Git repo(s)

News and Announcements related to GhostBSD
kraileth
Posts: 312
Joined: Sun Sep 04, 2016 12:30 pm

Git repo(s)

Post by kraileth »

We now have a working git server for testing purposes (do with it as you please but don't put anything important there as that jail will be destroyed and rebuilt later!). It's located in an automatically created (using SaltStack) jail on the virtual server that is meant to become the EU mirror in the future. That jail uses a program called Gitolite to manage the repos. (That "admin_key" is currently mine; it will have the proper name when I rebuild the jail.)

Here's a quick guide on how to work with the repos
------------------------------------------------------------------------

First clone a repo called "gitolite-admin" to your workstation:

Code:

% git clone ssh://git@212.77.245.35:220/gitolite-admin

This repo is used to control the whole thing; there is no need to actually log into the jail (except for deleting repos, which has to be done by hand). First take a look at what you cloned. It has the following structure:

Code:

.
├── conf
│   └── gitolite.conf
└── keydir
    ├── admin_key.pub
    ├── asx.pub
    └── ericbsd.pub

To add any new user, simply place a .pub file containing an SSH key into the "keydir" directory, then git add, git commit and git push. Gitolite will then automatically create the new user (with a username that matches the filename without the extension).

And then there's gitolite.conf in the conf dir. This is what controls the repos.

Want Gitolite to create a new repo called "somename"? Just add a line to the configuration:

Code:

repo somename

Then again: add, commit and push. That's all.

Below each repo you assign permissions like this:

Code:

repo example
    RW+     =   ericbsd
    RW      =   asx
    R       =   kraileth

In this example I (if my key was named correctly...) would be allowed to clone the repo but not to do anything else. ASX could clone it, change things and push changes. And Eric could do all that and even has the power to delete files (that's the "+" privilege).

We can also define groups. Group definitions start with an @ and then you assign members. The group "@all" is implicit and can be used even without defining it. I've added a group called "staff":

Code:

@staff	=	ericbsd, asx, admin_key

Well, that's actually the basics already. There's not much more to know to use it. Happy testing (and let me know if you find out anything)!
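As an added illustration (it is not part of kraileth's post and not Gitolite's own code), here is a Python script that parses the subset of gitolite.conf syntax shown above (repo lines, R/RW/RW+ rules, @group definitions and the implicit @all) and answers the questions a reviewer of such a config wants answered: what level of access a given user holds on a repo, and who holds the RW+ (rewind/force-push) level on each one. It also checks a keydir listing for files Gitolite would silently ignore (no .pub suffix) and for private-key material that must never be committed. The sample config, the keydir contents and the repo "public-docs" are constructed for the example and the key blobs are placeholders; Gitolite's fuller syntax (deny rules, ref-level rules, several repos on one line) is not handled.

```python
# Added example (not from the post, not Gitolite's own code): audit a gitolite-admin checkout.
import re
from collections import defaultdict

# Constructed sample conf mirroring the post's snippets ('public-docs' is invented).
SAMPLE_CONF = """\
@staff  =   ericbsd, asx, admin_key

repo somename
    RW      =   @staff

repo example
    RW+     =   ericbsd
    RW      =   asx
    R       =   kraileth

repo public-docs
    R       =   @all
"""
# Constructed keydir (filename -> contents); key blobs are placeholders, not real keys.
SAMPLE_KEYDIR = {
    "asx.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial1 asx@host\n",
    "ericbsd.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial2 ericbsd@host\n",
    "broken.pub": "-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n-----END OPENSSH PRIVATE KEY-----\n",
    "kraileth": "ssh-rsa AAAAB3NzaC1yc2EAAAADPlaceholder kraileth@host\n",  # no .pub suffix
}
PERM_RANK = {"R": 1, "RW": 2, "RW+": 3}
RULE_RE = re.compile(r"^(R|RW\+?)\s*=\s*(.+)$")
PUBKEY_RE = re.compile(r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( \S+)?$")
SEP = re.compile(r"[\s,]+")   # Gitolite separates names by spaces; the post used commas


def parse_conf(text):
    """Parse '@group = members', 'repo name' and 'R|RW|RW+ = principals' (the subset in the
    post; Gitolite's deny rules, ref-level rules and multi-repo lines are not handled).
    Returns (groups, repos); repos maps a name to its (perm, principal) rules in order."""
    groups, repos, current = defaultdict(set), {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if line.startswith("@") and "=" in line:
            name, members = (s.strip() for s in line.split("=", 1))
            groups[name].update(m for m in SEP.split(members) if m)
        elif line.startswith("repo "):
            current = line[5:].strip()
            repos.setdefault(current, [])
        else:
            m = RULE_RE.match(line)
            if m is None or current is None:
                raise ValueError(f"unsupported or misplaced line: {raw!r}")
            perm, principals = m.groups()
            repos[current].extend((perm, p) for p in SEP.split(principals) if p)
    return dict(groups), repos


def expand(principal, groups, _seen=None):
    """Expand a user name or @group into the set of users it denotes (groups may nest)."""
    if not principal.startswith("@"):
        return {principal}
    _seen = set() if _seen is None else _seen
    if principal in _seen:                           # guard against cyclic groups
        return set()
    _seen.add(principal)
    users = set()
    for member in groups.get(principal, ()):
        users |= expand(member, groups, _seen)
    return users


def access_level(config, user, repo):
    """Highest of R / RW / RW+ that `user` holds on `repo`, or None if no access."""
    groups, repos = config
    best = None
    for perm, principal in repos.get(repo, []):
        if principal == "@all" or user in expand(principal, groups):
            if best is None or PERM_RANK[perm] > PERM_RANK[best]:
                best = perm
    return best


def rewind_holders(config):
    """Per repo, who holds RW+ (force-push / ref deletion); '@all' is kept literally
    since it means every key in keydir rather than a fixed list."""
    groups, repos = config
    return {repo: set().union(*({"@all"} if p == "@all" else expand(p, groups)
                                for perm, p in rules if perm == "RW+"))
            for repo, rules in repos.items()}


def check_keydir(files):
    """Flag entries Gitolite ignores (no .pub suffix) or that must never be committed
    (private key material); each .pub must hold exactly one OpenSSH public key line."""
    problems = []
    for name, body in files.items():
        if not name.endswith(".pub"):
            problems.append((name, "no .pub suffix, Gitolite will not create a user"))
        if "PRIVATE KEY" in body:
            problems.append((name, "private key material committed: remove it and rotate"))
            continue
        lines = [l for l in body.splitlines() if l.strip()]
        if len(lines) != 1 or not PUBKEY_RE.match(lines[0]):
            problems.append((name, "not exactly one OpenSSH public key line"))
    return problems
```

Running rewind_holders over the real conf on every change to gitolite-admin keeps the RW+ set as small as the post's example implies (one person per repo), and check_keydir enforces the property stated later in the thread: the only thing that belongs in keydir is public keys.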
ericbsd
Developer
Posts: 2057
Joined: Mon Nov 19, 2012 7:54 pm

Re: Git repo(s)

Post by ericbsd »

Nah, no keys in a git repository. I did not ask for that, and I do not agree to that.
kraileth
Posts: 312
Joined: Sun Sep 04, 2016 12:30 pm

Re: Git repo(s)

Post by kraileth »

ericbsd wrote: Nah, no keys in a git repository. I did not ask for that, and I do not agree to that.
Do you want me to remove your keys again?
ericbsd
Developer
Posts: 2057
Joined: Mon Nov 19, 2012 7:54 pm

Re: Git repo(s)

Post by ericbsd »

The fact is I do not want a git repository for ssh keys.
kraileth
Posts: 312
Joined: Sun Sep 04, 2016 12:30 pm

Re: Git repo(s)

Post by kraileth »

ericbsd wrote: The fact is I do not want a git repository for ssh keys.
Would you mind explaining why? It's only the public keys - what's wrong with that? With Gitolite, Git is operating over SSH and it makes sense to use SSH keys with that. I don't know of any other possibility since multiple persons have to have access and it's thus impossible to use passwords. The only alternative I can think of is setting up an instance of GitLab - but that is quite a massive application (both considering the time to set it up and resource-wise). And even there it is the default behavior to upload your SSH key to get access...
ericbsd
Developer
Posts: 2057
Joined: Mon Nov 19, 2012 7:54 pm

Re: Git repo(s)

Post by ericbsd »

First, I don't see the point of having git on our servers since the development of GhostBSD is on GitHub.

Second, I do not intend to have more people working on servers at the moment.

Third, I do not need my key on the mirror because I do not plan to invest time on mirrors. I am not gonna take care of mirrors, since mirrors would mostly be third party.

When it comes to having git repositories on the web and build servers I strongly disagree. No matter what your point in doing so is, the web server and pkg build/repository server should only be used for their dedicated purpose.

I have no idea what ASX's opinion on that is, but I have mine made up.

When it comes to mirrors you can do what you want there; you can add git if you want.
ASX
Posts: 988
Joined: Wed May 06, 2015 12:46 pm

Re: Git repo(s)

Post by ASX »

ericbsd wrote: I have no idea what ASX's opinion on that is, but I have mine made up.
Well, I had the chance to discuss that on IRC with kraileth; it turned out to be a misunderstanding about what the git was intended for:

kraileth meant to use that as a private repository for SaltStack
I was thinking of a public repo ... probably you too.

We had completely different things in our minds ...

Partly because of the above misunderstanding I asked to add access to the EU mirror:
viewtopic.php?f=97&t=634&start=10#p3385
Generally speaking I was interested in EU mirror details, not in git itself.
kraileth
Posts: 312
Joined: Sun Sep 04, 2016 12:30 pm

Re: Git repo(s)

Post by kraileth »

ericbsd wrote: First, I don't see the point of having git on our servers since the development of GhostBSD is on GitHub.
Ah, there we are. I wrote about what I want / need that git repo for before but I guess you missed it. It's not meant to replace the repositories on GitHub. It's an additional service for internal use, private repositories that will hold data that cannot or should not be made public. It will be the git backend for SaltStack and it will contain internal documentation (server roles and things like that which hold information that potential attackers shouldn't gain).
ericbsd wrote: Second, I do not intend to have more people working on servers at the moment.
That's fine. More users can be added but us three should totally be sufficient. I'm trying to get things automated as far as it makes sense so that we don't need more people to take care of infrastructure. You've already stated that you're not really enjoying administration tasks; I'm trying to spare you that work as much as possible.
ericbsd wrote: Third, I do not need my key on the mirror because I do not plan to invest time on mirrors. I am not gonna take care of mirrors, since mirrors would mostly be third party.
The (future) mirror is currently only holding the git server. I've written a bootstrap state file which can rebuild the exact same thing on any other server at any time (in a couple of minutes without manual intervention). The key is used only to access the git repos. But if you don't want access to those it's not strictly required. I just thought that you, being the project leader, should have full access, too.
ericbsd wrote: When it comes to having git repositories on the web and build servers I strongly disagree. No matter what your point in doing so is, the web server and pkg build/repository server should only be used for their dedicated purpose.
Sorry, this is another misunderstanding. There's definitely no need for git repositories hosted on any of these machines - the git server simply has to be on one single machine (and I don't care which one). The only thing that my concept requires is that py27-salt is installed on each server and a minion has a basic configuration (a couple of lines). Having the minion daemon running makes things easier but running it only when needed is also possible. This will allow applying states (which will be hosted on the private git repo so they are versioned correctly and nobody can see what our server setup looks like, how we configure our firewall, etc.). Those will then allow us to automatically create and manage jails with various services - like the mailer that I promised you to look into.
ericbsd
Developer
Posts: 2057
Joined: Mon Nov 19, 2012 7:54 pm

Re: Git repo(s)

Post by ericbsd »

Now that it is more clear it makes a bit more sense.

About mirrors, I do not need access to them. Basically I consider mirrors as third party; it would be great if we had documentation on how to do a mirror like the mirror you are doing.