From 154c4ba03e571f6e6cee95731953d9b610fff7e0 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Mon, 8 Jul 2024 12:22:59 +0200 Subject: [PATCH] allow all directories to be "safe" in git terms Git in EL9+ only allows to clone repositories that one is the owner of. This obviously doesn't work for shared repositories like we have them for secretsgit. Disable that feature alltogether on systems that serve as secretsgit sources. Sadly a more specific wildcard is not supported [1] and given Puppet doesn't know which stores we have, I've opted to completely disabling this feature. [1] https://git-scm.com/docs/git-config/2.45.0#Documentation/git-config.txt-safedirectory
---
 puppet/modules/secretsgit/files/gitconfig | 2 ++ puppet/modules/secretsgit/manifests/init.pp | 8 ++++++++ 2 files changed, 10 insertions(+) create mode 100644 puppet/modules/secretsgit/files/gitconfig
diff --git a/puppet/modules/secretsgit/files/gitconfig b/puppet/modules/secretsgit/files/gitconfig
new file mode 100644
index 000000000..e853fd6f8
--- /dev/null
+++ b/puppet/modules/secretsgit/files/gitconfig
@@ -0,0 +1,2 @@
+[safe]
+ directory = *
diff --git a/puppet/modules/secretsgit/manifests/init.pp b/puppet/modules/secretsgit/manifests/init.pp
index acc68875c..1c79113d2 100644
--- a/puppet/modules/secretsgit/manifests/init.pp
+++ b/puppet/modules/secretsgit/manifests/init.pp
@@ -16,6 +16,14 @@
 Stdlib::Absolutepath $path = '/srv/secretsgit',
 Array[String] $users = [],
 ) {
+ file { '/etc/gitconfig':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => file('secretsgit/gitconfig'),
+ }
+
 group { $group:
 ensure => present,
 }
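Review bot: The new `files/gitconfig` has no comment recording that `directory = *` switches off Git's repository-ownership check for every account and every path on the host, not only for the secretsgit stores. Because `init.pp` installs it as `/etc/gitconfig`, any user, root included, who runs git inside a directory that another account can write to will have that repository's local configuration honoured. A header comment would keep the trade-off visible to the next editor, for example `# safe.directory=* disables the ownership check host-wide; needed for shared secretsgit stores, narrow it once Git allows a path prefix`. Later Git releases appear to accept a `/*`-suffixed path prefix for this key, so the bare wildcard may be replaceable once the deployed version supports it.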
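Review bot: The `file { '/etc/gitconfig': ... }` resource added in `manifests/init.pp` takes over the whole system-level Git configuration rather than a single setting. Any section already present in `/etc/gitconfig` on a secretsgit host is overwritten on the next run, and a second module declaring the same path would fail catalog compilation with a duplicate resource. It is worth recording that next to the resource, e.g. `# Owns all of /etc/gitconfig; content relaxes safe.directory for every repository, not only those under $path`. If a per-setting resource type is available in this tree, managing only `safe.directory` would leave the rest of the file alone. The class body begins above this hunk and continues below it.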