Mercurial + Nginx configuration for managing a large number of repositories

An example of the configuration of the bundle mercurial + nginx is described under the cat and the automation script for all of the above is given.

Tasks:

Creating a repository repository based on the Mercurial version control system with the ability to securely transfer data and separate access levels.
Automate the above actions.

Decision:

Proxy built-in http server (hg serve) with proxy level access sharing.
To avoid data interception, the transmission is carried out via the HTTPS protocol.
To minimize the resources consumed, Nginx acts as a proxy.
Access control is made at the location directive level.

Agreements:

Linux distribution in which everything will happen - Gentoo
https://hg.expample.com/reponame - link to access the repository
hg.example.com - domain name of the repository repository server
reponame - the name of the required repository
/ home / repos - root folder for repositories
/ etc / hg - root folder for configuration files
This reader has minimal Linux administration skills.

Install the necessary packages:

hg ~ # emerge mercurial hg ~ # emerge nginx

The built-in http server will be launched with the command

hg ~ # /usr/bin/hg serve -d -A /var/log/hg_access.log -p 8080 -a 127.0.0.1 --pid-file /var/run/hgserver.pid --encoding utf8 --webdir-conf /etc/hg/web.config

Launch directives:
-d - start the server as a daemon
-A /var/log/hg_access.log - server access log
-p 8080 - the port number on which the server is waiting for requests
-a 127.0.0.1 - ip address where the server is started
--pid-file /var/run/hgserver.pid - file with server process ID
--encoding utf8 - encoding
--webdir-conf /etc/hg/web.config - server configuration file

hg ~ # cat /etc/hg/web.config [web] // allow_push = * // “” ( ) push_ssl = false // ssl ( ) [paths] // “” rep1=/home/repos/rep1 // : - rep1 rep2=/home/repos/rep2 // : - rep2 

Writing the Include directive to the main Nginx configuration file

hg ~ # cat /etc/nginx/nginx.conf |grep -i include include "/etc/hg/nginx.conf";

Example configuration file /etc/hg/nginx.conf

hg ~ # cat /etc/hg/nginx.conf server { listen 443; server_name hg.example.com; client_max_body_size 128M; ssl on; ssl_certificate /etc/ssl/nginx/nginx.pem; ssl_certificate_key /etc/ssl/nginx/nginx.key; location /repo1 { proxy_pass http://127.0.0.1:8080; auth_basic "Restricted"; auth_basic_user_file /etc/hg/nginx/repo1.pass; access_log /var/log/nginx/repo1.hg.example.com.ssl_access_log main; error_log /var/log/nginx/repo1.hg.example.com.ssl_error_log info; } location /repo2 { proxy_pass http://127.0.0.1:8080; auth_basic "Restricted"; auth_basic_user_file /etc/hg/nginx/repo2.pass; access_log /var/log/nginx/repo2.hg.example.com.ssl_access_log main; error_log /var/log/nginx/repo2.hg.example.com.ssl_error_log info; } }

Consider the section: location / repo1
proxy_pass - specify where to send requests with successful authorization
auth_basic - use HTTP Basic Authentication
auth_basic_user_file - specify in which file the password database is located
access_log and error_log - repository access logging directives
Create authorization files for each of the repositories with the htpasswd command
(The htpasswd program is included in the apache package, so you'll have to install it with the emerge apache command

hg ~ # htpasswd -bc /etc/hg/nginx/repo2.pass test2 testpass2 hg ~ # htpasswd -bc /etc/hg/nginx/repo1.pass test1 testpass1

-b - use the password specified on the command line.
-c - create a new password database file
/etc/hg/nginx/repo1.pass - the name of the password database file
test1 - user login added
testpass1 - user password added
It remains to initialize the repositories with the hg init command.

hg ~ # hg init /home/repos/repo1 hg ~ # hg init /home/repos/repo2

We start Nginx team

hg ~ # /etc/init.d/nginx start

Now repo1 and repo2 repositories
available at
https://hg.example.com/repo1 and https://hg.example.com/repo2 respectively.
With configured separation of access levels.
This was the end of the article, for a simple configuration that is updated every 3-5 months is enough. But what to do when the configuration has to be changed often? The correct system administrator will immediately begin to look for a way to make life easier for you.

At least three solutions to the problem:

1. Use the finished product management repositories.
2. Delegate an honorary duty to his subordinate.
3. Create a management system yourself.
Unfortunately, neither the first nor the second option suited me ~~, so I had to overcome my laziness and do it myself.~~
The result was a script that fully automates the process of managing the repository server.

In which it was implemented:

1. Create (if necessary) and provide access to repositories.
2. Prohibition of access to inactive repositories. (When removed from the configuration file, the repository is not physically deleted).
3. Regeneration of user passwords for authorization of Nginx.
4. Distribution of access to repositories at the user level.

The syntax of the configuration file allows:

1. use blank lines to visually separate sections
2. use the “#” symbol to highlight comments

The configuration file consists of three sections.

[users] - : -. “=” user1=pass1 user2=pass2 user3=pass3 [repos] - repo1 repo2 repo3 [access] - , “,” repo1 = user1 , user2,user3 - user1,user2,user3 repo2 = user1,user2 - user1 user2 repo3 = user3 - user3 

Listing script /usr/local/sbin/hgmkrep.sh

#! / bin / bash
tmphtpass = "/ var / tmp / htpass" # define a temporary password database file
repohome = "/ home / repos /" # define the root folder for repositories
hgservepid = "/var/run/hgserver.pid" #pid hg serve
hgaccesslog = "/var/log/hg_access.log" #access log file for hg server
domain = "exapmple.com" #tld server name
confdir = "/ etc / hg /" # define the root folder for configs
confile = $ {confdir} "repo.cfg" # main config file /etc/hg/repo.cfg
webconfig = $ {confdir} "web.config" # config for hg server /etc/hg/web.config
nginxconfig = $ {confdir} "nginx.conf" # config for nginx /etc/hg/nginx.conf
nginxauthdir = $ {confdir} "nginx /" # folder for password bases for access to repositories
[ -s $ {confile} ] || echo "where is config file?" # check the presence of the main config
[ -s $ {confile} ] || exit 0 # grieve if there is no main config
# parsim section [repos] for repositories
repos = ` cat $ {confile} | sed '/ ^ $ / d' | sed '/ ^ # / d' | sed 's / \ // g' | awk '/ \ [repos \] / {
is_repos = 1;
while (is_repos == 1)
{if (getline <= 0 || index ($ 0, "[") == 1)
{is_repos = 0;}
else
{print $ 0;}}} ' `
# Check the availability of folders with repositories and, if necessary, create
for i in $ {repos}
do ; [ -d $ {repohome} $ {i} ] || / usr / bin / hg init $ {repohome} $ {i} ; done
# generate config for hg server
echo "[web]
allow_push = *
push_ssl = false
[paths] " > $ {webconfig}
# allow access only to active repositories
for i in $ {repos}
do ; echo $ {i} = $ {repohome} $ {i} >> $ {webconfig} ; done
# reboot hg serve
[ -a $ {hgservepid} ] && / bin / kill `/ bin / cat $ {hgservepid} ` && rm $ {hgservepid}
/ usr / bin / hg serve -d -A $ {hgaccesslog} -p 8080 -a 127.0.0.1 --pid-file $ {hgservepid} --encoding utf8 --webdir-conf $ {webconfig}
# create config for nginx
echo "server
{
listen 443;
server_name hg. " $ {domain} ";
client_max_body_size 128M;
ssl on;
ssl_certificate /etc/ssl/nginx/nginx.pem;
ssl_certificate_key /etc/ssl/nginx/nginx.key; " > $ {nginxconfig}
# create lacation for active repositories
for i in $ {repos}
do
echo "location /" $ {i} "
{
proxy_pass http://127.0.0.1:8080;
auth_basic \ " Restricted \" ;
auth_basic_user_file " $ {nginxauthdir} $ {i} " .pass;
access_log / var / log / nginx / " $ {i} " .hg. " $ {domain} " .ssl_access_log main;
error_log / var / log / nginx / " $ {i} " .hg. " $ {domain} " .ssl_error_log info;
} " >> $ {nginxconfig}
done
echo "}" >> $ {nginxconfig}
# create (reset, just in case) temporary password database
cat / dev / null > $ {tmphtpass}
# parsim section of the main config [users]
# generate passwords for all active users
cat $ {confile} | sed '/ ^ $ / d' | sed '/ ^ # / d' | sed 's / \ // g' | awk -v passfile = $ tmphtpass ' / \ [users \] / {
is_users = 1;
while (is_users == 1)
{if (getline <= 0 || index ($ 0, "[") == 1)
{is_users = 0;}
else
{split ($ 0, userpass, "="); system ("htpasswd -b" passfile "" userpass [1] "" userpass [2]);}}} '
# parsim section [access] of the main config
# and get the list of privileges of the form repo = user1, user2
access = ` cat $ {confile} | sed '/ ^ $ / d' | sed '/ ^ # / d' | sed 's / \ // g' | awk '/ \ [access \] / {
is_access = 1; while (is_access == 1)
{if (getline <= 0 || index ($ 0, "[") == 1)
{is_access = 0;}
else
{print $ 0;}}} ' `
# check if there is a folder for storing password databases
[ -d $ {nginxauthdir} ] || mkdir -p $ {nginxauthdir}
# delete old password database files
find $ {nginxauthdir} -type f -name * .pass -delete
# for each repository from the [access] section we generate a personal password database
for i in $ {access}
do ; echo $ {i} | sed 's /, / \ | / g' | awk -v tmphtpass = $ {tmphtpass} -v nginxauthdir = $ {nginxauthdir} \
'BEGIN {FS = "="} {system ("cat" tmphtpass "| egrep \" "$ 2" \ ">" nginxauthdir "" $ 1 ".pass")}' done
# restart nginx
/ etc / init.d / nginx restart
# delete temporary password database file
rm $ {tmphtpass}

I also post a link to the working script and the config example: hgmkrep.tar.gz

Existing disadvantages:

1. There is no distinction for reading and writing; each user allowed to ~~the~~ repository ~~body~~ has rw rights by default.
2. Not implemented using groups to restrict access
3. Configuration rollback is not implemented with incorrect syntax of the config (the system will collapse)
4. With an increase in the number of users and repositories, the config abundantly loses its visibility

Source: https://habr.com/ru/post/115007/

All Articles