From fc70ec84fcddc6a03452b26a1abfeb1a277ba832 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Mon, 8 Jul 2024 12:22:59 +0200
Subject: [PATCH] allow all directories to be "safe" in git terms Git in EL9+ only allows to clone repositories that one is the owner of. This obviously doesn't work for shared repositories like we have them for secretsgit. Disable that feature alltogether on systems that serve as secretsgit sources. Sadly a more specific wildcard is not supported [1] and given Puppet doesn't know which stores we have, I've opted to completely disabling this feature. [1] https://git-scm.com/docs/git-config/2.45.0#Documentation/git-config.txt-safedirectory
---
 puppet/modules/secretsgit/files/gitconfig | 2 ++
 puppet/modules/secretsgit/manifests/init.pp | 8 ++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 puppet/modules/secretsgit/files/gitconfig
diff --git a/puppet/modules/secretsgit/files/gitconfig b/puppet/modules/secretsgit/files/gitconfig
new file mode 100644
index 000000000..e853fd6f8
--- /dev/null
+++ b/puppet/modules/secretsgit/files/gitconfig
@@ -0,0 +1,2 @@
+[safe]
+ directory = *
diff --git a/puppet/modules/secretsgit/manifests/init.pp b/puppet/modules/secretsgit/manifests/init.pp
index acc68875c..960982a93 100644
--- a/puppet/modules/secretsgit/manifests/init.pp
+++ b/puppet/modules/secretsgit/manifests/init.pp
@@ -16,6 +16,14 @@
 Stdlib::Absolutepath $path = '/srv/secretsgit',
 Array[String] $users = [],
 ) {
+ file { '/etc/gitconfig':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/secretsgit/gitconfig',
+ }
+
 group { $group:
 ensure => present,
 }
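Review bot: `directory = *` in the system-wide config turns off git's repository ownership check for every account on the host, root included, and for every path, not only the repositories under the secretsgit store. That check is what stops git from honouring the configuration of a repository written by a different user, so the trust boundary between the accounts sharing these repos is removed as a side effect. The file carries no explanation of this; a leading comment such as `# Disables git's ownership check host-wide; required for the group-shared secretsgit repositories` would make the accepted risk visible to whoever reads `/etc/gitconfig` on the box. If the git packaged on these hosts accepts a leading-path pattern (newer git-config documentation describes a `<path>/*` form; verify against the installed version), rendering the module's `$path` into this file would be narrower than `*`.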
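Review bot: The new `file { '/etc/gitconfig': ... source => ... }` resource takes over the whole system-wide git configuration, so any settings already present in that file on a secretsgit host are replaced, and no other module can declare the same path without a duplicate-resource conflict. Only the `safe.directory` key is needed here, so managing that single setting (for example with an `ini_setting`-style resource, if such a module is available in this codebase) would leave the rest of the file alone. Because the setting applies to every user rather than just the accounts in `$users`, a comment above the resource such as `# Shared secretsgit repos are not owned by the users cloning them; this disables git's ownership check host-wide` would document the scope. The class body starts before and continues after this hunk, so whether other resources already touch git configuration cannot be seen from here.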