Configure commit signing for Gitea

refs #237

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -4,6 +4,11 @@ node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
+node.default["gitea"]["commit_signing"] = {
+  "name_real" => "Gitea",
+  "name_comment" => "commit signing",
+  "name_email" => "git@#{node["gitea"]["domain"]}"
+}
 
 node.default["gitea"]["config"] = {
   "actions": {

site-cookbooks/kosmos_gitea/metadata.rb

@@ -8,6 +8,7 @@ version '0.2.0'
 chef_version '>= 14.0'
 
 depends "firewall"
+depends "gpg"
 depends "kosmos_openresty"
 depends "kosmos_postgresql"
 depends "backup"

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -77,6 +77,22 @@ if node.chef_environment == "production"
   }
 end
 
+if node["gitea"]["commit_signing"]
+  gpg_install
+
+  gpg_key "git" do
+    user "git"
+    group "git"
+    name_real node["gitea"]["commit_signing"]["name_real"]
+    name_comment node["gitea"]["commit_signing"]["name_comment"]
+    name_email node["gitea"]["commit_signing"]["name_email"]
+  end
+
+  execute "enable git commit signing for all repositories" do
+    command "su - git -c 'git config --global commit.gpgsign true'"
+  end
+end
+
 config_variables = {
   working_directory: working_directory,
   git_home_directory: git_home_directory,
@@ -93,6 +109,7 @@ config_variables = {
   smtp_user: smtp_credentials["user_name"],
   smtp_password: smtp_credentials["password"],
   config: node["gitea"]["config"],
+  commit_signing: node["gitea"]["commit_signing"],
   s3_key_id: gitea_data_bag_item["s3_key_id"],
   s3_secret_key: gitea_data_bag_item["s3_secret_key"],
   s3_bucket: gitea_data_bag_item["s3_bucket"]

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -28,6 +28,15 @@ SSL_MODE = disable
 [repository]
 ROOT = <%= @repository_root_directory %>
 
+<% if @commit_signing %>
+[repository.signing]
+SIGNING_KEY = default
+INITIAL_COMMIT = always
+CRUD_ACTIONS = always
+MERGES = always
+WIKI = never
+<% end %>
+
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve