From a5af8f9f5522d4a6b4dc04655c55d07b68e301e4 Mon Sep 17 00:00:00 2001
From: Jakob Meier <comcloudway@ccw.icu>
Date: Thu, 2 Nov 2023 20:32:13 +0100
Subject: [PATCH] Fixed git ssh/http(s) push and pull

---
 roles/git.sr.ht/tasks/main.yml  |  6 ++++++
 roles/git.sr.ht/tasks/nginx.yml |  6 ++++++
 roles/git.sr.ht/tasks/ssh.yml   | 35 +++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 roles/git.sr.ht/tasks/ssh.yml

diff --git a/roles/git.sr.ht/tasks/main.yml b/roles/git.sr.ht/tasks/main.yml
index 72cbec1..d67f61c 100644
--- a/roles/git.sr.ht/tasks/main.yml
+++ b/roles/git.sr.ht/tasks/main.yml
@@ -3,6 +3,9 @@
   community.general.apk:
     name:
       - git.sr.ht
+      - git-daemon
+      - openssh
+      - fcgiwrap
     state: latest
 
 - name: Setup /etc/hosts localhost redirect
@@ -13,6 +16,9 @@
 - name: Setup Database
   ansible.builtin.import_tasks: db.yml
 
+- name: Setup ssh daemon config
+  ansible.builtin.import_tasks: ssh.yml
+
 - name: Setup config & services
   ansible.builtin.import_tasks: config.yml
 
diff --git a/roles/git.sr.ht/tasks/nginx.yml b/roles/git.sr.ht/tasks/nginx.yml
index bffcb78..797ed01 100644
--- a/roles/git.sr.ht/tasks/nginx.yml
+++ b/roles/git.sr.ht/tasks/nginx.yml
@@ -5,6 +5,12 @@
     dest: /etc/nginx/http.d/git.sr.ht.conf
   register: nginxconf
 
+- name: Start & enable fcgiwrap
+  ansible.builtin.service:
+    name: fcgiwrap
+    state: started
+    enabled: true
+
 - name: Start & enable nginx
   ansible.builtin.service:
     name: nginx
diff --git a/roles/git.sr.ht/tasks/ssh.yml b/roles/git.sr.ht/tasks/ssh.yml
new file mode 100644
index 0000000..9612e28
--- /dev/null
+++ b/roles/git.sr.ht/tasks/ssh.yml
@@ -0,0 +1,35 @@
+---
+- name: Ensure ssh is installed
+  community.general.apk:
+    name:
+      - openssh
+    state: latest
+
+- name: Make sure ssh dispatch is properly setup
+  ansible.builtin.blockinfile:
+    path: /etc/ssh/sshd_config
+    marker: "#-- {mark} ANSIBLE git.sr.ht --#"
+    block: |
+      AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
+      AuthorizedKeysCommandUser=root
+      PermitUserEnvironment SRHT_*
+  register: sshdconf
+
+- name: Remove password protection from git account
+  ansible.builtin.user:
+    name: "git"
+    password: ""
+
+- name: Manually create shell log file
+  ansible.builtin.file:
+    path: /var/log/gitsrht-shell
+    owner: git
+    group: git
+    state: touch
+
+- name: Start & enable sshd
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+    enabled: true
+  when: sshdconf.changed
-- 
2.38.5