From 6607474370aa5a4baa85d78412b6c936f729fa28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Fri, 9 Aug 2024 16:13:58 +0200 Subject: [PATCH] Configure commit signing for Gitea refs #237 --- Berksfile | 1 + Berksfile.lock | 3 + cookbooks/gpg/.markdownlint-cli2.yaml | 5 + cookbooks/gpg/CHANGELOG.md | 89 ++++++++ cookbooks/gpg/LICENSE | 202 ++++++++++++++++++ cookbooks/gpg/README.md | 63 ++++++ cookbooks/gpg/chefignore | 115 ++++++++++ cookbooks/gpg/libraries/helpers.rb | 43 ++++ cookbooks/gpg/metadata.json | 43 ++++ cookbooks/gpg/metadata.rb | 20 ++ cookbooks/gpg/renovate.json | 18 ++ cookbooks/gpg/resources/install.rb | 18 ++ cookbooks/gpg/resources/key.rb | 166 ++++++++++++++ .../kosmos_gitea/attributes/default.rb | 5 + site-cookbooks/kosmos_gitea/metadata.rb | 1 + .../kosmos_gitea/recipes/default.rb | 17 ++ .../templates/default/app.ini.erb | 9 + 17 files changed, 818 insertions(+) create mode 100644 cookbooks/gpg/.markdownlint-cli2.yaml create mode 100644 cookbooks/gpg/CHANGELOG.md create mode 100644 cookbooks/gpg/LICENSE create mode 100644 cookbooks/gpg/README.md create mode 100644 cookbooks/gpg/chefignore create mode 100644 cookbooks/gpg/libraries/helpers.rb create mode 100644 cookbooks/gpg/metadata.json create mode 100644 cookbooks/gpg/metadata.rb create mode 100644 cookbooks/gpg/renovate.json create mode 100644 cookbooks/gpg/resources/install.rb create mode 100644 cookbooks/gpg/resources/key.rb diff --git a/Berksfile b/Berksfile index e82e5ed..2bc138d 100644 --- a/Berksfile +++ b/Berksfile @@ -21,6 +21,7 @@ cookbook 'composer', '~> 2.7.0' cookbook 'fail2ban', '~> 7.0.4' cookbook 'git', '~> 10.0.0' cookbook 'golang', '~> 5.3.1' +cookbook 'gpg', '~> 2.0.13' cookbook 'hostname', '= 0.4.2' cookbook 'hostsfile', '~> 3.0.1' cookbook 'java', '~> 4.3.0' diff --git a/Berksfile.lock b/Berksfile.lock index c3bab6f..3ec4522 100644 --- a/Berksfile.lock +++ b/Berksfile.lock 
@@ -8,6 +8,7 @@ DEPENDENCIES firewall (~> 6.2.16) git (~> 10.0.0) golang (~> 5.3.1) + gpg (~> 2.0.13) hostname (= 0.4.2) hostsfile (~> 3.0.1) ipfs @@ -59,6 +60,8 @@ GRAPH git (10.0.0) golang (5.3.1) ark (>= 6.0) + gpg (2.0.13) + yum-epel (>= 0.0.0) homebrew (5.4.1) hostname (0.4.2) hostsfile (>= 0.0.0) diff --git a/cookbooks/gpg/.markdownlint-cli2.yaml b/cookbooks/gpg/.markdownlint-cli2.yaml new file mode 100644 index 0000000..6fa8e77 --- /dev/null +++ b/cookbooks/gpg/.markdownlint-cli2.yaml @@ -0,0 +1,5 @@ +config: + ul-indent: false # MD007 + line-length: false # MD013 + no-duplicate-heading: false # MD024 + reference-links-images: false # MD052 diff --git a/cookbooks/gpg/CHANGELOG.md b/cookbooks/gpg/CHANGELOG.md new file mode 100644 index 0000000..7986188 --- /dev/null +++ b/cookbooks/gpg/CHANGELOG.md 
@@ -0,0 +1,89 @@ +# gpg Cookbook CHANGELOG + +This file is used to list changes made in each version of the gpg cookbook. + +## 2.0.13 - *2024-05-02* + +## 2.0.12 - *2024-05-02* + +## 2.0.11 - *2023-09-28* + +## 2.0.10 - *2023-09-04* + +## 2.0.9 - *2023-07-10* + +## 2.0.8 - *2023-05-16* + +- Fix markdown formatting in the changelog +- Standardise files with files in sous-chefs/repo-management + +## 2.0.7 - *2023-05-16* + +- Standardise files with files in sous-chefs/repo-management + +## 2.0.6 - *2023-05-03* + +- Standardise files with files in sous-chefs/repo-management + +## 2.0.5 - *2023-04-01* + +- Standardise files with files in sous-chefs/repo-management + +## 2.0.4 - *2023-03-02* + +- Standardise files with files in sous-chefs/repo-management + +## 2.0.3 - *2023-02-14* + +- Remove delivery folder + +## 2.0.2 - *2021-08-31* + +- Standardise files with files in sous-chefs/repo-management + +## 2.0.1 - *2021-06-01* + +- Standardise files with files in sous-chefs/repo-management + +## 2.0.0 - *2021-05-07* + +- Update tested platforms +- Set minimum Chef version to 15.3 for unified_mode support + +## 1.3.0 - *2020-12-14* + +- Added support for SUSE and OpenSUSE + +## 1.2.0 (2020-08-26) + +- Comment out enforce_idempotency in kitchen.dokken.yml so tests work +- Update/Remove the platforms we test against +- Fix support for pinentry_mode on Ubuntu 16.04 + +## 1.1.0 (2020-05-14) + +- resolved cookstyle error: resources/install.rb:1:36 convention: `Layout/TrailingWhitespace` +- resolved cookstyle error: resources/install.rb:1:37 refactor: `ChefModernize/FoodcriticComments` + +## 1.0.1 (2020-01-26) + +- Use Github Actions for testing +- Fix Ubuntu platform checks in the `gpg_key` resource +- Use true/false in the resource to simplify the types + +## 1.0.0 (2019-01-26) + +- Adds two new resources `gpg_install` and `gpg_key` +- Use CircleCI for testing + +## 0.3.0 (2018-05-08) + +- Sous Chefs will now be maintaining this cookbook. 
For more information on Sous Chefs see +- This cookbook now requires Chef 12 or later +- Added a chefignore file +- Added local testing with delivery local mode +- Added Code of conduct, testing, contributing, license, and changelog files +- Added `chef_version`, `source_url`, and `issues_url` to the metadata +- Added ubuntu/debian to the metadata as supported platforms +- Updated the kitchen config to use Vagrant on common platforms +- Resolved all cookstyle / foodcritic warnings diff --git a/cookbooks/gpg/LICENSE b/cookbooks/gpg/LICENSE new file mode 100644 index 0000000..8f71f43 --- /dev/null +++ b/cookbooks/gpg/LICENSE 
@@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/cookbooks/gpg/README.md b/cookbooks/gpg/README.md new file mode 100644 index 0000000..9b2a1dd --- /dev/null +++ b/cookbooks/gpg/README.md 
@@ -0,0 +1,63 @@ +# GPG cookbook + +[![Cookbook Version](https://img.shields.io/cookbook/v/gpg.svg)](https://supermarket.chef.io/cookbooks/gpg) +[![Build Status](https://img.shields.io/circleci/project/github/sous-chefs/gpg/master.svg)](https://circleci.com/gh/sous-chefs/gpg) +[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers) +[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors) +[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0) + +Installs and configures GPG on a system + +## Maintainers + +This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF). + +## Custom resources + +This cookboks uses custom resources to control GPG2. + +Install GPG2 and haveged + +```ruby +gpg_install +``` + +Generate a GPG key for a user + +```ruby +gpg_key 'foo' do + user 'foo' + passphrase 'this-is-not-secure' +end +``` + +For further detail please see the documentation for each resource, or the test cookbook for example usage. + +- [gpg_install](https://github.com/sous-chefs/gpg/blob/master/documentation/resource/install.md) +- [gpg_key](https://github.com/sous-chefs/gpg/blob/master/documentation/resource/key.md) +- [Test Cookbook](https://github.com/sous-chefs/gpg/blob/master/test/fixtures/cookbooks/test/recipes) + +## Contributors + +This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false) + +### Backers + +Thank you to all our backers! 
+ +![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40) + +### Sponsors + +Support this project by becoming a sponsor. Your logo will show up here with a link to your website. + +![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100) diff --git a/cookbooks/gpg/chefignore b/cookbooks/gpg/chefignore new file mode 100644 index 0000000..a27b0b2 --- /dev/null +++ b/cookbooks/gpg/chefignore 
@@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen*.yml +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/cookbooks/gpg/libraries/helpers.rb b/cookbooks/gpg/libraries/helpers.rb new file mode 100644 index 0000000..085b72f --- /dev/null +++ b/cookbooks/gpg/libraries/helpers.rb 
@@ -0,0 +1,43 @@ +module Gpg + module Helpers + include Chef::Mixin::ShellOut + + def key_exists(new_resource) + gpg_check = gpg_cmd + gpg_check << gpg_opts if new_resource.override_default_keyring + gpg_check << "--list-keys | grep '#{new_resource.name_real}'" + + cmd = Mixlib::ShellOut.new( + gpg_check, + user: new_resource.user, + group: new_resource.group + ) + + cmd.run_command + + cmd.exitstatus == 0 + end + + def gpg_opts(new_resource) + if new_resource.override_default_keyring + "--no-default-keyring --secret-keyring #{new_resource.secring_file} --keyring #{new_resource.pubring_file}" + else + false + end + end + + def gpg_cmd + "gpg2 --homedir #{new_resource.home_dir} " + end + + def gpg2_packages + packages = %w(haveged) + if platform_family?('suse') + packages.push('gpg2') + else + packages.push('gnupg2') + end + packages + end + end +end diff --git a/cookbooks/gpg/metadata.json b/cookbooks/gpg/metadata.json new file mode 100644 index 0000000..887a40e --- /dev/null +++ b/cookbooks/gpg/metadata.json @@ -0,0 +1,43 @@ +{ + "name": "gpg", + "description": "Installs/Configures gpg", + "long_description": "", + "maintainer": "Sous Chefs", + "maintainer_email": "help@sous-chefs.org", + "license": "Apache-2.0", + "platforms": { + "debian": ">= 0.0.0", + "ubuntu": ">= 0.0.0", + "centos": ">= 0.0.0", + "redhat": ">= 0.0.0", + "oracle": ">= 0.0.0", + "amazon": ">= 0.0.0", + "opensuse": ">= 0.0.0", + "suse": ">= 0.0.0" + }, + "dependencies": { + "yum-epel": ">= 0.0.0" + }, + "providing": { + + }, + "recipes": { + + }, + "version": "2.0.13", + "source_url": "https://github.com/sous-chefs/gpg", + "issues_url": "https://github.com/sous-chefs/gpg/issues", + "privacy": false, + "chef_versions": [ + [ + ">= 15.3" + ] + ], + "ohai_versions": [ + + ], + "gems": [ + + ], + "eager_load_libraries": true +} diff --git a/cookbooks/gpg/metadata.rb b/cookbooks/gpg/metadata.rb new file mode 100644 index 0000000..9507028 --- /dev/null +++ b/cookbooks/gpg/metadata.rb 
@@ -0,0 +1,20 @@ +name 'gpg' +maintainer 'Sous Chefs' +maintainer_email 'help@sous-chefs.org' +license 'Apache-2.0' +description 'Installs/Configures gpg' +source_url 'https://github.com/sous-chefs/gpg' +issues_url 'https://github.com/sous-chefs/gpg/issues' +version '2.0.13' +chef_version '>= 15.3' + +depends 'yum-epel' + +supports 'debian' +supports 'ubuntu' +supports 'centos' +supports 'redhat' +supports 'oracle' +supports 'amazon' +supports 'opensuse' +supports 'suse' diff --git a/cookbooks/gpg/renovate.json b/cookbooks/gpg/renovate.json new file mode 100644 index 0000000..a0b29c8 --- /dev/null +++ b/cookbooks/gpg/renovate.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": ["config:base"], + "packageRules": [ + { + "groupName": "Actions", + "matchUpdateTypes": ["minor", "patch", "pin"], + "automerge": true, + "addLabels": ["Release: Patch", "Skip: Announcements"] + }, + { + "groupName": "Actions", + "matchUpdateTypes": ["major"], + "automerge": false, + "addLabels": ["Release: Patch", "Skip: Announcements"] + } + ] +} diff --git a/cookbooks/gpg/resources/install.rb b/cookbooks/gpg/resources/install.rb new file mode 100644 index 0000000..04530a4 --- /dev/null +++ b/cookbooks/gpg/resources/install.rb @@ -0,0 +1,18 @@ +unified_mode true + +property :name, String, default: '' + +action :install do + include_recipe 'yum-epel' if platform_family?('rhel', 'amazon') + + package gpg2_packages + + service 'haveged' do + supports [:status, :restart] + action :start + end +end + +action_class do + include Gpg::Helpers +end diff --git a/cookbooks/gpg/resources/key.rb b/cookbooks/gpg/resources/key.rb new file mode 100644 index 0000000..826a7de --- /dev/null +++ b/cookbooks/gpg/resources/key.rb 
@@ -0,0 +1,166 @@ +unified_mode true + +property :batch_name, String, + name_property: true, + description: 'Name of the key/batch to generate.' + +property :override_default_keyring, [true, false], + default: false, + description: 'Set to true if you want to override the pubring_file and secring_file locations.' + +property :pubring_file, String, + description: 'Public keyring file location (override_default_keyring must be set to true or this option will be ignored)' + +property :secring_file, String, + description: 'Secret keyring file location (override_default_keyring must be set to true or this option will be ignored)' + +property :user, String, + default: 'root', + description: 'User to generate the key for' + +property :group, String, + default: lazy { user }, + description: 'Group to run the generate command as' + +property :key_type, String, + default: '1', equal_to: %w(RSA 1 DSA 17 ), + description: 'Corresponds to GPG option: Key-Type (RSA or DSA)' + +property :key_length, String, + default: '2048', equal_to: %w( 2048 4096 ), + description: 'Corresponds to GPG option: Key-Length (2048 or 4096)' + +property :name_real, String, + default: lazy { "Chef Generated Default (#{batch_name})" }, + description: 'Corresponds to GPG option: Name-Real' + +property :name_comment, String, + default: 'generated by Chef', + description: 'Corresponds to GPG option: Name-Comment' + +property :name_email, String, + default: lazy { "#{node.name}@example.com" }, + description: 'Corresponds to GPG option: Name-Email' + +property :expire_date, String, + default: '0', + description: 'Corresponds to GPG option: Expire-Date. Defaults to 0 (no expiry)' + +property :home_dir, String, + default: lazy { ::File.expand_path("~#{user}/.gnupg") }, + description: 'Location to store the keyring. 
Defaults to ~/.gnupg' + +property :batch_config_file, String, + default: lazy { ::File.join(home_dir, "gpg_batch_config_#{batch_name}") }, + description: 'Batch config file name' + +property :passphrase, String, + sensitive: true, + description: 'Passphrase for key' + +property :key_file, String, + description: 'Keyfile name' + +property :key_fingerprint, String, + description: 'Key finger print. Used to identify when deleting keys using the :delete action' + +# Only Ubuntu > 16.04 supports the pinetree_mode. And requires it +property :pinentry_mode, [String, FalseClass], + default: platform?('ubuntu') && node['platform_version'].to_f > 16.04 ? 'loopback' : false, + description: 'Pinentry mode. Set to loopback on Ubuntu and False (off) for all other platforms.' + +property :batch, [true, false], + default: true, + description: 'Turn batch mode on or off when genrating keys' + +action :generate do + unless key_exists(new_resource) + + config_dir = ::File.dirname(new_resource.batch_config_file) + + directory config_dir do + owner new_resource.user + mode '0700' + recursive true + not_if { ::Dir.exist?(config_dir) } + end + + file new_resource.batch_config_file do + content <<~EOS + Key-Type: #{new_resource.key_type} + Key-Length: #{new_resource.key_length} + Name-Real: #{new_resource.name_real} + Name-Comment: #{new_resource.name_comment} + Name-Email: #{new_resource.name_email} + Expire-Date: #{new_resource.expire_date} + EOS + + if new_resource.override_default_keyring + content << "%pubring #{new_resource.pubring_file}\n" + content << "%secring #{new_resource.secring_file}\n" + end + + content << "Passphrase: #{new_resource.passphrase}" if new_resource.passphrase + content << "%commit\n" + mode '0600' + owner new_resource.user + sensitive true + end + + cmd = gpg_cmd + cmd << gpg_opts(new_resource) if new_resource.override_default_keyring + cmd << " --passphrase #{new_resource.passphrase}" + cmd << ' --yes' + cmd << ' --batch' if new_resource.batch + cmd << ' 
--pinentry-mode loopback' if new_resource.pinentry_mode + cmd << " --gen-key #{new_resource.batch_config_file}" + + execute 'gpg2: generate' do + command cmd + live_stream true + user new_resource.user + group new_resource.group + end + + end +end + +action :import do + execute 'gpg2: import key' do + command "#{gpg_cmd} --import #{new_resource.key_file}" + user new_resource.user + group new_resource.group + not_if { key_exists(new_resource) } + end +end + +action :export do + execute 'gpg2: export key' do + command "#{gpg_cmd} --export -a \"#{new_resource.name_real}\" > #{new_resource.key_file}" + user new_resource.user + group new_resource.group + not_if { ::File.exist?(new_resource.key_file) } + end +end + +action :delete_public_key do + execute 'gpg2: delete key' do + command "#{gpg_cmd} --batch --yes --delete-key \"#{new_resource.key_fingerprint}\"" + user new_resource.user + group new_resource.group + only_if { key_exists(new_resource) } + end +end + +action :delete_secret_keys do + execute 'gpg2: delete key' do + command "#{gpg_cmd} --batch --yes --delete-secret-keys \"#{new_resource.key_fingerprint}\"" + user new_resource.user + group new_resource.group + only_if { key_exists(new_resource) } + end +end + +action_class do + include Gpg::Helpers +end diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb index 73292e4..ca64e0a 100644 --- a/site-cookbooks/kosmos_gitea/attributes/default.rb +++ b/site-cookbooks/kosmos_gitea/attributes/default.rb @@ -4,6 +4,11 @@ node.default["gitea"]["working_directory"] = "/var/lib/gitea" node.default["gitea"]["port"] = 3000 node.default["gitea"]["postgresql_host"] = "localhost:5432" node.default["gitea"]["domain"] = "gitea.kosmos.org" +node.default["gitea"]["commit_signing"] = { + "name_real" => "Gitea", + "name_comment" => "commit signing", + "name_email" => "git@#{node["gitea"]["domain"]}" +} node.default["gitea"]["config"] = { "actions": { 
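Review bot: This hash doubles as the feature switch — the recipe wraps the whole signing setup in `if node["gitea"]["commit_signing"]`, and because this attribute file always assigns it, signing is on for every node unless a role or environment overrides it with `false`; a comment stating that, e.g. `# set to false to disable commit signing`, would save the next reader a trip to the recipe. The hash also carries only the UID fields, so the vendored `gpg_key` defaults (RSA 2048, `expire_date "0"` = never expires) apply to the instance key; if key size or expiry should be tunable per node, they belong here as well.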
diff --git a/site-cookbooks/kosmos_gitea/metadata.rb b/site-cookbooks/kosmos_gitea/metadata.rb index f842b03..2ce2785 100644 --- a/site-cookbooks/kosmos_gitea/metadata.rb +++ b/site-cookbooks/kosmos_gitea/metadata.rb @@ -8,6 +8,7 @@ version '0.2.0' chef_version '>= 14.0' depends "firewall" +depends "gpg" depends "kosmos_openresty" depends "kosmos_postgresql" depends "backup" diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb index afae849..e334f42 100644 --- a/site-cookbooks/kosmos_gitea/recipes/default.rb +++ b/site-cookbooks/kosmos_gitea/recipes/default.rb @@ -77,6 +77,22 @@ if node.chef_environment == "production" } end +if node["gitea"]["commit_signing"] + gpg_install + + gpg_key "git" do + user "git" + group "git" + name_real node["gitea"]["commit_signing"]["name_real"] + name_comment node["gitea"]["commit_signing"]["name_comment"] + name_email node["gitea"]["commit_signing"]["name_email"] + end + + execute "enable git commit signing for all repositories" do + command "su - git -c 'git config --global commit.gpgsign true'" + end +end + config_variables = { working_directory: working_directory, git_home_directory: git_home_directory, @@ -93,6 +109,7 @@ config_variables = { smtp_user: smtp_credentials["user_name"], smtp_password: smtp_credentials["password"], config: node["gitea"]["config"], + commit_signing: node["gitea"]["commit_signing"], s3_key_id: gitea_data_bag_item["s3_key_id"], s3_secret_key: gitea_data_bag_item["s3_secret_key"], s3_bucket: gitea_data_bag_item["s3_bucket"] diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb index 5c79bba..d5a25e3 100644 --- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb +++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb 
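Review bot: Gitea's `SIGNING_KEY = default` mode appears to read `user.signingkey` (plus `user.name`/`user.email`) from the git user's global git config in addition to `commit.gpgsign`, but only `commit.gpgsign` is set here, so web-UI commits may silently remain unsigned — confirm against the Gitea version deployed. The `execute` also re-runs `su - git` on every converge with no guard; running the config writes as `user "git"` with `HOME` set (assuming `git_home_directory` is assigned earlier in the recipe, as its use in `config_variables` suggests) and a `not_if` per key makes them idempotent, as sketched below. Note the vendored `gpg_key` resource always appends `--passphrase` to the generate command even when no passphrase is given, so here it is immediately followed by `--yes`; verify what passphrase the generated key actually ends up with, since Gitea cannot supply one at signing time. Finally, the resource defaults to a 2048-bit RSA key that never expires; consider `key_length "4096"` and an `expire_date` for an instance-wide signing key.
```ruby
if node["gitea"]["commit_signing"]
  # … unchanged: gpg_install and gpg_key "git" …

  git_env = { "HOME" => git_home_directory }

  # Gitea's SIGNING_KEY = default reads these from the git user's global config.
  {
    "commit.gpgsign" => "true",
    "user.name"      => node["gitea"]["commit_signing"]["name_real"],
    "user.email"     => node["gitea"]["commit_signing"]["name_email"],
  }.each do |key, value|
    execute "git config --global #{key}" do
      command ["git", "config", "--global", key, value]
      user "git"
      environment git_env
      not_if "git config --global --get #{key} | grep -qxF -- \"#{value}\"", user: "git", environment: git_env
    end
  end

  # user.signingkey: fingerprint of the secret key gpg_key generated above.
  execute "git config --global user.signingkey" do
    command "git config --global user.signingkey \"$(gpg2 --list-secret-keys --with-colons | awk -F: '/^fpr/ { print $10; exit }')\""
    user "git"
    environment git_env
    not_if "git config --global --get user.signingkey", user: "git", environment: git_env
  end
end
```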
@@ -28,6 +28,15 @@ SSL_MODE = disable [repository] ROOT = <%= @repository_root_directory %> +<% if @commit_signing %> +[repository.signing] +SIGNING_KEY = default +INITIAL_COMMIT = always +CRUD_ACTIONS = always +MERGES = always +WIKI = never +<% end %> + # [indexer] # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
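Review bot: `CRUD_ACTIONS = always` and `MERGES = always` make the instance key sign every web edit and UI merge regardless of whether the acting user has a verified GPG key or a second factor, so a hijacked web session produces commits that carry the server's signature; Gitea's narrower modes (`pubkey`, `twofa`, `parentsigned`, and for merges `commitssigned`/`approved`) limit that to users who have proven control of a key or 2FA. If `always` is the intended semantics, a template comment saying so would help, e.g. `# always: the instance signature attests only that the change was made through the web UI, not who made it`. `SIGNING_KEY = default` also depends on the git RUN_USER's global git config (`commit.gpgsign`, `user.signingkey`) being populated; that lives in the recipe rather than here, so keep the two in step.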