From 1a64deeb894dc95e2645a75771732c6cc53a79ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Wed, 4 Oct 2023 01:35:06 +0200
Subject: Squash changes containing private information

There were a lot of changes since the previous commit, but a lot of them contained personnal information about users. All thos changes got stashed into a single commit (history is kept in a different place) and private information was moved in a separate private repository
---
systems/eldiron/gitolite/default.nix | 127 +++++++++++++++++++++++
systems/eldiron/gitolite/gitolite_ldap_groups.sh | 15 +++
systems/eldiron/gitolite/ldap_gitolite.sh | 28 +++++
3 files changed, 170 insertions(+)
create mode 100644 systems/eldiron/gitolite/default.nix
create mode 100755 systems/eldiron/gitolite/gitolite_ldap_groups.sh
create mode 100644 systems/eldiron/gitolite/ldap_gitolite.sh
(limited to 'systems/eldiron/gitolite')

diff --git a/systems/eldiron/gitolite/default.nix b/systems/eldiron/gitolite/default.nix
new file mode 100644
index 0000000..1885234
--- /dev/null
+++ b/systems/eldiron/gitolite/default.nix
@@ -0,0 +1,127 @@
+{ lib, pkgs, config, ... }:
+let
+ cfg = config.myServices.gitolite;
+in {
+ options.myServices.gitolite = {
+ enable = lib.mkEnableOption "my gitolite service";
+ gitoliteDir = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/gitolite";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ myServices.dns.zones."immae.eu".subdomains.git =
+ with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
+
+ myServices.chatonsProperties.services.gitolite = {
+ file.datetime = "2022-08-21T10:01:00";
+ service = {
+ name = "Gitolite";
+ description = "Gitolite allows you to setup git hosting on a central server, with fine-grained access control and many more powerful features.";
+ website = "https://git.immae.eu";
+ logo = "https://git.immae.eu/cgit-css/favicon.ico";
+ status.level = "OK";
+ status.description = "OK";
+ registration."" = ["MEMBER" "CLIENT"];
+ registration.load = "OPEN";
+ install.type = "PACKAGE";
+ guide.user = "https://www.immae.eu/docs/forge-logicielle.html";
+ };
+ software = {
+ name = "Gitolite";
+ website = "https://gitolite.com/gitolite/";
+ license.url = "https://github.com/sitaramc/gitolite/blob/master/COPYING";
+ license.name = "GNU General Public License v2.0";
+ version = pkgs.gitolite.version;
+ source.url = "https://github.com/sitaramc/gitolite";
+ };
+ };
+ myServices.ssh.modules.gitolite = {
+ snippet = builtins.readFile ./ldap_gitolite.sh;
+ dependencies = [ pkgs.gitolite ];
+ vars.ldap_group = "cn=users,cn=gitolite,ou=services,dc=immae,dc=eu";
+ vars.shell_path = "${pkgs.gitolite}/bin/gitolite-shell";
+ vars.services = let
+ toLine = login: key: ''command="${pkgs.gitolite}/bin/gitolite-shell ${login}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ${key}'';
+ in builtins.concatStringsSep "\n" [
+ (toLine "naemon" config.myEnv.monitoring.ssh_public_key)
+ (toLine "buildbot" config.myEnv.buildbot.ssh_key.public)
+ ];
+ };
+ networking.firewall.allowedTCPPorts = [ 9418 ];
+
+ secrets.keys."gitolite/ldap_password" = {
+ user = "gitolite";
+ group = "gitolite";
+ permissions = "0400";
+ text = config.myEnv.tools.gitolite.ldap.password;
+ };
+
+ services.gitDaemon = {
+ enable = true;
+ user = "gitolite";
+ group = "gitolite";
+ basePath = "${cfg.gitoliteDir}/repositories";
+ };
+
+ system.activationScripts.gitolite = let
+ deps = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
+ gitolite_ldap_groups = pkgs.runCommand "gitolite_ldap_groups.sh" {
+ buildInputs = [ pkgs.makeWrapper ];
+ } ''
+ makeWrapper "${./gitolite_ldap_groups.sh}" "$out" \
+ --prefix PATH : ${lib.makeBinPath deps} \
+ --set LDAP_PASS_PATH ${config.secrets.fullPaths."gitolite/ldap_password"}
+ '';
+ in {
+ deps = [ "users" ];
+ text = ''
+ if [ -d ${cfg.gitoliteDir} ]; then
+ ln -sf ${gitolite_ldap_groups} ${cfg.gitoliteDir}/gitolite_ldap_groups.sh
+ chmod g+rx ${cfg.gitoliteDir}
+ fi
+ if [ -f ${cfg.gitoliteDir}/projects.list ]; then
+ chmod g+r ${cfg.gitoliteDir}/projects.list
+ fi
+ '';
+ };
+
+ users.users.wwwrun.extraGroups = [ "gitolite" ];
+ users.users.gitolite.extraGroups = [ "keys" ];
+
+ users.users.gitolite.packages = let
+ python-packages = python-packages: with python-packages; [
+ simplejson
+ apprise
+ sleekxmpp
+ urllib3
+ pyyaml
+ ];
+ in
+ [
+ # For some reason it absolutely wants to include "doc" output
+ ((pkgs.python39.withPackages python-packages) // { doc = ""; })
+ pkgs.nettools
+ pkgs.findutils
+ ];
+ # Installation: https://git.immae.eu/mantisbt/view.php?id=93
+ services.gitolite = {
+ enable = true;
+ adminPubkey = config.myEnv.sshd.rootKeys.immae_dilion;
+ };
+ myServices.monitoring.fromMasterActivatedPlugins = [ "git" ];
+ myServices.monitoring.fromMasterObjects.service = [
+ {
+ service_description = "gitolite is working";
+ host_name = config.hostEnv.fqdn;
+ use = "external-web-service";
+ check_command = "check_git";
+
+ servicegroups = "webstatus-remote-services";
+ _webstatus_name = "Git";
+ _webstatus_url = "git.immae.eu";
+ }
+ ];
+ };
+}
diff --git a/systems/eldiron/gitolite/gitolite_ldap_groups.sh b/systems/eldiron/gitolite/gitolite_ldap_groups.sh
new file mode 100755
index 0000000..ffa2dab
--- /dev/null
+++ b/systems/eldiron/gitolite/gitolite_ldap_groups.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+uid_param="$1"
+ldap_host="ldap://ldap.immae.eu"
+ldap_binddn="cn=gitolite,ou=services,dc=immae,dc=eu"
+ldap_bindpw="$(cat $LDAP_PASS_PATH)"
+ldap_searchbase="dc=immae,dc=eu"
+ldap_scope="subtree"
+
+ldap_options="-H ${ldap_host} -ZZ -x -D ${ldap_binddn} -w ${ldap_bindpw} -b ${ldap_searchbase} -s ${ldap_scope}"
+
+ldap_filter="(&(memberOf=cn=groups,cn=gitolite,ou=services,dc=immae,dc=eu)(|(member=uid=${uid_param},ou=users,dc=immae,dc=eu)(member=uid=${uid_param},ou=group_users,dc=immae,dc=eu)))"
+ldap_result=$(ldapsearch ${ldap_options} -LLL "${ldap_filter}" cn | grep 'cn:' | cut -d' ' -f2)
+
+echo "$ldap_result"
diff --git a/systems/eldiron/gitolite/ldap_gitolite.sh b/systems/eldiron/gitolite/ldap_gitolite.sh
new file mode 100644
index 0000000..75a39bf
--- /dev/null
+++ b/systems/eldiron/gitolite/ldap_gitolite.sh
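Review bot: In the activation script, `chmod g+rx ${cfg.gitoliteDir}` makes the whole gitolite home listable by every member of the `gitolite` group — which, via `users.users.wwwrun.extraGroups = [ "gitolite" ]`, includes the web server — while the only paths the script itself deals with are the symlinked `gitolite_ldap_groups.sh`, `repositories` (as `services.gitDaemon.basePath`) and `projects.list`. If the web side only needs to reach those, traversal is enough for the directory itself, `chmod g+x ${cfg.gitoliteDir}`, with read granted on the specific paths as the `projects.list` line already does; whether anything else under that directory (presumably gitolite's own state) should stay hidden from the group is worth confirming. The same lines interpolate `cfg.gitoliteDir`, declared as `lib.types.str`, unquoted into shell, so a value with whitespace would split the `ln -sf` and `chmod` arguments; `lib.escapeShellArg cfg.gitoliteDir` or declaring the option as `lib.types.path` avoids that. A one-line comment above `text = ''` stating which consumer the group permissions exist for would make the intent reviewable next time the script changes.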
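Review bot: `ldap_options` passes the bind password read from `$LDAP_PASS_PATH` as a `-w` argument, so for the duration of every `ldapsearch` call it is visible to any local user through `ps` or `/proc/<pid>/cmdline`; ldapsearch's `-y <file>` reads it from the file instead (note that `-y` uses the file's complete contents, so the secret must be written without a trailing newline, otherwise the bind fails). The options string is also expanded unquoted, which breaks on any value containing whitespace; a bash array is the usual fix. Separately, `$1` is interpolated into `ldap_filter` verbatim inside `(member=uid=...)`, so a value containing `*`, `(`, `)` or `\` changes the filter's structure instead of being matched literally; escaping those characters per RFC 4515 before building the filter keeps the query shape fixed regardless of the argument. The rewritten middle of the script:
```shell
# … unchanged: uid_param, ldap_host, ldap_binddn, ldap_searchbase, ldap_scope …
# Escape RFC 4515 filter metacharacters so the argument cannot alter the filter structure.
uid_escaped=$(printf '%s' "$uid_param" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')
# -y reads the password from the file, keeping it out of the process arguments.
ldap_options=(-H "$ldap_host" -ZZ -x -D "$ldap_binddn" -y "$LDAP_PASS_PATH" -b "$ldap_searchbase" -s "$ldap_scope")
ldap_filter="(&(memberOf=cn=groups,cn=gitolite,ou=services,dc=immae,dc=eu)(|(member=uid=${uid_escaped},ou=users,dc=immae,dc=eu)(member=uid=${uid_escaped},ou=group_users,dc=immae,dc=eu)))"
ldap_result=$(ldapsearch "${ldap_options[@]}" -LLL "${ldap_filter}" cn | grep 'cn:' | cut -d' ' -f2)
# … unchanged: echo "$ldap_result" …
```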
@@ -0,0 +1,28 @@
+### This snippet is not standalone and must be integrated in the global ldap_authorized_keys.sh
+LDAP_GITOLITE_MEMBER="@gitolite_ldap_group@"
+GITOLITE_SHELL="@gitolite_shell_path@"
+
+if [[ $user == gitolite ]]; then
+ allowed_logins=$(LDAP_BASE=$USER_LDAP_BASE \
+ ldap_search '(memberOf='$LDAP_GITOLITE_MEMBER')' '' \
+ | grep ^dn \
+ | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
+ | paste -sd,)
+
+ psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'git' = ANY(usage) AND login IN ($allowed_logins);" | while IFS='|' read user key; do
+ if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then
+ # Capitalize first letter (backward compatibility)
+ user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user")
+ fi
+ if [ ! -z "$key" ]; then
+ if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+ echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
+ echo $key
+ fi
+ fi
+ done
+cat <