From 49288d9356740ef46478cffc99bc28b88b2eeb40 Mon Sep 17 00:00:00 2001
From: Yolanda Robla
Date: Thu, 30 Apr 2015 16:51:22 +0200
Subject: [PATCH] Add cgit::ssh class to manage git over ssh

Class to configure ssh access to git repositories.

Co-Authored-By: K Jonathan Harker
Change-Id: I9bc857251b6ce119c6b6d6c9323f882327281466
---
 manifests/ssh.pp | 100 ++++++++++++++++++++++++++++++++++
 templates/authorized_keys.erb | 6 ++
 2 files changed, 106 insertions(+)
 create mode 100644 manifests/ssh.pp
 create mode 100644 templates/authorized_keys.erb

diff --git a/manifests/ssh.pp b/manifests/ssh.pp
new file mode 100644
index 0000000..4946f61
--- /dev/null
+++ b/manifests/ssh.pp
@@ -0,0 +1,100 @@
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Class: cgit::ssh
+#
+# This class enables clones from git repo using ssh protocol
+#
+# params:
+# user:
+# The user that will be used for git clone
+# group:
+# The group for the git user
+# manage_group:
+# If enabled, it will create the group for the git user
+# home:
+# The home directory of the git user
+# manage_home:
+# If enabled, it wil manage the home directory for the git user
+# target:
+# If set, it creates a symlink for the git directory
+# target_name:
+# If target is set, it defined the name of the source git directory
+# authorized_keys
+# Array with the list of keys that will be used for authorizing git
+# clones over ssh
+class cgit::ssh (
+ $user = 'git',
+ $group = 'git',
+ $manage_group = true,
+ $home = '/var/lib/git',
+ $manage_home = true,
+ $target = undef,
+ $target_name = 'repo',
+ $authorized_keys = [],
+) {
+
+ if $manage_home {
+ file { $home:
+ ensure => directory,
+ owner => $user,
+ group => $group,
+ mode => '0755',
+ require => User[$user],
+ }
+ }
+
+ if $target != undef {
+ # This should be a directory that contains bare repos
+ file { "${home}/${target_name}":
+ ensure => link,
+ target => $target,
+ require => File[$home],
+ }
+ }
+
+ if ($manage_group) and (! 
defined(Group[$group])) {
+ group { $group:
+ ensure => present,
+ }
+ }
+
+ user { $user:
+ ensure => present,
+ shell => '/usr/bin/git-shell',
+ gid => $group,
+ home => $home,
+ managehome => true,
+ require => Group[$group],
+ }
+
+ $ssh_dir = "${home}/.ssh"
+ file { $ssh_dir:
+ ensure => directory,
+ owner => $user,
+ mode => '0750',
+ }
+
+ $auth_file = "${ssh_dir}/authorized_keys"
+ file { $auth_file:
+ ensure => present,
+ owner => $user,
+ mode => '0640',
+ content => template('cgit/authorized_keys.erb'),
+ require => [
+ File[$ssh_dir],
+ User[$user],
+ ],
+ }
+}
diff --git a/templates/authorized_keys.erb b/templates/authorized_keys.erb
new file mode 100644
index 0000000..a271ea8
--- /dev/null
+++ b/templates/authorized_keys.erb
@@ -0,0 +1,6 @@
+# This file contains a list of authorized ssh keys for read-only access to git
+# The list should be kept to a minimum
+# Each key should have a descriptive comment field including points of contact
+<% @authorized_keys.each do |authorized_key| -%>
+<%= authorized_key %>
+<% end -%>
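Review bot: `shell => '/usr/bin/git-shell'` on the `user { $user: ... }` resource does not by itself give the "read-only access" the authorized_keys template comment promises — git-shell also serves git-receive-pack, so every listed key can push to any bare repo under `$target` that `$user` can write to. If read-only is the intent, the class header should state the assumption, e.g. `# Note: git-shell allows pushes as well as clones; keep the bare repos under $target non-writable by $user`. Separately, `file { $ssh_dir: ... }` sets `owner => $user` but no `group`, so `.ssh` is created with whatever group the agent defaults to while `mode => '0750'` grants that group read access; adding `group => $group,` after `owner => $user,` keeps it consistent with the `$home` resource. The `! defined(Group[$group])` guard is parse-order dependent and may still produce a duplicate Group declaration when another class declares it later in the catalog.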
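Review bot: `<% @authorized_keys.each do |authorized_key| -%>` fails at catalog compile time with NoMethodError when a caller passes a single key as a string rather than an array (String has no `each` on Ruby 1.9 and later); `<% Array(@authorized_keys).each do |authorized_key| -%>` accepts nil, a single string or an array with the same output for arrays. Each entry is written verbatim by `<%= authorized_key %>`, so any option prefix that constrains a key (for example `no-pty,no-port-forwarding`) has to be part of the entry supplied by the caller; the header comment could say so, e.g. `# Entries are written as given; key options, if any, must be included in the entry`.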