authorLuke Hoersten <[email protected]>2026-04-05 15:50:31 -0500
committerLuke Hoersten <[email protected]>2026-04-05 15:50:31 -0500
commite925453eab7024b5f169bbeef6a281c9952b1d30 (patch)
treeaf53745934dd462930c33a0f38530752d8e1c4fc /git/web
parent55e55db9154e80aec134eef17d9d883d0213d4c4 (diff)
Add git/aws-s3-backup and git/web (cgit) roles
Diffstat (limited to 'git/web')
-rw-r--r--git/web/handlers/main.yaml9
-rw-r--r--git/web/tasks/main.yaml33
-rw-r--r--git/web/templates/cgit.nginx.conf.j238
-rw-r--r--git/web/templates/cgitrc.j218
4 files changed, 98 insertions, 0 deletions
diff --git a/git/web/handlers/main.yaml b/git/web/handlers/main.yaml
new file mode 100644
index 0000000..ef1d787
--- /dev/null
+++ b/git/web/handlers/main.yaml
@@ -0,0 +1,9 @@
+---
+
+- name: restart fcgiwrap
+ systemd: name="fcgiwrap.service" enabled="yes" daemon_reload="yes" state="restarted"
+ become: yes
+
+- name: restart nginx
+ systemd: name="nginx.service" state="restarted"
+ become: yes
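Review bot: The `restart nginx` handler does a full restart with no configuration check, so a mistake in the rendered cgit site file (a wrong certificate path, for example) would stop nginx for every site on the host, not just this one. Switching the handler to `systemd: name="nginx.service" state="reloaded"` should leave the running workers on the old configuration when the new one fails to parse. Running `nginx -t` as a task before the handler fires would also put the parse error in the play output.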
diff --git a/git/web/tasks/main.yaml b/git/web/tasks/main.yaml
new file mode 100644
index 0000000..58a2005
--- /dev/null
+++ b/git/web/tasks/main.yaml
@@ -0,0 +1,33 @@
+---
+
+- name: apt install cgit and fcgiwrap
+ become: yes
+ apt: name="{{item}}"
+ loop:
+ - "cgit"
+ - "fcgiwrap"
+ - "git"
+ - "python3-pygments"
+ notify: restart fcgiwrap
+
+- name: configure cgit
+ become: yes
+ template: src="cgitrc.j2" dest="/etc/cgitrc"
+ notify: restart fcgiwrap
+
+- name: install cgit nginx site
+ become: yes
+ template: src="cgit.nginx.conf.j2" dest="/etc/nginx/sites-available/cgit.conf"
+ notify: restart nginx
+
+- name: enable cgit nginx site
+ become: yes
+ file:
+ src: "/etc/nginx/sites-available/cgit.conf"
+ dest: "/etc/nginx/sites-enabled/cgit.conf"
+ state: "link"
+ notify: restart nginx
+
+- name: ensure fcgiwrap service is started
+ become: yes
+ systemd: name="fcgiwrap.service" enabled="yes" state="started"
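Review bot: Neither `template` task sets `owner`, `group` or `mode`, so the permissions of `/etc/cgitrc` and `/etc/nginx/sites-available/cgit.conf` depend on the become user's umask and on any file already present. Pinning them, e.g. `template: src="cgitrc.j2" dest="/etc/cgitrc" owner="root" group="root" mode="0644"`, keeps both files writable by root only while the CGI process (presumably running unprivileged under fcgiwrap) can still read its configuration. Separately, the `apt` task can take the four packages as a list in `name` instead of a `loop`, which installs them in one transaction.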
diff --git a/git/web/templates/cgit.nginx.conf.j2 b/git/web/templates/cgit.nginx.conf.j2
new file mode 100644
index 0000000..0ddbe38
--- /dev/null
+++ b/git/web/templates/cgit.nginx.conf.j2
@@ -0,0 +1,38 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{nginx_server_name}};
+ return 301 https://{{nginx_server_name}}$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name {{nginx_server_name}};
+
+ ssl_certificate {{nginx_ssl_cert}};
+ ssl_certificate_key {{nginx_ssl_privkey}};
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+ root /usr/share/cgit;
+
+ try_files $uri @cgit;
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+}
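Review bot: The TLS server block listens only on IPv4 (`listen 443 ssl http2;`), while the port-80 block also listens on `[::]:80`, so an IPv6 client is redirected to an https URL that this block does not serve over IPv6. Adding `listen [::]:443 ssl http2;` makes the two blocks consistent. The header set also has no HSTS, so a first plain-HTTP visit can still be downgraded on later visits; once HTTPS is confirmed stable, `add_header Strict-Transport-Security "max-age=31536000" always;` would close that gap. `ssl_stapling_verify on` normally needs an `ssl_trusted_certificate` chain and a `resolver`, neither of which appears here unless the included Let's Encrypt options file provides them.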
diff --git a/git/web/templates/cgitrc.j2 b/git/web/templates/cgitrc.j2
new file mode 100644
index 0000000..6c1a7ff
--- /dev/null
+++ b/git/web/templates/cgitrc.j2
@@ -0,0 +1,18 @@
+remove-suffix=1
+
+root-title=src.nth.io
+root-desc=Git repositories
+
+difftype=ssdiff
+
+enable-http-clone=1
+enable-index-links=1
+enable-log-filecount=1
+enable-log-linecount=1
+
+source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
+about-filter=/usr/lib/cgit/filters/about-formatting.sh
+
+{% for repo in cgit_repos %}
+repo.path={{cgit_repos_dir}}{{repo}}.git
+{% endfor %}
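Review bot: The loop emits only `repo.path=` for each repository. cgit's configuration format expects `repo.url` as the first setting of every repository entry, and to my knowledge other `repo.*` keys are ignored until a `repo.url` has opened one, so as written the index would likely list nothing. Emitting `repo.url={{repo}}` on the line before `repo.path=...` inside the loop should register each repository. `remove-suffix=1` affects only repositories found via `scan-path`, so it has no effect with explicit entries. The path is built by plain concatenation, so `cgit_repos_dir` must end in `/`; a comment in the template saying so would help.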