Diffstat (limited to 'terraform/provision')
-rwxr-xr-x | terraform/provision/provision | 81 | ||||
-rw-r--r-- | terraform/provision/rootfs/etc/apt/apt.conf.d/20auto-upgrades | 2 | ||||
-rw-r--r-- | terraform/provision/rootfs/etc/cgitrc.d/crashbox | 63 | ||||
-rw-r--r-- | terraform/provision/rootfs/etc/gh-mirror | 4 | ||||
-rw-r--r-- | terraform/provision/rootfs/etc/nginx/conf.d/ssl.conf | 15 | ||||
-rw-r--r-- | terraform/provision/rootfs/etc/nginx/sites-enabled/default.conf | 9 | ||||
-rw-r--r-- | terraform/provision/rootfs/etc/nginx/sites-enabled/git.conf | 33 | ||||
-rw-r--r-- | terraform/provision/rootfs/etc/nginx/sites-enabled/ip.conf | 13 | ||||
-rwxr-xr-x | terraform/provision/rootfs/usr/bin/gh-mirror | 59 | ||||
-rwxr-xr-x | terraform/provision/rootfs/usr/bin/gh-mirror-all | 7 | ||||
-rw-r--r-- | terraform/provision/rootfs/var/lib/git/www/about.md | 5 | ||||
-rw-r--r-- | terraform/provision/rootfs/var/lib/git/www/crashbox.svg | 84 | ||||
-rw-r--r-- | terraform/provision/rootfs/var/lib/git/www/instagram.png | bin | 0 -> 44502 bytes |
13 files changed, 375 insertions, 0 deletions
diff --git a/terraform/provision/provision b/terraform/provision/provision
new file mode 100755
index 0000000..3a32a63
--- /dev/null
+++ b/terraform/provision/provision
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+panic() {
+ echo "$1" >&2
+ echo "Aborting."
+ exit 1
+}
+
+[[ $1 == "--force" ]] || panic "Must be run with --force"
+[[ $(id --user) -eq 0 ]] || panic "This script must be run as root."
+
+log() {
+ echo "provision: $1" >&2
+}
+
+log "install and configure most essential packages"
+apt-get update --quiet=2
+apt-get install --yes --quiet=2 ufw
+ufw allow 22/tcp
+ufw default deny
+ufw --force enable
+
+log "install service packages"
+apt-get install --yes --quiet=2 \
+ adduser \
+ apt-listchanges \
+ ca-certificates \
+ cgit \
+ curl \
+ fcgiwrap \
+ git-core \
+ jq \
+ nginx \
+ openssl \
+ python3-markdown \
+ python3-pygments \
+ rsync \
+ ssl-cert \
+ sudo \
+ ufw \
+ unattended-upgrades \
+ wget
+
+log "copy package configurations"
+rsync -r /usr/local/share/provision/rootfs/ /
+
+log "ensure certificate bundle exists"
+# the ceritifcate bundle should be provisioned by terraform, however
+# for testing purposes (such as in a vm) this copies the default
+# "snakeoil" test certificates to the appropriate locations if they do
+# not already exist
+if [[ ! -r /etc/ssl/private/server.key.pem ]] \
+ || [[ ! -r /etc/ssl/server.cert.pem ]] \
+ || [[ ! -r /etc/ssl/issuer.cert.pem ]]; then
+ ln -f -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/server.key.pem
+ ln -f -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/server.cert.pem
+ ln -f -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/issuer.cert.pem
+ log "WARNING: no certificates found, falling back to snakeoil certificates!"
+fi
+
+log "configure nginx"
+rm -r /etc/nginx/sites-enabled/default
+usermod --append --groups ssl-cert www-data
+ufw allow 80/tcp
+ufw allow 443/tcp
+
+log "configure git"
+adduser --group --system --home /var/lib/git git
+mkdir -p /srv/git
+chown -R git:git /srv/git
+mkdir -p /var/lib/git/www/
+ln -s /usr/share/cgit/cgit.css /var/lib/git/www/cgit.css
+ln -s /usr/share/cgit/robots.txt /var/lib/git/www/robots.txt
+
+log "configure shell accounts"
+adduser --uid 1000 --disabled-password --gecos "" jodersky
+
+log "restart services"
+systemctl restart nginx
+
+log "configuration complete!"
diff --git a/terraform/provision/rootfs/etc/apt/apt.conf.d/20auto-upgrades b/terraform/provision/rootfs/etc/apt/apt.conf.d/20auto-upgrades
new file mode 100644
index 0000000..8d6d7c8
--- /dev/null
+++ b/terraform/provision/rootfs/etc/apt/apt.conf.d/20auto-upgrades
@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/terraform/provision/rootfs/etc/cgitrc.d/crashbox b/terraform/provision/rootfs/etc/cgitrc.d/crashbox
new file mode 100644
index 0000000..fdafab6
--- /dev/null
+++ b/terraform/provision/rootfs/etc/cgitrc.d/crashbox
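Review bot: Nothing stops the script when a step fails: there is no `set -o errexit`, so a failed `apt-get install` or `rsync` is followed by `usermod`, `ufw allow` and `systemctl restart nginx` against a half-provisioned host, and the run still ends with `log "configuration complete!"`. The sibling `gh-mirror` in this commit uses `set -o errexit`; the same line after the shebang would make the `panic` preconditions meaningful for the whole run, but it also exposes that the script is not re-runnable (the two `ln -s` lines under "configure git" lack the `-f` the certificate block already uses, and `adduser` exits non-zero for an existing user), so either guard those or at least append `|| panic "..."` to the `apt-get` and `rsync` lines. `rsync -r` without `-p` also leaves the mode bits of the files written under `/etc` and `/usr/bin` subject to the receiving umask rather than the source tree's; `rsync -a` is the usual choice for a rootfs overlay.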
@@ -0,0 +1,63 @@
+#
+# cgit config
+# see cgitrc(5) for details
+#
+# https://git.zx2c4.com/cgit/tree/cgitrc.5.txt
+
+favicon=/crashbox.svg
+logo=/crashbox.svg
+root-title=git.crashbox.io
+root-desc=Git repositories hosted at crashbox.io
+root-readme=/var/lib/git/www/about.md
+clone-url=https://git.crashbox.io/$CGIT_REPO_URL
+
+## List of common mimetypes
+mimetype.gif=image/gif
+mimetype.html=text/html
+mimetype.jpg=image/jpeg
+mimetype.jpeg=image/jpeg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+mimetype-file=/etc/mime.types
+
+# Don't show owner on index page
+enable-index-owner=0
+
+# Enable blame page and create links to it from tree page
+enable-blame=1
+
+# Enable ASCII art commit history graph on the log pages
+enable-commit-graph=1
+
+# Show extra links for each repository on the index page
+enable-index-links=1
+
+# Show number of affected files per commit on the log pages
+enable-log-filecount=1
+
+# Show number of added/removed lines per commit on the log pages
+enable-log-linecount=1
+
+# Allow download of tar.gz, tar.bz2 and zip-files
+snapshots=tar.gz tar.bz2 zip
+
+# Highlight code
+source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
+
+# Format "about" files such as markdown readmes
+about-filter=/usr/lib/cgit/filters/about-formatting.sh
+readme=master:README.md
+
+# nginx handles negotiating git clones
+enable-http-clone=0
+
+section-from-path=-1
+
+# Remove ".git" suffix in listings
+remove-suffix=1
+
+# Base URL
+virtual-root=/
+
+scan-path=/srv/git
diff --git a/terraform/provision/rootfs/etc/gh-mirror b/terraform/provision/rootfs/etc/gh-mirror
new file mode 100644
index 0000000..4fc987b
--- /dev/null
+++ b/terraform/provision/rootfs/etc/gh-mirror
@@ -0,0 +1,4 @@
+users jodersky /srv/git/mirrors/github/jodersky
+orgs project-condor /srv/git/mirrors/github/project-condor
+orgs driver-oss /srv/git/mirrors/github/driver-oss
+orgs johnandjohn /srv/git/mirrors/github/johnandjohn
diff --git a/terraform/provision/rootfs/etc/nginx/conf.d/ssl.conf b/terraform/provision/rootfs/etc/nginx/conf.d/ssl.conf
new file mode 100644
index 0000000..bb96ec7
--- /dev/null
+++ b/terraform/provision/rootfs/etc/nginx/conf.d/ssl.conf
@@ -0,0 +1,15 @@
+# The configuration below can be obtained with the Mozilla SSL
+# Configuration Generator at
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/
+
+ssl_certificate /etc/ssl/server.cert.pem;
+ssl_certificate_key /etc/ssl/private/server.key.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/issuer.cert.pem;
diff --git a/terraform/provision/rootfs/etc/nginx/sites-enabled/default.conf b/terraform/provision/rootfs/etc/nginx/sites-enabled/default.conf
new file mode 100644
index 0000000..e10725d
--- /dev/null
+++ b/terraform/provision/rootfs/etc/nginx/sites-enabled/default.conf
@@ -0,0 +1,9 @@
+# Default catch-all configuration, applied when no other configuration matches
+server {
+ server_name _;
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # close the connection without sending a response
+ return 444;
+}
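Review bot: `ssl.conf` pins the cipher list but not the protocol versions: there is no `ssl_protocols` directive, so the TLS versions accepted are whatever the installed nginx defaults to, which depending on the version may still include TLSv1 and TLSv1.1. The Mozilla generator output that the header comment refers to emits `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` next to the cipher list; adding those two lines after `ssl_session_tickets off;` makes the file match its own description. Note also that with the snakeoil fallback in `provision`, `ssl_stapling_verify on` is pointed at a self-signed `issuer.cert.pem`; that should only produce stapling warnings in the error log, but it is worth a one-line comment here so the warnings are not chased as a bug.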
\ No newline at end of file
diff --git a/terraform/provision/rootfs/etc/nginx/sites-enabled/git.conf b/terraform/provision/rootfs/etc/nginx/sites-enabled/git.conf
new file mode 100644
index 0000000..7210dbc
--- /dev/null
+++ b/terraform/provision/rootfs/etc/nginx/sites-enabled/git.conf
@@ -0,0 +1,33 @@
+server {
+ server_name git.*;
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ root /var/lib/git/www;
+
+ # requests that should to go to git-http-backend
+ location ~ ^.*/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
+ root /srv/git;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /srv/git;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
+ fastcgi_param CGIT_CONFIG /etc/cgitrc.d/crashbox;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+ location / {
+ try_files $uri @cgit;
+ }
+
+}
diff --git a/terraform/provision/rootfs/etc/nginx/sites-enabled/ip.conf b/terraform/provision/rootfs/etc/nginx/sites-enabled/ip.conf
new file mode 100644
index 0000000..2f3ab1e
--- /dev/null
+++ b/terraform/provision/rootfs/etc/nginx/sites-enabled/ip.conf
@@ -0,0 +1,13 @@
+# Echo remote IP address
+# https://michael.lustfield.net/nginx/simple-ip-echo
+server {
+ server_name ip.*;
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ location = / {
+ default_type text/plain;
+ echo $remote_addr;
+ }
+}
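Review bot: The catch-all in `default.conf` only claims `default_server` on port 80, so an HTTPS request with an unknown or absent SNI name is not dropped: nginx hands it to the first server block listening on 443, which by file name order in `sites-enabled` is `git.conf`. That serves the git site under any hostname or the bare IP and contradicts the comment "applied when no other configuration matches". Adding `listen 443 ssl default_server;` and `listen [::]:443 ssl default_server;` to this block closes the gap; the certificate and key come from `conf.d/ssl.conf` at `http` scope, so the handshake completes and `return 444` applies as intended.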
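Review bot: The regex location in `git.conf` also routes `git-receive-pack` to `git-http-backend`, and nothing in front of it authenticates, so push being rejected relies on git-http-backend's default of refusing receive-pack when `REMOTE_USER` is unset and `http.receivepack` is not enabled in a repository. That is the right outcome for a mirror host, but the dependency is invisible; a comment above the location, `# receive-pack is matched on purpose: git-http-backend refuses anonymous push unless http.receivepack is set in a repo, so keep it unset`, records it. Separately, the block serves identical content on `listen 80` with no redirect, while the cgit `clone-url` in this commit is https-only; a separate port-80 server block with `return 301 https://$host$request_uri;` would match that intent, unless plain-HTTP clones are wanted.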
\ No newline at end of file
diff --git a/terraform/provision/rootfs/usr/bin/gh-mirror b/terraform/provision/rootfs/usr/bin/gh-mirror
new file mode 100755
index 0000000..54985cb
--- /dev/null
+++ b/terraform/provision/rootfs/usr/bin/gh-mirror
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Mirror repositories from GitHub
+#
+# Arguments: (users|orgs) <name> <output_directory>
+#
+# Clones (or updates) all repositories of a GitHub user or
+# organization. Repositories are created as children of the given
+# output directory.
+#
+# Example:
+# gh-mirror users jodersky mirrors/github/jodersky
+#
+# This script uses GitHub's API, version 3
+# https://developer.github.com/v3/repos/#list-user-repositories
+set -o errexit
+
+account_type="$1"
+account_name="$2"
+out_dir="${3:-.}"
+mkdir -p "$out_dir"
+
+if [[ -z $account_type ]] || [[ -z $account_name ]]; then
+ echo "Usage: (users|orgs) <name> <output_directory>" >&2
+ exit 1
+fi
+
+tmp="$(mktemp /tmp/mirror-XXXXXXXXXXXX)"
+url="https://api.github.com/$account_type/$account_name/repos?per_page=100"
+
+function finish {
+ echo "An error was encountered." >&2
+ echo "curl headers are saved in $tmp" >&2
+}
+trap finish ERR
+
+while [[ ! -z "$url" ]]; do
+ echo "Fetching $url..." >&2
+
+ mapfile -t repo_data < <(curl --dump-header "$tmp" "$url" | jq --compact-output '.[]')
+ url="$(< "$tmp" grep Link | grep -oE "[a-zA-Z0-9:/?=.&_]*>; rel=.next" | cut -d'>' -f1)"
+
+ for repo in "${repo_data[@]}"; do
+ clone_url="$(echo "$repo" | jq -r .clone_url)"
+ project="$(basename "$clone_url")"
+ description=$(echo "$repo" | jq -r .description)
+
+ git_dir="$out_dir/$project"
+
+ if [ -d "$git_dir" ]; then
+ echo "updating $project" >&2
+ git -C "$git_dir" fetch --prune
+ else
+ echo "mirroring new $project" >&2
+ git clone --mirror "$clone_url" "$git_dir"
+ fi
+ echo "$description" > "$git_dir/description"
+ done
+done
+rm "$tmp"
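Review bot: `echo $remote_addr;` in `ip.conf` is a directive of the third-party ngx_http_echo module, not of core nginx; unless the nginx flavour that `apt-get install nginx` in `provision` pulls in ships that module, nginx refuses to start with an unknown-directive error, and because `provision` has no errexit the failure only surfaces at `systemctl restart nginx`. Core nginx can do the same with `return 200 $remote_addr;` in place of the `echo` line, keeping `default_type text/plain;`, at the cost of the trailing newline. Worth confirming the module is actually present before relying on it.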
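Review bot: The `curl` in `mapfile -t repo_data < <(curl --dump-header "$tmp" "$url" | jq --compact-output '.[]')` runs without `--fail`, and a non-zero exit inside the process substitution never reaches `mapfile` anyway, so an API error response (rate limit, unknown account, wrong account type) is processed like a page of repositories: the error object goes through `jq '.[]'`, and the run either stops with a confusing jq error on `jq -r .clone_url` or, if the body is empty, ends silently as a success with nothing mirrored. Capturing the body first makes errexit and the `ERR` trap see the HTTP status: `page="$(curl --fail --silent --show-error --dump-header "$tmp" "$url")"` followed by `mapfile -t repo_data < <(jq --compact-output '.[]' <<< "$page")`. Also, `mkdir -p "$out_dir"` runs before the usage check, so a bad invocation still creates the directory; moving the check above it is a one-line reorder.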
diff --git a/terraform/provision/rootfs/usr/bin/gh-mirror-all b/terraform/provision/rootfs/usr/bin/gh-mirror-all
new file mode 100755
index 0000000..fa9054f
--- /dev/null
+++ b/terraform/provision/rootfs/usr/bin/gh-mirror-all
@@ -0,0 +1,7 @@
+#!/bin/bash
+mapfile -t lines < /etc/gh-mirror
+
+for line in "${lines[@]}"; do
+ read -r type name dir <<< "$line"
+ gh-mirror "$type" "$name" "$dir"
+done
diff --git a/terraform/provision/rootfs/var/lib/git/www/about.md b/terraform/provision/rootfs/var/lib/git/www/about.md
new file mode 100644
index 0000000..55e68fa
--- /dev/null
+++ b/terraform/provision/rootfs/var/lib/git/www/about.md
@@ -0,0 +1,5 @@
+Tracking of various git repositories.
+
+![instagram](instagram.png)
+
+<https://xkcd.com/1150/>
diff --git a/terraform/provision/rootfs/var/lib/git/www/crashbox.svg b/terraform/provision/rootfs/var/lib/git/www/crashbox.svg
new file mode 100644
index 0000000..87ff69c
--- /dev/null
+++ b/terraform/provision/rootfs/var/lib/git/www/crashbox.svg
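Review bot: Every line of `/etc/gh-mirror` is passed to `gh-mirror` as-is, so a blank or commented line becomes a call with empty arguments; `gh-mirror` rejects that through its usage check, but only after its unconditional `mkdir -p`, and since this loop has no errexit it just moves on. A guard before the call, `[[ -z $type || $type == \#* ]] && continue`, keeps comments in the config possible and the log clean. Nothing in this commit schedules the script (no timer or cron entry is included), so how and as which user it runs is not visible here; if it is meant to run as `git`, the `chown -R git:git /srv/git` in `provision` already covers the mirror directories.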
@@ -0,0 +1,84 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<!-- Created with Inkscape (http://www.inkscape.org/) --> + +<svg + xmlns:dc="http://purl.org/dc/elements/1.1/" + xmlns:cc="http://creativecommons.org/ns#" + xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" + xmlns:svg="http://www.w3.org/2000/svg" + xmlns="http://www.w3.org/2000/svg" + xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" + xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" + width="64" + height="64" + viewBox="0 0 16.933333 16.933334" + version="1.1" + id="svg8" + inkscape:version="0.92.3 (2405546, 2018-03-11)" + sodipodi:docname="crashbox.svg" + inkscape:export-filename="/home/jodersky/.background.png" + inkscape:export-xdpi="96" + inkscape:export-ydpi="96"> + <defs + id="defs2" /> + <sodipodi:namedview + id="base" + pagecolor="#ffffff" + bordercolor="#666666" + borderopacity="1.0" + inkscape:pageopacity="0.0" + inkscape:pageshadow="2" + inkscape:zoom="8.1454544" + inkscape:cx="49.880572" + inkscape:cy="41.270535" + inkscape:document-units="mm" + inkscape:current-layer="layer1" + showgrid="false" + inkscape:snap-global="true" + inkscape:snap-bbox="true" + inkscape:bbox-nodes="true" + inkscape:object-paths="true" + inkscape:window-width="1920" + inkscape:window-height="1080" + inkscape:window-x="0" + inkscape:window-y="0" + inkscape:window-maximized="0" + inkscape:snap-bbox-edge-midpoints="true" + inkscape:snap-object-midpoints="true" + inkscape:snap-smooth-nodes="true" + units="px" + inkscape:snap-page="true" /> + <metadata + id="metadata5"> + <rdf:RDF> + <cc:Work + rdf:about=""> + <dc:format>image/svg+xml</dc:format> + <dc:type + rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> + <dc:title></dc:title> + </cc:Work> + </rdf:RDF> + </metadata> + <g + inkscape:label="Layer 1" + inkscape:groupmode="layer" + id="layer1" + transform="translate(0,-280.06665)"> + <g + id="g885" + 
transform="matrix(0,0.57000354,-0.57000354,0,156.29365,249.65986)" + style="fill:#cccccc"> + <path + id="path871" + d="m 53.344914,259.34398 c 0,-0.44557 7.040667,-12.63991 7.426581,-12.86269 0.385913,-0.22278 14.467808,-0.22279 14.853711,0 0.385913,0.22279 7.427142,12.41711 7.427142,12.86269 1e-5,0.44557 -7.041229,12.6399 -7.427142,12.86269 -0.385903,0.22279 -14.467798,0.22278 -14.853711,-10e-6 -0.385914,-0.22278 -7.426581,-12.41711 -7.426581,-12.86268 z m 0.938299,1e-5 c 0,0.41739 6.596177,11.84071 6.957712,12.0494 0.361535,0.20871 13.553877,0.20872 13.915412,0 0.361535,-0.20869 6.957712,-11.63201 6.957712,-12.04941 0,-0.4174 -6.596177,-11.84072 -6.957712,-12.04943 -0.361535,-0.20869 -13.553877,-0.2087 -13.915412,0 -0.361535,0.2087 -6.957712,11.63202 -6.957712,12.04944 z" + style="fill:#cccccc;fill-opacity:1;stroke:none;stroke-width:0.17204435;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + inkscape:connector-curvature="0" /> + <path + id="path873" + d="m 68.986516,259.38836 c 0,-0.34087 5.34873,-9.60935 5.70206,-9.88448 0.53173,0.60355 5.66767,9.50847 5.66765,9.84278 10e-6,0.3409 -5.35009,9.61103 -5.70248,9.88449 -0.53273,-0.60539 -5.66719,-9.50851 -5.66723,-9.84275 z" + style="fill:#cccccc;fill-opacity:1;stroke:none;stroke-width:0.15927917;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" + inkscape:connector-curvature="0" /> + </g> + </g> +</svg> diff --git a/terraform/provision/rootfs/var/lib/git/www/instagram.png b/terraform/provision/rootfs/var/lib/git/www/instagram.png Binary files differnew file mode 100644 index 0000000..dcaff14 --- /dev/null +++ b/terraform/provision/rootfs/var/lib/git/www/instagram.png |