Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow all directories to be "safe" in git terms #2100

Merged
merged 1 commit into from
Jul 8, 2024
Merged

allow all directories to be "safe" in git terms #2100

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions puppet/modules/secretsgit/files/gitconfig
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
[safe]
directory = *
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be a template and we put $secretsgit::path in there?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$secretgit::path is the base, and our repos are ${secretgit::path}/blah.git etc. You need to pass full paths to those repos here, or *, otherwise it won't work (I tried).

8 changes: 8 additions & 0 deletions puppet/modules/secretsgit/manifests/init.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,14 @@
Stdlib::Absolutepath $path = '/srv/secretsgit',
Array[String] $users = [],
) {
file { '/etc/gitconfig':
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The alternative would be to set this for each repo we have, but we don't manage those. Would that be preferable? Extend the creation instructions on line 7 with a repo config.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That'd mean every time you create a repo you need someone with root permissions to edit the system config, sounds annoying to me.
(but then again, we do not create new repos that often)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That'd mean every time you create a repo you need someone with root permissions to edit the system config, sounds annoying to me.

Don't you already need that now?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't being in the secrets group be enough?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then shouldn't being in the secrets group be enough to run git --git-dir $REPO config safe.directory $REPO?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Safe directory is only accepted in system and global configs, otherwise a repo could declare itself safe

ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => file('secretsgit/gitconfig'),
}

group { $group:
ensure => present,
}
Expand Down