From e925453eab7024b5f169bbeef6a281c9952b1d30 Mon Sep 17 00:00:00 2001
From: Luke Hoersten
Date: Sun, 5 Apr 2026 15:50:31 -0500
Subject: Add git/aws-s3-backup and git/web (cgit) roles
---
 .../files/git-s3-backup-lifecycle.json | 12 +++++++
 git/aws-s3-backup/files/git-s3-backup.sh | 14 ++++++++
 git/aws-s3-backup/handlers/main.yaml | 5 +++
 git/aws-s3-backup/meta/main.yaml | 4 +++
 git/aws-s3-backup/tasks/main.yaml | 26 +++++++++++++++
 .../templates/git-s3-backup@.service.j2 | 9 +++++
 git/web/handlers/main.yaml | 9 +++++
 git/web/tasks/main.yaml | 33 +++++++++++++++++++
 git/web/templates/cgit.nginx.conf.j2 | 38 ++++++++++++++++++++++
 git/web/templates/cgitrc.j2 | 18 ++++++++++
 .../aws-s3-backup/files/mercurial-s3-backup.sh | 9 ++---
 mercurial/aws-s3-backup/tasks/main.yaml | 2 +-
 12 files changed, 174 insertions(+), 5 deletions(-)
 create mode 100644 git/aws-s3-backup/files/git-s3-backup-lifecycle.json
 create mode 100644 git/aws-s3-backup/files/git-s3-backup.sh
 create mode 100644 git/aws-s3-backup/handlers/main.yaml
 create mode 100644 git/aws-s3-backup/meta/main.yaml
 create mode 100644 git/aws-s3-backup/tasks/main.yaml
 create mode 100644 git/aws-s3-backup/templates/git-s3-backup@.service.j2
 create mode 100644 git/web/handlers/main.yaml
 create mode 100644 git/web/tasks/main.yaml
 create mode 100644 git/web/templates/cgit.nginx.conf.j2
 create mode 100644 git/web/templates/cgitrc.j2
diff --git a/git/aws-s3-backup/files/git-s3-backup-lifecycle.json b/git/aws-s3-backup/files/git-s3-backup-lifecycle.json
new file mode 100644
index 0000000..44036c0
--- /dev/null
+++ b/git/aws-s3-backup/files/git-s3-backup-lifecycle.json
@@ -0,0 +1,12 @@
+{
+  "Rules": [
+    {
+      "ID": "expiration",
+      "Filter": {},
+      "Status": "Enabled",
+      "NoncurrentVersionExpiration": {
+        "NoncurrentDays": 30
+      }
+    }
+  ]
+}
diff --git a/git/aws-s3-backup/files/git-s3-backup.sh b/git/aws-s3-backup/files/git-s3-backup.sh
new file mode 100644
index 0000000..c6dbcf1
--- /dev/null
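Review bot: The lifecycle rule only expires noncurrent object versions, but the companion git-s3-backup.sh in this patch uploads each archive under a date-specific key (`git-s3-backup-$DATE.tgz`), so every daily archive remains a current version and this rule never reclaims it; `NoncurrentDays` only applies when the same day's key is overwritten by a re-run. If the intent is to keep 30 days of backups, add an `Expiration` element (`"Expiration": { "Days": 30 }`) next to the noncurrent rule, or restrict the rule's `Filter` to the prefix the script writes. The mercurial-s3-backup.sh hunk switches to the same dated key and has the same gap against its own lifecycle file. Unbounded retention is a cost issue and also widens what an attacker with read access to the bucket obtains, since every snapshot ever taken stays available.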
+++ b/git/aws-s3-backup/files/git-s3-backup.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+BUCKET=$1
+BACKUP_DIR=$2
+DATE=$(date +%Y-%m-%d)
+BACKUP_TAR=$(mktemp /tmp/git-s3-backup.XXXXXX.tgz)
+
+tar -zc -f "$BACKUP_TAR" "$BACKUP_DIR"
+aws s3 mb "s3://$BUCKET/"
+aws s3api put-bucket-versioning --bucket "$BUCKET" --versioning-configuration Status=Enabled
+aws s3api put-bucket-lifecycle-configuration --bucket "$BUCKET" --lifecycle-configuration "file:///usr/local/share/git-s3-backup-lifecycle.json"
+aws s3 cp "$BACKUP_TAR" "s3://$BUCKET/git-s3-backup-$DATE.tgz"
+
+rm "$BACKUP_TAR"
diff --git a/git/aws-s3-backup/handlers/main.yaml b/git/aws-s3-backup/handlers/main.yaml
new file mode 100644
index 0000000..e61f79b
--- /dev/null
+++ b/git/aws-s3-backup/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+
+- name: reload git s3 backup service
+  systemd: name="git-s3-backup@{{git_s3_backup_bucket}}.service" enabled="yes" daemon_reload="yes"
+  become: yes
diff --git a/git/aws-s3-backup/meta/main.yaml b/git/aws-s3-backup/meta/main.yaml
new file mode 100644
index 0000000..f9c6f63
--- /dev/null
+++ b/git/aws-s3-backup/meta/main.yaml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - aws-s3-backup
diff --git a/git/aws-s3-backup/tasks/main.yaml b/git/aws-s3-backup/tasks/main.yaml
new file mode 100644
index 0000000..85c3d17
--- /dev/null
+++ b/git/aws-s3-backup/tasks/main.yaml
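Review bot: The script has no `set -euo pipefail` and no argument check, so a failing `tar` (or an empty `$BACKUP_DIR` from a missing argument) still reaches `aws s3 cp` and uploads a truncated or empty archive as that day's backup, and the temp file is only removed on the happy path. `aws s3 mb` also fails on every run after the first because the bucket already exists, which is harmless today only because errors are ignored, so it needs a guard once `set -e` is in place. The mercurial-s3-backup.sh hunk keeps the same structure and would benefit from the same change. Bucket hardening such as a public-access block or default encryption is left to whatever the `aws-s3-backup` dependency role does, which is not visible in this patch; worth confirming.
```bash
#!/bin/bash
set -euo pipefail

# refuse to run with missing arguments instead of archiving "" into "s3:///"
if [ $# -ne 2 ]; then
    echo "usage: $0 BUCKET BACKUP_DIR" >&2
    exit 2
fi

# … unchanged: BUCKET, BACKUP_DIR, DATE, BACKUP_TAR assignments …
# remove the archive on every exit path, including failures
trap 'rm -f "$BACKUP_TAR"' EXIT

tar -zc -f "$BACKUP_TAR" "$BACKUP_DIR"
# bucket creation fails once it exists; only tolerate that case
aws s3 mb "s3://$BUCKET/" || aws s3api head-bucket --bucket "$BUCKET"
# … unchanged: versioning, lifecycle configuration and upload; the trailing rm is dropped …
```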
@@ -0,0 +1,26 @@
+---
+
+- name: create git s3 backup shell script
+  become: yes
+  copy:
+    src: "git-s3-backup.sh"
+    dest: "/usr/local/bin/git-s3-backup.sh"
+    mode: "0755"
+
+- name: create s3 backup lifecycle json file
+  become: yes
+  copy:
+    src: "git-s3-backup-lifecycle.json"
+    dest: "/usr/local/share/git-s3-backup-lifecycle.json"
+    mode: "0644"
+
+- name: configure git s3 backup systemd service
+  become: yes
+  template:
+    src: "git-s3-backup@.service.j2"
+    dest: "/lib/systemd/system/git-s3-backup@{{git_s3_backup_bucket}}.service"
+  notify: reload git s3 backup service
+
+- name: ensure git s3 backup service is started
+  become: yes
+  systemd: name="git-s3-backup@{{git_s3_backup_bucket}}.service" enabled="yes" state="started"
diff --git a/git/aws-s3-backup/templates/git-s3-backup@.service.j2 b/git/aws-s3-backup/templates/git-s3-backup@.service.j2
new file mode 100644
index 0000000..0d94943
--- /dev/null
+++ b/git/aws-s3-backup/templates/git-s3-backup@.service.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Git s3 backup for "%I"
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/git-s3-backup.sh %i "{{git_s3_backup_dir}}"
+
+[Install]
+WantedBy=aws-s3-backup.target
diff --git a/git/web/handlers/main.yaml b/git/web/handlers/main.yaml
new file mode 100644
index 0000000..ef1d787
--- /dev/null
+++ b/git/web/handlers/main.yaml
@@ -0,0 +1,9 @@
+---
+
+- name: restart fcgiwrap
+  systemd: name="fcgiwrap.service" enabled="yes" daemon_reload="yes" state="restarted"
+  become: yes
+
+- name: restart nginx
+  systemd: name="nginx.service" state="restarted"
+  become: yes
diff --git a/git/web/tasks/main.yaml b/git/web/tasks/main.yaml
new file mode 100644
index 0000000..58a2005
--- /dev/null
+++ b/git/web/tasks/main.yaml
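Review bot: The last task's `state="started"` on a `Type=oneshot` unit with no `RemainAfterExit` runs a full backup on every playbook run, because a finished oneshot is inactive again and Ansible starts it each time; if the unit is meant to be pulled in by `aws-s3-backup.target` (its `WantedBy`), `enabled="yes"` without `state` is sufficient here. The template is also installed under `/lib/systemd/system/`, the package-owned tree; locally managed units belong in `/etc/systemd/system/` so they survive package updates and take precedence over vendor units. Whether the `aws-s3-backup` dependency role supplies a timer for that target is outside this patch.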
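Review bot: The unit sets no `User=`, so `git-s3-backup.sh` and the `aws` CLI it calls run as root with root's AWS credentials, which is more privilege than reading `{{git_s3_backup_dir}}` and writing to one bucket requires. A dedicated account with read access to the repositories plus `ProtectSystem=strict` and `PrivateTmp=yes` (the script writes its archive under `/tmp`) would bound what a misconfigured or compromised `aws` invocation can reach; which account owns the repositories is not visible here, so confirm before changing. This is a hardening suggestion rather than a defect in the change.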
@@ -0,0 +1,33 @@
+---
+
+- name: apt install cgit and fcgiwrap
+  become: yes
+  apt: name="{{item}}"
+  loop:
+    - "cgit"
+    - "fcgiwrap"
+    - "git"
+    - "python3-pygments"
+  notify: restart fcgiwrap
+
+- name: configure cgit
+  become: yes
+  template: src="cgitrc.j2" dest="/etc/cgitrc"
+  notify: restart fcgiwrap
+
+- name: install cgit nginx site
+  become: yes
+  template: src="cgit.nginx.conf.j2" dest="/etc/nginx/sites-available/cgit.conf"
+  notify: restart nginx
+
+- name: enable cgit nginx site
+  become: yes
+  file:
+    src: "/etc/nginx/sites-available/cgit.conf"
+    dest: "/etc/nginx/sites-enabled/cgit.conf"
+    state: "link"
+  notify: restart nginx
+
+- name: ensure fcgiwrap service is started
+  become: yes
+  systemd: name="fcgiwrap.service" enabled="yes" state="started"
diff --git a/git/web/templates/cgit.nginx.conf.j2 b/git/web/templates/cgit.nginx.conf.j2
new file mode 100644
index 0000000..0ddbe38
--- /dev/null
+++ b/git/web/templates/cgit.nginx.conf.j2
@@ -0,0 +1,38 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{nginx_server_name}};
+    return 301 https://{{nginx_server_name}}$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name {{nginx_server_name}};
+
+    ssl_certificate {{nginx_ssl_cert}};
+    ssl_certificate_key {{nginx_ssl_privkey}};
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    root /usr/share/cgit;
+
+    try_files $uri @cgit;
+
+    location @cgit {
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
+        fastcgi_param PATH_INFO $uri;
+        fastcgi_param QUERY_STRING $query_string;
+        fastcgi_param HTTP_HOST $server_name;
+        fastcgi_pass unix:/run/fcgiwrap.socket;
+    }
+}
diff --git a/git/web/templates/cgitrc.j2 b/git/web/templates/cgitrc.j2
new file mode 100644
index 0000000..6c1a7ff
--- /dev/null
+++ b/git/web/templates/cgitrc.j2
@@ -0,0 +1,18 @@
+remove-suffix=1
+
+root-title=src.nth.io
+root-desc=Git repositories
+
+difftype=ssdiff
+
+enable-http-clone=1
+enable-index-links=1
+enable-log-filecount=1
+enable-log-linecount=1
+
+source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
+about-filter=/usr/lib/cgit/filters/about-formatting.sh
+
+{% for repo in cgit_repos %}
+repo.path={{cgit_repos_dir}}{{repo}}.git
+{% endfor %}
diff --git a/mercurial/aws-s3-backup/files/mercurial-s3-backup.sh b/mercurial/aws-s3-backup/files/mercurial-s3-backup.sh
index 7317a36..f86c118 100644
--- a/mercurial/aws-s3-backup/files/mercurial-s3-backup.sh
+++ b/mercurial/aws-s3-backup/files/mercurial-s3-backup.sh
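Review bot: The HTTPS server only has `listen 443 ssl http2;` while the HTTP block also binds `listen [::]:80;`, so an IPv6-only client is redirected to a port nothing serves over v6; add `listen [::]:443 ssl http2;`. Since port 80 unconditionally redirects, an HSTS header is the natural complement (`add_header Strict-Transport-Security "max-age=31536000" always;`, with a max-age you are prepared to honour), and `X-XSS-Protection` is deprecated in current browsers and can be dropped. `ssl_stapling_verify on` without a `resolver` and `ssl_trusted_certificate` can leave stapling silently disabled with only a warning in the error log; the included letsencrypt options file is not visible here, so check whether it supplies them.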
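Review bot: `repo.path={{cgit_repos_dir}}{{repo}}.git` concatenates directory and name with no separator, so `cgit_repos_dir` must end in a slash or every entry silently points at a non-existent repository; joining with an explicit `/` (`repo.path={{cgit_repos_dir}}/{{repo}}.git`) or documenting the trailing-slash requirement in the role's defaults makes it explicit. `root-title=src.nth.io` is hard-coded while the nginx template takes the host from `{{nginx_server_name}}`; reusing that variable keeps the two in step. With `enable-http-clone=1` and no access control in either this file or the nginx site, every listed repository is publicly readable and cloneable, which is consistent with a public-hosting intent but worth stating in the role so nobody adds a private repository to `cgit_repos` by mistake.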
@@ -2,12 +2,13 @@
 
 BUCKET=$1
 BACKUP_DIR=$2
-BACKUP_TAR="/tmp/$BUCKET.tgz"
+DATE=$(date +%Y-%m-%d)
+BACKUP_TAR=$(mktemp /tmp/mercurial-s3-backup.XXXXXX.tgz)
 
-tar -zc -f $BACKUP_TAR $BACKUP_DIR
+tar -zc -f "$BACKUP_TAR" "$BACKUP_DIR"
 aws s3 mb "s3://$BUCKET/"
 aws s3api put-bucket-versioning --bucket "$BUCKET" --versioning-configuration Status=Enabled
 aws s3api put-bucket-lifecycle-configuration --bucket "$BUCKET" --lifecycle-configuration "file:///usr/local/share/mercurial-s3-backup-lifecycle.json"
-aws s3 cp $BACKUP_TAR "s3://$BUCKET/"
+aws s3 cp "$BACKUP_TAR" "s3://$BUCKET/mercurial-s3-backup-$DATE.tgz"
 
-rm $BACKUP_TAR
+rm "$BACKUP_TAR"
diff --git a/mercurial/aws-s3-backup/tasks/main.yaml b/mercurial/aws-s3-backup/tasks/main.yaml
index a476303..d547aa2 100644
--- a/mercurial/aws-s3-backup/tasks/main.yaml
+++ b/mercurial/aws-s3-backup/tasks/main.yaml
@@ -12,7 +12,7 @@
   copy:
     src: "mercurial-s3-backup-lifecycle.json"
     dest: "/usr/local/share/mercurial-s3-backup-lifecycle.json"
-    mode: "0755"
+    mode: "0644"
 
 - name: configure mercurial s3 backup systemd service
   become: yes
-- 
cgit v1.2.3