Commit message | Author | Age | Files | Lines
* Set enable-http-clone=0 to avoid Cgit vulnerability [HEAD] [master] | Pedro Alvarez | 2018-08-15 | 1 | -0/+2
|   More information at https://nvd.nist.gov/vuln/detail/CVE-2018-14912
* Ensure services don't start before /var is mounted | Sam Thursfield | 2016-02-22 | 3 | -0/+15
|   I hit a strange issue after upgrading git.baserock.org where the wrong cgit.css stylesheet was being served. Restarting the lighttpd-git service fixed it. I suspect this might be to do with the service starting before the /var subvolume is mounted. I can't exactly prove it but this change seems sensible in any case.
|   Change-Id: I535305da9ba6135851a38fd3d04c50876de99e21
* syntax-highlighting: Escape HTML special characters correctly | Sam Thursfield | 2016-02-19 | 1 | -7/+26
|   This fixes an issue where some .morph files wouldn't display correctly, because they'd contain a < character and the browser would think that this was a tag. I've added some docstrings as well.
|   Change-Id: I3c7252319a06cac04880f8b20596003fde531609
* Add hyperlink filter script and reference in cgitrc | Lauren Perry | 2016-02-19 | 2 | -0/+368
|   Change-Id: I6f2a8f173ee31f6ab652bbcd9b93306555ebf5c2
* lighttpd: Improve SSL configuration | Pedro Alvarez | 2016-01-26 | 1 | -0/+3
|   Change-Id: I65e3386d5aec31a8bb8a02191b15ecc38ee33f43
* lighttpd: Only require HTTPS authentication for Gitano URLs | Pedro Alvarez | 2016-01-26 | 1 | -13/+20
|   Previously the whole of git.baserock.org was effectively inaccessible over HTTPS, because it would require a username and password for all HTTPS requests. This was done to ensure that we don't make Trove "insecure by default" by allowing access to hidden repos over anonymous HTTPS.
|   Firstly, we only need to require auth for the actual Gitano URLs. The other ones (cgit, lc-status.html, releases) are identical over HTTP and HTTPS anyway, so there's no point in hiding them on one protocol but not the other.
|   Also, I have now verified that Gitano's CGI scripts authenticate based on the REMOTE_USER variable set by mod_auth, and if this isn't set they treat the request as anonymous and correctly deny any requests that the anonymous user doesn't have permissions for. This is noted in a comment.
|   The behaviour of Gitano-over-HTTPS in Trove should be completely unchanged by this commit, however.
|   Change-Id: Ie5dbc3bd3ab8d37ef3e5c08c9541c571944e1f58
* Redirect cgi-bin/cgit.cgi/ from urls, replace it with cgit/ | Lauren Perry | 2016-01-25 | 3 | -1/+17
|   This is much less typing and gives us neater URLs! The paths /baserock and /delta are also now specially redirected to /cgit/baserock and /cgit/delta, for the benefit of the extra-lazy.
|   Change-Id: I9cda805c0a6134fb91595bbf8f3e74668d745327
* Allow tags to be pushed to the trove's own namespace in mirrored repos | Sam Thursfield | 2015-11-19 | 2 | -3/+5
|   Previously, when Trove mirrored an upstream repo, it would allow users to push branches as long as they started with the trove-id. The intention is to keep local changes in a separate namespace that can co-exist with whatever branches the upstream repo has.
|   This patch extends this to tags, so that users can push tags to refs/tags/{{ trove-id}}/whatever.
|   This is necessary for the `morph anchor` command to work as expected when the 'ref' fields of some definitions point to tag objects. Git itself prevents pushing tags to 'refs/heads/...' so `morph anchor` must be configured to push them to 'refs/tags/...'. Without this patch, Gitano will prevent that as well, but with this patch, `morph anchor` should be usable.
|   Repos in the Trove's own prefix (such as the baserock/ repos on git.baserock.org, or the foo-trove/ repos on a Trove with trove ID 'foo-trove') are the only ones not considered to be mirrors, and users can already push branches and tags wherever they want to in these repos.
|   Change-Id: I06496ea6c5c57d3fae7e5750cf51e31bbd16d8d2
* Add .gitreview file | Pedro Alvarez | 2015-11-19 | 1 | -0/+5
|   Change-Id: I73131cfa5697d0da8a9aa38f9316721d6d8941f0
* lighttpd: Create handler for restarting services | Pedro Alvarez | 2015-11-19 | 2 | -19/+19
|   Change-Id: I193216280797e5453ab1606d6a8f83e27bd0a28e
* lighttpd: Format Ansible code | Pedro Alvarez | 2015-11-19 | 1 | -9/+28
|   Change-Id: I7c5561aeace4dc7ebdf4b86b3def8d8e64b9c217
* lighttpd: Add support for installing SSL certs | Pedro Alvarez | 2015-11-19 | 2 | -3/+26
|   Change-Id: I33c74dc19e5835c65740f483aae89a1e8e415f0c
* lighttpd: Remove unused variables | Pedro Alvarez | 2015-11-19 | 1 | -2/+1
|   Change-Id: Icef0a0a7ed2d34007ed96ef582d61a62d0e5d38e
* Make anon read access override project rules | Richard Ipsum | 2015-06-24 | 1 | -5/+6
|   Change-Id: Ica0b1412ef402eaf2474288d54f1471f655d31c5
* Stop using regex_replace in 'creates' arguments. | Pedro Alvarez | 2015-04-24 | 2 | -4/+8
|   Use the dict-form for the creates arguments, to avoid problems with string interpolations. This solved problems on a Trove with TROVE_ID 'baserock-clone', because it wasn't recognising the already existing repositories.
|   Change-Id: Ic613f732596aae9d81b0c17c8fd1e846d69f58db
* Merge branch 'sam/useless-settings' | Sam Thursfield | 2015-03-12 | 2 | -13/+0
|\
| | Reviewed-By: Pedro Alvarez <pedro.alvarez@codethink.co.uk>
| | Reviewed-By: Adam Coldrick <adam.coldrick@codethink.co.uk>
| * Remove lorry-controller settings that don't do anything | Sam Thursfield | 2015-03-11 | 2 | -13/+0
| |   These settings had a meaning for the old implementation of lorry-controller, but are ignored by the current implementation.
* | Merge branch 'baserock/pedroalvarez/systemd-v217' | Pedro Alvarez | 2015-02-12 | 1 | -1/+9
|\ \
| |/
|/|
| | Reviewed-By: Francisco Redondo Marchena <francisco.marchena@codethink.co.uk>
| | Reviewed-By: Sam Thursfield <sam.thursfield@codethink.co.uk>
| * Changes needed to work with versions of systemd >= v215 | Pedro Alvarez | 2015-02-12 | 1 | -1/+9
|/
|   The stderr string of the `systemctl enable` command has changed in the commit 749ebb2da4933de68bfaa4d6f6ffd9e4692ee547 of systemd. We use this string to trigger another Ansible task.
* Merge branch 'sam/remove-mason-hook' | Sam Thursfield | 2015-02-04 | 6 | -133/+1
|\
| | Reviewed-By: Paul Sherwood <paul.sherwood@codethink.co.uk>
| | Reviewed-By: Mike Smith <mike.smith@codethink.co.uk>
| * Remove all mention of Mason from trove-setup | Sam Thursfield | 2015-01-30 | 6 | -133/+1
|/
|   The Mason referred to here is the 1st version of the Mason continuous delivery tool. There have been no instances of this for two years. We have made two subsequent Mason implementations since then which don't require coupling in Trove in order to work.
|   As well as removing unneeded configuration, this will fix the misleading warning that users see on Git pushes:
|       remote: [git.baserock.org] Notifying Mason of changes...
|       remote: [git.baserock.org] Notification failed somehow
* Merge branch 'sam/fix-upgrade-from-old-lc' | Sam Thursfield | 2015-01-14 | 2 | -0/+24
|\
| | Reviewed-By: Pedro Alvarez <pedro.alvarez@codethink.co.uk>
| * Re-add remove-lorry-controller-from-lorry-crontab script | Sam Thursfield | 2015-01-14 | 2 | -0/+24
|/
|   This is still referenced in the trove-setup Ansible scripts, so it shouldn't have been removed.
* Merge branch 'baserock/pedroalvarez/old-jobs-removal' | Pedro Alvarez | 2014-10-23 | 1 | -0/+14
|\
| | Reviewed-by: Richard Maw
| | Reviewed-by: Pedro Alvarez
| * Enable Lorry Controller's new old job removal units [baserock/pedroalvarez/old-jobs-removal] | Lars Wirzenius | 2014-10-22 | 1 | -0/+14
|/
* Make http the default upstream protocol [baserock/richardipsum/default-upstream-proto-http] | Richard Ipsum | 2014-09-18 | 1 | -1/+1
|
* Merge branch 'baserock/pedroalvarez/allow-empty-upstream-trove3' | Pedro Alvarez | 2014-09-17 | 4 | -25/+24
|\
| | Reviewed-by: Richard Maw
| | Reviewed-by: Lars Wirzenius
| * Allow the configuration of troves without UPSTREAM_TROVE | Pedro Alvarez | 2014-09-17 | 4 | -25/+24
|/
|   Now UPSTREAM_TROVE is not mandatory to configure a Trove, and if the value is not set, then the configuration of the lorry controller (lorry-controller.conf) won't include any configuration for an upstream Trove.
* Merge branch 'baserock/liw/de-ghost' | Lars Wirzenius | 2014-09-08 | 1 | -0/+15
|\
| * Enable the lorry-controller-remove-ghost-jobs service / timer [baserock/liw/de-ghost] | Pedro Alvarez | 2014-09-08 | 1 | -0/+15
|/
* Merge remote-tracking branch 'origin/baserock/michaeldrake/mason-devel' | Richard Maw | 2014-08-05 | 2 | -1/+4
|\
| | Reviewed-by: Lars Wirzenius
| * Allow Trove mirroring protocol to be set at deployment time [baserock/michaeldrake/mason-devel] | Michael Drake | 2014-08-05 | 2 | -1/+4
|/
|   This allows downstream troves that only need to access publicly available content to be able to operate without configuring ssh keys on the upstream trove.
* Merge branch 'baserock/pedroalvarez/trove-ansible3' | Pedro Alvarez | 2014-07-14 | 63 | -343/+716
|\
| | Reviewed-by: Richard Maw
| | Reviewed-by: Lars Wirzenius
| * Update skel path of gitano | Pedro Alvarez | 2014-07-14 | 1 | -0/+1
| |
| * Install Ansible scripts and create a unit to run them | Pedro Alvarez | 2014-07-14 | 2 | -0/+18
| |
| * Add Ansible scripts | Pedro Alvarez | 2014-07-14 | 21 | -0/+640
| |
| * Add new resources needed to configure the lorry-controller | Pedro Alvarez | 2014-07-09 | 2 | -0/+18
| |   They were generated in trove.configure before.
| * Add 'Install' section to the units | Pedro Alvarez | 2014-07-09 | 3 | -0/+9
| |
| * Do not enable the units when installing. | Pedro Alvarez | 2014-07-07 | 1 | -3/+1
| |   They aren't eligible to be started until they are configured, and Ansible handles both the initial start, and configuring them to start automatically on next boot.
| * Change placeholders to jinja placeholders | Pedro Alvarez | 2014-06-27 | 14 | -28/+28
| |
| * Move template files from /etc to shares/trove-setup/etc | Pedro Alvarez | 2014-06-17 | 3 | -0/+0
| |
| * Move gitano skeleton to /usr/share/trove-setup/ | Pedro Alvarez | 2014-06-17 | 24 | -2/+0
| |
| * Remove old scripts and units | Pedro Alvarez | 2014-06-17 | 6 | -309/+0
|/
* Merge branch 'baserock/liw/new-lc-2' | Lars Wirzenius | 2014-04-23 | 6 | -46/+83
|\
| | Reviewed by Daniel and Richard on the mailing list, and further changes based on review feedback by Richard on IRC.
| | Reviewed-by: Richard Maw
| | Reviewed-by: Daniel Silverstone
| * Make lorry log to stdout [baserock/liw/new-lc-2] | Lars Wirzenius | 2014-04-23 | 1 | -0/+2
| |   This will make the output be even more verbose for Trove's Lorry Controller.
| * Add unit for modifying lorry crontab | Lars Wirzenius | 2014-04-23 | 1 | -0/+13
| |
| * Add script to remove lorry-controller from lorry's crontab | Lars Wirzenius | 2014-04-23 | 2 | -0/+24
| |
| * Expands TABs in share/lorry-controller.conf | Lars Wirzenius | 2014-04-10 | 1 | -42/+42
| |
| * Add a symlink to the LC static files into htdocs | Lars Wirzenius | 2014-04-10 | 1 | -0/+1
| |
| * Set trovehost in lorry-controller.conf to $UPSTREAM_TROVE | Lars Wirzenius | 2014-04-10 | 1 | -2/+2
| |