime feature uses these
+ # display user, system, and elapsed times to user after each git operation
+ # DISPLAY_CPU_TIME => 1,
+ # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+ # CPU_TIME_WARN_LIMIT => 0.1,
+
+ # the Mirroring feature needs this
+ # HOSTNAME => "foo",
+
+ # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
+ # CACHE_TTL => 600,
+
+ # ------------------------------------------------------------------
+
+ # suggested locations for site-local gitolite code (see cust.html)
+
+ # this one is managed directly on the server
+ # LOCAL_CODE => "$ENV{HOME}/local",
+
+ # or you can use this, which lets you put everything in a subdirectory
+ # called "local" in your gitolite-admin repo. For a SECURITY WARNING
+ # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
+ # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
+
+ # ------------------------------------------------------------------
+
+ # List of commands and features to enable
+
+ ENABLE => [
+
+ # COMMANDS
+
+ # These are the commands enabled by default
+ 'help',
+ 'desc',
+ 'info',
+ 'perms',
+ 'writable',
+
+ # Uncomment or add new commands here.
+ # 'create',
+ # 'fork',
+ # 'mirror',
+ # 'readme',
+ # 'sskm',
+ # 'D',
+
+ # These FEATURES are enabled by default.
+
+ # essential (unless you're using smart-http mode)
+ 'ssh-authkeys',
+
+ # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz'
+ # 'git-config',
+
+ # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+ # 'daemon',
+
+ # creates projects.list file; if you don't use gitweb, comment this out
+ # 'gitweb',
+
+ # These FEATURES are disabled by default; uncomment to enable. If you
+ # need to add new ones, ask on the mailing list :-)
+
+ # user-visible behaviour
+
+ # prevent wild repos auto-create on fetch/clone
+ # 'no-create-on-read',
+ # no auto-create at all (don't forget to enable the 'create' command!)
+ # 'no-auto-create',
+
+ # access a repo by another (possibly legacy) name
+ # 'Alias',
+
+ # give some users direct shell access. See documentation in
+ # sts.html for details on the following two choices.
+ # "Shell $ENV{HOME}/.gitolite.shell-users",
+ # 'Shell alice bob',
+
+ # set default roles from lines like 'option default.roles-1 = ...', etc.
+ # 'set-default-roles',
+
+ # show more detailed messages on deny
+ 'expand-deny-messages',
+
+ # show a message of the day
+ # 'Motd',
+
+ # system admin stuff
+
+ # enable mirroring (don't forget to set the HOSTNAME too!)
+ # 'Mirroring',
+
+ # allow people to submit pub files with more than one key in them
+ # 'ssh-authkeys-split',
+
+ # selective read control hack
+ # 'partial-copy',
+
+ # manage local, gitolite-controlled, copies of read-only upstream repos
+ # 'upstream',
+
+ # updates 'description' file instead of 'gitweb.description' config item
+ # 'cgit',
+
+ # allow repo-specific hooks to be added
+ # 'repo-specific-hooks',
+
+ # performance, logging, monitoring...
+
+ # be nice
+ # 'renice 10',
+
+ # log CPU times (user, system, cumulative user, cumulative system)
+ # 'CpuTime',
+
+ # syntactic_sugar for gitolite.conf and included files
+
+ # allow backslash-escaped continuation lines in gitolite.conf
+ # 'continuation-lines',
+
+ # create implicit user groups from directory names in keydir/
+ # 'keysubdirs-as-groups',
+
+ # allow simple line-oriented macros
+ # 'macros',
+
+ # Kindergarten mode
+
+ # disallow various things that sensible people shouldn't be doing anyway
+ 'Kindergarten',
+ ],
+
+);
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
diff --git a/script/delete_dir.sh b/script/delete_dir.sh
new file mode 100644
index 0000000..93df582
--- /dev/null
+++ b/script/delete_dir.sh
@@ -0,0 +1,13 @@
+delete_dir() {
+ path="$1"
+
+ if [ "$DELETE_OBSOLETE" = 'YES' ]; then
+ if [ -e "$path" ]; then
+ echo '==='
+ echo "rmdir \"$path\""
+ if [ "$DRY" != 'YES' ]; then
+ rmdir "$path"
+ fi
+ fi
+ fi
+}
diff --git a/script/delete_file.sh b/script/delete_file.sh
new file mode 100644
index 0000000..ebcc5b0
--- /dev/null
+++ b/script/delete_file.sh
@@ -0,0 +1,14 @@
+delete_file() {
+ path="$1"
+
+ if [ "$DELETE_OBSOLETE" = 'YES' ]; then
+ if [ -e "$path" -o -e "$path.old" ]; then
+ echo '==='
+ if [ -e "$path" ]; then echo "rm -f \"$path\""; fi
+ if [ -e "$path.old" ]; then echo "rm -f \"$path.old\""; fi
+ if [ "$DRY" != 'YES' ]; then
+ rm -f "$path" "$path.old"
+ fi
+ fi
+ fi
+}
diff --git a/script/install_dir.sh b/script/install_dir.sh
new file mode 100644
index 0000000..a476ad0
--- /dev/null
+++ b/script/install_dir.sh
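Review bot: With `'gitweb'` left commented out there is no projects.list for cgit to consume, so the cgitrc in this commit scans the whole repository tree and will publish gitolite-admin.git (keydir/ and conf/gitolite.conf) and every repo that gitolite.conf intends to be private, all of which `UMASK => 0022` makes readable across the NFS export. Enable `'gitweb'` here, have it write the list inside the exported tree (the `GITWEB_PROJECTS_LIST` rc variable controls the path, if the installed version honours it — otherwise it lands in /home/git, outside the export), and grant `R = gitweb` in gitolite.conf only to repos meant to be public. Enabling `'cgit'` as well keeps the `desc` command writing the description file cgit reads, rather than a git-config key that cgitrc does not enable `enable-git-config` for.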
@@ -0,0 +1,37 @@
+install_dir() {
+ mode="$1"
+ owner="$2"
+ group="$3"
+ path="$4"
+
+ if [ "$DRY" = 'YES' ]; then
+ before_mode_stat="$(stat -f '%p' "$path" 2>/dev/null || echo '????')"
+ before_mode_prefix="${before_mode_stat%????}"
+ before_mode="${before_mode_stat#"$before_mode_prefix"}"
+ before_mode_user_group="$(stat -f '%Su %Sg' "$path" 2>/dev/null || echo '???? ????')"
+
+ before_cmp="$before_mode $before_mode_user_group"
+ after_cmp="$mode $owner $group"
+
+ before="$before_cmp $path"
+ after="$after_cmp $path"
+ else
+ before="$(ls -dl "$path" 2>&1 || true)"
+ install -m "$mode" -o "$owner" -g "$group" -d "$path"
+ after="$(ls -dl "$path" 2>&1)"
+
+ before_cmp="$(echo "$before" | awk '{ print $1 " " $2 " " $3 " " $4 }')"
+ after_cmp="$(echo "$after" | awk '{ print $1 " " $2 " " $3 " " $4 }')"
+ fi
+
+ changed=''
+ if [ "$before_cmp" != "$after_cmp" ]; then
+ changed='YES'
+ fi
+
+ if [ "$changed" = 'YES' ]; then
+ echo '==='
+ echo "$before"
+ echo "$after"
+ fi
+}
diff --git a/script/install_file.sh b/script/install_file.sh
new file mode 100644
index 0000000..71ff624
--- /dev/null
+++ b/script/install_file.sh
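Review bot: `install -m ... -o ... -g ... -d "$path"` runs as root via doas and, on an existing path, appears to apply the chown/chmod through a symbolic link, so if one of the directories in files.sh has been replaced by a link — by an earlier mistake, or by the git account in a tree it owns such as /home/git or /var/www/git — the ownership change lands on the link's target. A guard before the install keeps the operation on the literal path: `if [ -L "$path" ]; then echo "refusing symlink: $path" >&2; return 1; fi`. The dry-run branch's octal-mode extraction via `${before_mode_stat%????}` could also carry a one-line comment saying it keeps the low four digits of `stat -f '%p'` so it compares against the `0755`-style argument, since that is not obvious on first read.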
@@ -0,0 +1,55 @@
+install_file() {
+ mode="$1"
+ owner="$2"
+ group="$3"
+ path="$4"
+
+ if [ "$DRY" = 'YES' ]; then
+ before_mode_stat="$(stat -f '%p' "$path" 2>/dev/null || echo '????')"
+ before_mode_prefix="${before_mode_stat%????}"
+ before_mode="${before_mode_stat#"$before_mode_prefix"}"
+ before_mode_user_group="$(stat -f '%Su %Sg' "$path" 2>/dev/null || echo '???? ????')"
+
+ before_cmp="$before_mode $before_mode_user_group"
+ after_cmp="$mode $owner $group"
+
+ before="$before_cmp $path"
+ after="$after_cmp $path"
+
+ old="$path"
+ new="$REPO$path"
+ else
+ before="$(ls -dl "$path" 2>&1 || true)"
+ install -b -m "$mode" -o "$owner" -g "$group" "$REPO$path" "$path"
+ after="$(ls -dl "$path" 2>&1)"
+
+ before_cmp="$(echo "$before" | awk '{ print $1 " " $2 " " $3 " " $4 }')"
+ after_cmp="$(echo "$after" | awk '{ print $1 " " $2 " " $3 " " $4 }')"
+
+ old="$path.old"
+ new="$path"
+ fi
+
+ changed=''
+ diffed=''
+ if [ "$before_cmp" != "$after_cmp" ]; then
+ changed='YES'
+ fi
+ if [ -f "$old" ]; then
+ if ! diff "$old" "$new" >/dev/null 2>/dev/null; then
+ changed='YES'
+ diffed='YES'
+ fi
+ fi
+
+ if [ "$changed" = 'YES' ]; then
+ echo '==='
+ echo "$before"
+ echo "$after"
+
+ if [ "$diffed" = 'YES' ]; then
+ echo '---'
+ diff "$old" "$new" || true
+ fi
+ fi
+}
diff --git a/var/www/conf/cgitrc b/var/www/conf/cgitrc
new file mode 100644
index 0000000..ff361cb
--- /dev/null
+++ b/var/www/conf/cgitrc
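Review bot: `install -b` without `-S` unlinks the destination before copying, so each deploy has a window where /etc/doas.conf or /etc/ssh/sshd_config is absent or half-written; a doas(1) call in that window fails closed, but a crash mid-copy leaves a truncated config in place with only the `.old` backup to recover from. OpenBSD's install(1) has `-S` (safe copy: write a temporary file, then rename), so `install -S -b -m "$mode" -o "$owner" -g "$group" "$REPO$path" "$path"` makes the replacement atomic at no cost. Note also that `diff "$old" "$new"` prints full old and new contents to the terminal; fine for the files currently in files.sh, but it would echo secrets if a key or password file were ever added, so a comment warning future editors is worth a line.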
@@ -0,0 +1,46 @@
+#favicon=/favicon.ico
+#logo=/cgit.jpg
+#root-title=git.maddaat.org
+#root-desc=XXXXX
+
+mimetype-file=/usr/share/misc/mime.types
+snapshots=all
+
+enable-blame=1
+enable-commit-graph=0
+enable-http-clone=1
+enable-index-links=0
+enable-index-owner=0
+enable-log-filecount=1
+enable-log-linecount=1
+enable-remote-branches=0
+enable-tree-linenumbers=1
+local-time=0
+noplainemail=0
+side-by-side-diffs=0
+
+branch-sort=name
+case-sensitive-sort=0
+commit-sort=
+repository-sort=name
+section-sort=1
+
+#cache-root=XXXXX
+cache-size=10000
+cache-static-ttl=-1
+# Minimal caches just to avoid DoS
+cache-about-ttl=1
+cache-dynamic-ttl=1
+cache-repo-ttl=1
+cache-root-ttl=1
+cache-scanrc-ttl=1
+cache-snapshot-ttl=1
+
+#enable-git-config=1
+enable-filter-overrides=0
+remove-suffix=1
+scan-hidden-path=0
+section-from-path=-1
+
+#project-list=/git/projects.list
+scan-path=/git/repositories |
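Review bot: `scan-path=/git/repositories` with `project-list` commented out exposes every bare repository under the export — including gitolite-admin.git, whose keydir/ and conf/gitolite.conf reveal user names, public keys and access rules, and any repo gitolite.conf marks private — through the index, `enable-http-clone=1` and `snapshots=all`. Switch to the allow-list: have gitolite's 'gitweb' feature write a projects.list inside the exported tree, uncomment `project-list=/git/repositories/projects.list` here, and grant `R = gitweb` only to repos meant to be public. `cache-root` is also left at cgit's compiled-in default, which must exist inside the httpd chroot and be writable by www for the `cache-*-ttl=1` lines to do anything; files.sh does not create it, so confirm the cgit package does, otherwise the "avoid DoS" caching is silently off.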
