gitolite/src/gl-setup

#!/bin/sh

GL_PACKAGE_CONF=/tmp/share/gitolite/conf
# must be the same as the value for the same variable in
# $GL_PACKAGE_CONF/example.gitolite.rc.  Sorry about the catch-22 :)

# TODO need to fix for portability to ksh and so on
# TODO need to get the version in there somehow

# This program is meant to be completely non-interactive, suitable for running
# server-side from a "post RPM/DEB install" script, or manually by users.

# usage:
#   $0 [foo.pub]

# The pubkey filename must end with ".pub" and is mandatory when you first run
# this command.  Otherwise it is optional, and can be used to override a
# pubkey file if you happen to have lost all gitolite-access to the repos (but
# do have shell access via some other means)

die() { echo "$@" >&2; exit 1; }

get_rc_val() {
    `dirname $0`/gl-query-rc $1
}

TEMPDIR=`mktemp -d -t tmp.XXXXXXXXXX`
export TEMPDIR
trap "/bin/rm -rf $TEMPDIR" 0

# quiet mode; only used to suppress popping up an editor on a new rc file
if [ "$1" = "-q" ]
then
    shift
    quiet=1
fi

if [ -n "$GITOLITE_HTTP_HOME" ]
then
    HOME=$GITOLITE_HTTP_HOME
    admin_name=$1
else
    pubkey_file=$1
    admin_name=
    if [ -n "$pubkey_file" ]
    then
        echo $pubkey_file | grep '.pub$' >/dev/null || die "$pubkey_file must end in .pub"
        [ -f $pubkey_file ] || die "cant find $pubkey_file"
        admin_name=` basename $pubkey_file .pub`
        echo $admin_name | grep '@' >/dev/null && die "please don't use '@' in the initial admin name"
    fi
fi

export GL_RC
GL_RC=`get_rc_val GL_RC 2>/dev/null`
[ -z "$GL_RC" ] && GL_RC=$HOME/.gitolite.rc

if [ -f $GL_RC ]
then
    print_rc_vars() {
        perl -ne 's/^\s+//; s/[\s=].*//; print if /^\$/;' < $1 | sort
    }
    print_rc_vars $GL_PACKAGE_CONF/example.gitolite.rc > $TEMPDIR/.newvars
    print_rc_vars $GL_RC                               > $TEMPDIR/.oldvars
    comm -23 $TEMPDIR/.newvars $TEMPDIR/.oldvars > $TEMPDIR/.diffvars
    if [ -s $TEMPDIR/.diffvars ]
    then
        cp $GL_PACKAGE_CONF/example.gitolite.rc $HOME/.gitolite.rc.new
        echo new version of the rc file saved in $HOME/.gitolite.rc.new
        echo
        echo please update $GL_RC manually if you need features
        echo controlled by any of the following variables:
        echo ----
        sed -e 's/^/    /' < $TEMPDIR/.diffvars
        echo ----
    fi
else
    [ -n "$GITOLITE_HTTP_HOME" ] || [ -n "$pubkey_file" ] || die "looks like first run -- I need a pubkey file"
    [ -z "$GITOLITE_HTTP_HOME" ] || [ -n "$admin_name"  ] || die "looks like first run -- I need an admin name"

    cp $GL_PACKAGE_CONF/example.gitolite.rc $GL_RC
    if [ -z "$quiet" ]
    then
        printf "The default settings in the "rc" file ($GL_RC) are fine for most\n"
        printf "people but if you wish to make any changes, you can do so now.\n\nhit enter..."
        read i
        ${EDITOR:-vi} $GL_RC
    fi
fi

# setup ssh stuff.  We break our normal rule that we will not fiddle with
# authkeys etc., because in this case it seems appropriate
(
    cd $HOME
    mkdir -p .ssh
    chmod go-rwx .ssh
    touch .ssh/authorized_keys
    chmod go-w . .ssh .ssh/authorized_keys
)

export GL_BINDIR
export REPO_BASE
export GL_ADMINDIR
GL_BINDIR=`  get_rc_val GL_BINDIR  `
REPO_BASE=`  get_rc_val REPO_BASE  `
GL_ADMINDIR=`get_rc_val GL_ADMINDIR`

# now we get to gitolite itself

gl-install -q

[ -f $GL_ADMINDIR/conf/gitolite.conf ] || {
    cat <<EOF | cut -c9- > $GL_ADMINDIR/conf/gitolite.conf
        repo    gitolite-admin
                RW+     =   $admin_name

        repo    testing
                RW+     =   @all
EOF
}
[ -n "$pubkey_file" ] && cp $pubkey_file $GL_ADMINDIR/keydir

touch $HOME/.ssh/authorized_keys
gl-compile-conf -q

# setup push-to-admin
[ -n "$pubkey_file" ] && (
    cd $HOME; cd $REPO_BASE/gitolite-admin.git
    GIT_WORK_TREE=$GL_ADMINDIR; export GIT_WORK_TREE
    git add conf/gitolite.conf keydir
    git config --get user.email >/dev/null || git config user.email $USER@`hostname`
    git config --get user.name  >/dev/null || git config user.name  "$USER on `hostname`"
    git diff --cached --quiet 2>/dev/null || git commit -am start
)

# now that the admin repo is created, you have to set the hooks properly; best
# do it by running install again
gl-install -q

# ----

# the never-ending quest to help with bloody ssh issues...
cd $GL_ADMINDIR/keydir
[ -n "$pubkey_file" ] && $GL_BINDIR/sshkeys-lint -q -a $admin_name < $HOME/.ssh/authorized_keys

exit 0
added server-side setup script 2010-02-08 15:31:14 +01:00			`#!/bin/sh`

			`GL_PACKAGE_CONF=/tmp/share/gitolite/conf`
			`# must be the same as the value for the same variable in`
			`# $GL_PACKAGE_CONF/example.gitolite.rc. Sorry about the catch-22 :)`

			`# TODO need to fix for portability to ksh and so on`
			`# TODO need to get the version in there somehow`

			`# This program is meant to be completely non-interactive, suitable for running`
			`# server-side from a "post RPM/DEB install" script, or manually by users.`

			`# usage:`
			`# $0 [foo.pub]`

			`# The pubkey filename must end with ".pub" and is mandatory when you first run`
			`# this command. Otherwise it is optional, and can be used to override a`
			`# pubkey file if you happen to have lost all gitolite-access to the repos (but`
			`# do have shell access via some other means)`

It's official now; Solaris sh is brain dead... For example, this program #!/bin/sh die() { echo die called with $1; exit 1; } >&2 die foo die bar will print both those messages! I honestly don't care if this is posix or not, but it is BRAIN DEAD for the ">&2" to change the meaning from {} to () Oh and the grep thing is even worse. echo foo \| grep ^/ works fine in an interactive shell but in a script it attempts to execute "/", complains, while simultaneously complaining about usage of grep. It's almost like it's treating ^ like \| 2011-10-20 12:10:17 +02:00			`die() { echo "$@" >&2; exit 1; }`
added server-side setup script 2010-02-08 15:31:14 +01:00
gitolite v2.0rc1 -- please see new developer-notes doc 2011-01-15 16:39:56 +01:00			`get_rc_val() {`
some more bashisms fixed... 2011-10-16 14:02:30 +02:00			`dirname $0`/gl-query-rc $1
gitolite v2.0rc1 -- please see new developer-notes doc 2011-01-15 16:39:56 +01:00			`}`

I forgot I still have Solaris users... change some obvious bashisms. There may be more, however, so if you find them, let me know. 2011-10-04 10:01:44 +02:00			TEMPDIR=`mktemp -d -t tmp.XXXXXXXXXX`
gl-setup should not assume $PWD is writable noticed by idl0r when running it via cfengine 2010-11-04 08:54:41 +01:00			`export TEMPDIR`
			`trap "/bin/rm -rf $TEMPDIR" 0`
(http) gl-setup changes... - only admin name needed, not pubkey file - setup HOME from GITOLITE_HTTP_HOME 2010-09-05 15:18:29 +02:00
(minor) gl-setup learns "-q" suppresses popping an editor when run for the first time 2011-01-16 10:12:11 +01:00			`# quiet mode; only used to suppress popping up an editor on a new rc file`
			`if [ "$1" = "-q" ]`
			`then`
			`shift`
			`quiet=1`
			`fi`

(http) gl-setup changes... - only admin name needed, not pubkey file - setup HOME from GITOLITE_HTTP_HOME 2010-09-05 15:18:29 +02:00			`if [ -n "$GITOLITE_HTTP_HOME" ]`
added server-side setup script 2010-02-08 15:31:14 +01:00			`then`
(http) gl-setup changes... - only admin name needed, not pubkey file - setup HOME from GITOLITE_HTTP_HOME 2010-09-05 15:18:29 +02:00			`HOME=$GITOLITE_HTTP_HOME`
			`admin_name=$1`
			`else`
			`pubkey_file=$1`
			`admin_name=`
			`if [ -n "$pubkey_file" ]`
			`then`
			`echo $pubkey_file \| grep '.pub$' >/dev/null \|\| die "$pubkey_file must end in .pub"`
			`[ -f $pubkey_file ] \|\| die "cant find $pubkey_file"`
			admin_name=` basename $pubkey_file .pub`
			`echo $admin_name \| grep '@' >/dev/null && die "please don't use '@' in the initial admin name"`
			`fi`
added server-side setup script 2010-02-08 15:31:14 +01:00			`fi`

gitolite v2.0rc1 -- please see new developer-notes doc 2011-01-15 16:39:56 +01:00			`export GL_RC`
I forgot I still have Solaris users... change some obvious bashisms. There may be more, however, so if you find them, let me know. 2011-10-04 10:01:44 +02:00			GL_RC=`get_rc_val GL_RC 2>/dev/null`
gitolite v2.0rc1 -- please see new developer-notes doc 2011-01-15 16:39:56 +01:00			`[ -z "$GL_RC" ] && GL_RC=$HOME/.gitolite.rc`

			`if [ -f $GL_RC ]`
added server-side setup script 2010-02-08 15:31:14 +01:00			`then`
gl-setup: Replace similar long one-liners with functions 2010-11-18 19:22:26 +01:00			`print_rc_vars() {`
			`perl -ne 's/^\s+//; s/[\s=].*//; print if /^\$/;' < $1 \| sort`
			`}`
			`print_rc_vars $GL_PACKAGE_CONF/example.gitolite.rc > $TEMPDIR/.newvars`
gitolite v2.0rc1 -- please see new developer-notes doc 2011-01-15 16:39:56 +01:00			`print_rc_vars $GL_RC > $TEMPDIR/.oldvars`
gl-setup should not assume $PWD is writable noticed by idl0r when running it via cfengine 2010-11-04 08:54:41 +01:00			`comm -23 $TEMPDIR/.newvars $TEMPDIR/.oldvars > $TEMPDIR/.diffvars`
			`if [ -s $TEMPDIR/.diffvars ]`
added server-side setup script 2010-02-08 15:31:14 +01:00			`then`
we're getting a nice solaris workout after a long time :) 2010-03-30 14:23:40 +02:00			`cp $GL_PACKAGE_CONF/example.gitolite.rc $HOME/.gitolite.rc.new`
			`echo new version of the rc file saved in $HOME/.gitolite.rc.new`
added server-side setup script 2010-02-08 15:31:14 +01:00			`echo`
gitolite v2.0rc1 -- please see new developer-notes doc 2011-01-15 16:39:56 +01:00			`echo please update $GL_RC manually if you need features`
added server-side setup script 2010-02-08 15:31:14 +01:00			`echo controlled by any of the following variables:`
			`echo ----`
gl-setup should not assume $PWD is writable noticed by idl0r when running it via cfengine 2010-11-04 08:54:41 +01:00			`sed -e 's/^/ /' < $TEMPDIR/.diffvars`
added server-side setup script 2010-02-08 15:31:14 +01:00			`echo ----`
			`fi`
			`else`
(http) gl-setup changes... - only admin name needed, not pubkey file - setup HOME from GITOLITE_HTTP_HOME 2010-09-05 15:18:29 +02:00			`[ -n "$GITOLITE_HTTP_HOME" ] \|\| [ -n "$pubkey_file" ] \|\| die "looks like first run -- I need a pubkey file"`
			`[ -z "$GITOLITE_HTTP_HOME" ] \|\| [ -n "$admin_name" ] \|\| die "looks like first run -- I need an admin name"`

gitolite v2.0rc1 -- please see new developer-notes doc 2011-01-15 16:39:56 +01:00			`cp $GL_PACKAGE_CONF/example.gitolite.rc $GL_RC`
(minor) gl-setup learns "-q" suppresses popping an editor when run for the first time 2011-01-16 10:12:11 +01:00			`if [ -z "$quiet" ]`
			`then`
			`printf "The default settings in the "rc" file ($GL_RC) are fine for most\n"`
			`printf "people but if you wish to make any changes, you can do so now.\n\nhit enter..."`
			`read i`
			`${EDITOR:-vi} $GL_RC`
			`fi`
added server-side setup script 2010-02-08 15:31:14 +01:00			`fi`

dps: gl-setup may have to create ~/.ssh and touch the authkeys file... I've been unwilling to create the authkeys file if it does not already exist, because it represents a significant change in accessibility for that account. However, in the "distro package" scenario, one wants to make it as easy as possible for the end-user (who is actually an admin for the gitolite being hosted on his account, let's not forget) to use. And it seems that in some cases that might mean he does not (yet) have a ~/.ssh even... 2010-03-12 04:34:00 +01:00			`# setup ssh stuff. We break our normal rule that we will not fiddle with`
			`# authkeys etc., because in this case it seems appropriate`
(minor) gl-setup fixes - stop erroring out if run from elsewhere than $HOME (by localising the "cd" we need somewhere in between) - catch the admin@home.pub usage early - minor fix to the backticked commands - gl-setup now does 'chmod go-rwx .ssh' 2010-07-25 05:31:04 +02:00			`(`
			`cd $HOME`
			`mkdir -p .ssh`
			`chmod go-rwx .ssh`
			`touch .ssh/authorized_keys`
			`chmod go-w . .ssh .ssh/authorized_keys`
			`)`
dps: gl-setup may have to create ~/.ssh and touch the authkeys file... I've been unwilling to create the authkeys file if it does not already exist, because it represents a significant change in accessibility for that account. However, in the "distro package" scenario, one wants to make it as easy as possible for the end-user (who is actually an admin for the gitolite being hosted on his account, let's not forget) to use. And it seems that in some cases that might mean he does not (yet) have a ~/.ssh even... 2010-03-12 04:34:00 +01:00
gitolite v2.0rc1 -- please see new developer-notes doc 2011-01-15 16:39:56 +01:00			`export GL_BINDIR`
			`export REPO_BASE`
			`export GL_ADMINDIR`
I forgot I still have Solaris users... change some obvious bashisms. There may be more, however, so if you find them, let me know. 2011-10-04 10:01:44 +02:00			GL_BINDIR=` get_rc_val GL_BINDIR `
			REPO_BASE=` get_rc_val REPO_BASE `
			GL_ADMINDIR=`get_rc_val GL_ADMINDIR`
gitolite v2.0rc1 -- please see new developer-notes doc 2011-01-15 16:39:56 +01:00
dps: gl-setup may have to create ~/.ssh and touch the authkeys file... I've been unwilling to create the authkeys file if it does not already exist, because it represents a significant change in accessibility for that account. However, in the "distro package" scenario, one wants to make it as easy as possible for the end-user (who is actually an admin for the gitolite being hosted on his account, let's not forget) to use. And it seems that in some cases that might mean he does not (yet) have a ~/.ssh even... 2010-03-12 04:34:00 +01:00			`# now we get to gitolite itself`

added server-side setup script 2010-02-08 15:31:14 +01:00			`gl-install -q`

gl-setup: dash-compat before someone runs it on the new Ubuntu :) 2010-03-18 16:18:29 +01:00			`[ -f $GL_ADMINDIR/conf/gitolite.conf ] \|\| {`
(minor) indentation fix been meaning to do it for a while, but I got a push: http://colabti.org/irclogger/irclogger_log/git?date=2010-11-26#l622 ---- If I had been on the channel at that time I may have quoted Emerson on "consistency" just for the fun of it... ;-) 2010-11-27 01:56:07 +01:00			`cat <<EOF \| cut -c9- > $GL_ADMINDIR/conf/gitolite.conf`
added server-side setup script 2010-02-08 15:31:14 +01:00			`repo gitolite-admin`
			`RW+ = $admin_name`

			`repo testing`
			`RW+ = @all`
			`EOF`
			`}`
gl-setup: dash-compat before someone runs it on the new Ubuntu :) 2010-03-18 16:18:29 +01:00			`[ -n "$pubkey_file" ] && cp $pubkey_file $GL_ADMINDIR/keydir`
added server-side setup script 2010-02-08 15:31:14 +01:00
			`touch $HOME/.ssh/authorized_keys`
			`gl-compile-conf -q`

			`# setup push-to-admin`
gl-setup: dont try to 'git add' and all that when no key was provided Apparently some people want gitolite-admin as a non-repo. Completely outside gitolite, managed by puppet or such, and leaving only symlinks for 'conf' and 'keydir' in $GL_ADMINDIR. But then when they have to run 'gl-setup', the 'git add' complains about the symlink. Hence this patch. ---- Meanwhile, if you're one of those puppet masters, here's the script I gave them for the compile (this has nothing to do with this patch; I'm just throwing it in here so I won't lose it): #!/bin/bash # let's say you install using "non-root" method. (Adjust GL_BINDIR for root # method or package method). # install normally, then make changes directly in $GL_ADMINDIR/conf and # $GL_ADMINDIR/keydir. (Please leaves "logs/" and "hooks/" alone). # Then run this: export GL_ADMINDIR=$HOME/.gitolite export GL_BINDIR=$HOME/bin export GL_RC=$HOME/.gitolite.rc cd $GL_ADMINDIR $GL_BINDIR/gl-compile-conf # BE SURE TO REMOVE THE ADMIN REPO ITSELF FROM conf/gitolite.conf, as well as # repositories/gitolite-admin.git, lest a push by someone end up overwriting # this hand- (or machine-) crafted config. # you can get away even further from gitolite's control. You can, for # example, set GL_NO_SETUP_AUTHKEYS in the rc file, and manage even the keys # yourself. Just put the full path to $GL_BINDIR/gl-auth-command followed by # the username in the "command=" part of the authkeys file you generate. 2011-11-28 18:18:59 +01:00			`[ -n "$pubkey_file" ] && (`
gl-setup: Avoid stupid "cd -" simulation tricks They don't work if someone calls the script for example su - gitolite -c gl-setup <key> from a directory where "gitolite" user does not have permissions (e.g. 0700), then 'cd $od' fails and we stay in gitolite's $HOME. [commit message changed by committer; author was more polite ;-)] 2010-11-18 19:18:07 +01:00			`cd $HOME; cd $REPO_BASE/gitolite-admin.git`
			`GIT_WORK_TREE=$GL_ADMINDIR; export GIT_WORK_TREE`
			`git add conf/gitolite.conf keydir`
hide output of commands to check for existence of valid user.* keys could be confusing to people, and is not at all needed to be shown. 2011-11-15 05:33:01 +01:00			git config --get user.email >/dev/null \|\| git config user.email $USER@`hostname`
			git config --get user.name >/dev/null \|\| git config user.name "$USER on `hostname`"
gl-setup: Avoid stupid "cd -" simulation tricks They don't work if someone calls the script for example su - gitolite -c gl-setup <key> from a directory where "gitolite" user does not have permissions (e.g. 0700), then 'cd $od' fails and we stay in gitolite's $HOME. [commit message changed by committer; author was more polite ;-)] 2010-11-18 19:18:07 +01:00			`git diff --cached --quiet 2>/dev/null \|\| git commit -am start`
			`)`
added server-side setup script 2010-02-08 15:31:14 +01:00
			`# now that the admin repo is created, you have to set the hooks properly; best`
			`# do it by running install again`
			`gl-install -q`
sshkeys-lint total rewrite, and gl-setup now uses it ...in "admin check" mode 2011-11-13 13:07:01 +01:00
			`# ----`

			`# the never-ending quest to help with bloody ssh issues...`
			`cd $GL_ADMINDIR/keydir`
gl-setup: (sshkeys-lint): Move file redirection to the end Signed-off-by: Jari Aalto <jari.aalto@cante.net> 2012-01-02 01:21:00 +01:00			`[ -n "$pubkey_file" ] && $GL_BINDIR/sshkeys-lint -q -a $admin_name < $HOME/.ssh/authorized_keys`
gl-setup: dont try to 'git add' and all that when no key was provided Apparently some people want gitolite-admin as a non-repo. Completely outside gitolite, managed by puppet or such, and leaving only symlinks for 'conf' and 'keydir' in $GL_ADMINDIR. But then when they have to run 'gl-setup', the 'git add' complains about the symlink. Hence this patch. ---- Meanwhile, if you're one of those puppet masters, here's the script I gave them for the compile (this has nothing to do with this patch; I'm just throwing it in here so I won't lose it): #!/bin/bash # let's say you install using "non-root" method. (Adjust GL_BINDIR for root # method or package method). # install normally, then make changes directly in $GL_ADMINDIR/conf and # $GL_ADMINDIR/keydir. (Please leaves "logs/" and "hooks/" alone). # Then run this: export GL_ADMINDIR=$HOME/.gitolite export GL_BINDIR=$HOME/bin export GL_RC=$HOME/.gitolite.rc cd $GL_ADMINDIR $GL_BINDIR/gl-compile-conf # BE SURE TO REMOVE THE ADMIN REPO ITSELF FROM conf/gitolite.conf, as well as # repositories/gitolite-admin.git, lest a push by someone end up overwriting # this hand- (or machine-) crafted config. # you can get away even further from gitolite's control. You can, for # example, set GL_NO_SETUP_AUTHKEYS in the rc file, and manage even the keys # yourself. Just put the full path to $GL_BINDIR/gl-auth-command followed by # the username in the "command=" part of the authkeys file you generate. 2011-11-28 18:18:59 +01:00
			`exit 0`