opendev/puppet-cgit
Code Issues Proposed changes

Only include selinux bits on rhel-based systems

Browse Source 
The gate-config-puppet-apply test will try to run everything on a
bare-precise node, so even though this doesn't occur in production it is
being tested.

Change-Id: I13b03a7476e30cbb26dc820bb4cf5b56c4018669
This commit is contained in:
K Jonathan Harker 2014-05-28 17:39:59 -07:00
parent 763efb0dc0
commit b5b27ec5b2
2 changed files with 70 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
manifests/init.pp
View File

@ -29,8 +29,23 @@ class cgit(
$behind_proxy = false,
) {
if $behind_proxy == true {
$http_port = 8080
$https_port = 4443
$daemon_port = 29418
}
else {
$http_port = 80
$https_port = 443
$daemon_port = 9418
}
include apache
if ($::osfamily == 'RedHat') {
include cgit::selinux
}
package { [
'cgit',
'git-daemon',
@ -68,54 +83,6 @@ class cgit(
require => User['cgit'],
}
exec { 'restorecon -R -v /var/lib/git':
path => '/sbin',
require => File['/var/lib/git'],
subscribe => File['/var/lib/git'],
refreshonly => true,
}
selboolean { 'httpd_enable_cgi':
persistent => true,
value => on
}
package { 'policycoreutils-python':
ensure => present,
}
if $behind_proxy == true {
$http_port = 8080
$https_port = 4443
$daemon_port = 29418
}
else {
$http_port = 80
$https_port = 443
$daemon_port = 9418
}
exec { 'cgit_allow_http_port':
# If we cannot add the rule modify the existing rule.
onlyif => "bash -c \'! semanage port -a -t http_port_t -p tcp ${http_port}\'",
command => "semanage port -m -t http_port_t -p tcp ${http_port}",
path => '/bin:/usr/sbin',
before => Service['httpd'],
require => Package['policycoreutils-python'],
subscribe => File['/etc/httpd/conf/httpd.conf'],
refreshonly => true,
}
exec { 'cgit_allow_https_port':
# If we cannot add the rule modify the existing rule.
onlyif => "bash -c \'! semanage port -a -t http_port_t -p tcp ${https_port}\'",
command => "semanage port -m -t http_port_t -p tcp ${https_port}",
path => '/bin:/usr/sbin',
require => Package['policycoreutils-python'],
subscribe => File['/etc/httpd/conf.d/ssl.conf'],
refreshonly => true,
}
apache::vhost { $vhost_name:
port => $https_port,
serveraliases => $serveraliases,

55
manifests/selinux.pp Normal file
View File

@ -0,0 +1,55 @@
# Copyright 2014 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Class: cgit::selinux
#
class cgit::selinux {
exec { 'restorecon -R -v /var/lib/git':
path => '/sbin',
require => File['/var/lib/git'],
subscribe => File['/var/lib/git'],
refreshonly => true,
}
selboolean { 'httpd_enable_cgi':
persistent => true,
value => on
}
package { 'policycoreutils-python':
ensure => present,
}
exec { 'cgit_allow_http_port':
# If we cannot add the rule modify the existing rule.
onlyif => "bash -c \'! semanage port -a -t http_port_t -p tcp ${::cgit::http_port}\'",
command => "semanage port -m -t http_port_t -p tcp ${::cgit::http_port}",
path => '/bin:/usr/sbin',
before => Service['httpd'],
require => Package['policycoreutils-python'],
subscribe => File['/etc/httpd/conf/httpd.conf'],
refreshonly => true,
}
exec { 'cgit_allow_https_port':
# If we cannot add the rule modify the existing rule.
onlyif => "bash -c \'! semanage port -a -t http_port_t -p tcp ${::cgit::https_port}\'",
command => "semanage port -m -t http_port_t -p tcp ${::cgit::https_port}",
path => '/bin:/usr/sbin',
require => Package['policycoreutils-python'],
subscribe => File['/etc/httpd/conf.d/ssl.conf'],
refreshonly => true,
}
}