From 6e83384da58a29f0b7d3792bec656aa1e412ea3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Fri, 13 Feb 2026 16:07:24 +0400
Subject: [PATCH 1/2] Use more attributes for Gitea config
---
 site-cookbooks/kosmos_gitea/attributes/default.rb | 1 +
 site-cookbooks/kosmos_gitea/recipes/default.rb | 2 ++
 site-cookbooks/kosmos_gitea/templates/default/app.ini.erb | 6 +++---
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb
index 9debdd4..8d19c26 100644
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@@ -6,6 +6,7 @@ node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
 node.default["gitea"]["domain"] = "gitea.kosmos.org"
+node.default["gitea"]["email"] = "gitea@kosmos.org"
 node.default["gitea"]["config"] = {
 "log": {
diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb
index 334780e..bc0a53e 100644
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -78,6 +78,8 @@ if node.chef_environment == "production"
 end
 config_variables = {
+ domain: node["gitea"]["domain"],
+ email: node["gitea"]["email"],
 working_directory: working_directory,
 git_home_directory: git_home_directory,
 repository_root_directory: repository_root_directory,
diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
index 0e819d0..5f9cc17 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -2,12 +2,12 @@ APP_NAME = Gitea
 RUN_MODE = prod
 [server]
-SSH_DOMAIN = gitea.kosmos.org
+SSH_DOMAIN = <%= @domain %>
 HTTP_PORT = 3000
 DISABLE_SSH = false
 SSH_PORT = 22
 PROTOCOL = http
-DOMAIN = gitea.kosmos.org
+DOMAIN = <%= @domain %>
 # Gitea is running behind an nginx reverse load balancer, use an HTTPS root URL
 ROOT_URL = https://%(DOMAIN)s
 # REDIRECT_OTHER_PORT = true
@@ -46,7 +46,7 @@ SMTP_ADDR = <%= @smtp_addr %>
 SMTP_PORT = <%= @smtp_port %>
 USER = <%= @smtp_user %>
 PASSWD = <%= @smtp_password %>
-FROM = gitea@kosmos.org
+FROM = <%= @email %>
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>
-- 2.50.1
From 161b78be9768715069273cf7de057ece9a54c697 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Fri, 13 Feb 2026 16:08:11 +0400
Subject: [PATCH 2/2] Configure Gitea commit signing with SSH key
---
 .../kosmos_gitea/recipes/default.rb | 28 +++++++++++++++++++
 .../templates/default/app.ini.erb | 10 +++++++
 2 files changed, 38 insertions(+)
diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb
index bc0a53e..8049a70 100644
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -19,6 +19,17 @@ jwt_secret = gitea_data_bag_item["jwt_secret"]
 internal_token = gitea_data_bag_item["internal_token"]
 secret_key = gitea_data_bag_item["secret_key"]
+apt_repository "git-core-ppa" do
+ uri "http://ppa.launchpad.net/git-core/ppa/ubuntu"
+ components ["main"]
+ key "E1DF1F24"
+ action :add
+ only_if do
+ node['platform'] == 'ubuntu' &&
+ Gem::Version.new(node['platform_version']) < Gem::Version.new('22.04')
+ end
+end
+
 package "git"
 user "git" do
@@ -26,6 +37,13 @@ user "git" do
 home "/home/git"
 end
+directory "/home/git/.ssh" do
+ owner "git"
+ group "git"
+ mode "0700"
+ recursive true
+end
+
 directory working_directory do
 owner "git"
 group "git"
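Review bot: `HTTP_PORT = 3000` in the `[server]` section of app.ini.erb stays hard-coded even though this commit moves the neighbouring literals to attributes and attributes/default.rb already defines `node["gitea"]["port"]`. If that attribute is overridden, anything else in the cookbook that reads it (presumably the reverse-proxy configuration, which is not visible here) would disagree with the port Gitea actually listens on. I would add `port: node["gitea"]["port"],` to `config_variables` and render `HTTP_PORT = <%= @port %>`; the hash is only partly visible in the hunk, so check that no such key is already passed.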
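Review bot: The `apt_repository "git-core-ppa"` block in recipes/default.rb identifies the PPA signing key by an 8-character short ID (`key "E1DF1F24"`), and short key IDs are known to collide, so the keyserver lookup is not guaranteed to return the intended key. That key is the trust anchor for every package taken from the PPA, including the `git` package installed right after it. Pin the full fingerprint instead, e.g. `key "<FULL_40_HEX_FINGERPRINT>"` (placeholder; copy the value from the PPA's Launchpad page), and consider an HTTPS repository URI rather than the plain `http://` one so repository metadata is not fetched in clear text.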
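Review bot: `directory "/home/git/.ssh"` hard-codes a path that the key-generation resource added later in this commit derives from `git_home_directory` (`#{git_home_directory}/.ssh/id_ed25519`). If the two ever differ, ssh-keygen would write into a directory this resource did not create or lock down to `0700`. I would use `directory "#{git_home_directory}/.ssh" do`, provided the variable is assigned before this point (its definition is outside the visible hunks). `recursive true` can probably go as well: Chef applies owner, group and mode only to the leaf directory, and the parent is presumably created by the `user "git"` resource.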
@@ -100,6 +118,16 @@ config_variables = {
 s3_bucket: gitea_data_bag_item["s3_bucket"]
 }
+bash "Generate git ed25519 keypair" do
+ user "git"
+ group "git"
+ cwd git_home_directory
+ code <<-EOH
+ ssh-keygen -t ed25519 -f #{git_home_directory}/.ssh/id_ed25519
+ EOH
+ creates "#{git_home_directory}/.ssh/id_ed25519"
+end
+
 template "#{config_directory}/app.ini" do
 source "app.ini.erb"
 owner "git"
diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
index 5f9cc17..a3ef14f 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -30,6 +30,16 @@ MAX_OPEN_CONNS = 20
 ROOT = <%= @repository_root_directory %>
 DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true
+[repository.signing]
+SIGNING_KEY = <%= @git_home_directory %>/.ssh/id_ed25519.pub
+SIGNING_NAME = Gitea
+SIGNING_EMAIL = git@<%= @domain %>
+SIGNING_FORMAT = ssh
+INITIAL_COMMIT = always
+CRUD_ACTIONS = always
+WIKI = always
+MERGES = always
+
 # [indexer]
 # ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
-- 2.50.1
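Review bot: The `ssh-keygen` call inside `bash "Generate git ed25519 keypair"` passes no `-N`, so it asks for a passphrase; depending on whether the chef-client run has a terminal, that either blocks the converge or takes whatever happens to be on stdin. Make the unattended, passphrase-less key an explicit choice: `ssh-keygen -q -t ed25519 -N '' -f #{git_home_directory}/.ssh/id_ed25519`. Because this private key becomes the instance's commit-signing identity and exists only on the node, add a comment saying so. A rebuilt server would generate a new key, and earlier instance signatures would stop verifying against it unless the key is backed up or provisioned from a secret store such as the data bag the recipe already reads.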
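Review bot: In the new `[repository.signing]` section, `CRUD_ACTIONS`, `WIKI` and `MERGES` are all set to `always`, so the instance key signs every web edit and every merge regardless of who performed it or whether the merged commits were themselves signed. A verified instance signature then only shows that the commit was created through Gitea, which weakens any branch or review policy that treats signed commits as evidence of origin. Unless that is the intent, consider the conditional values Gitea documents, such as `MERGES = pubkey, twofa, basesigned, commitssigned` and `CRUD_ACTIONS = pubkey, twofa, parentsigned`. If `always` is deliberate, a comment above the section explaining the choice would help.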