feat: add git-commit-signing module

2 years ago · 8f32c34eb5
parent 08162f5894
commit 8f32c34eb5
3 changed files with 78 additions and 0 deletions
--- a/git-commit-signing/README.md
+++ b/git-commit-signing/README.md
@ -0,0 +1,23 @@
+---
+display_name: Git commit signing
+description: Configures Git to sign commits using your Coder SSH key
+icon:  ../.icons/git.svg
+maintainer_github: phorcys420
+verified: false
+tags: [helper, git]
+---
+
+# git-commit-signing
+
+This module downloads your SSH key from Coder and uses it to sign commits with Git.
+It requires `jq` to be installed inside your workspace.
+
+This is not recommended if your workspace can be accessed by other/unwanted people, in the case an administrator account on your Coder account gets breached, the attacker could gain access to your workspace and sign commits on your behalf (since the key is stored in the worksace).
+If your Coder account gets breached, the SSH key could also be used on your behalf.
+
+```hcl
+module "git-commit-signing" {
+    source = "https://registry.coder.com/modules/git-commit-signing"
+    agent_id = coder_agent.example.id
+}
+```
--- a/git-commit-signing/main.tf
+++ b/git-commit-signing/main.tf
@ -0,0 +1,29 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">= 0.12"
+    }
+  }
+}
+
+locals {
+  icon_url = "https://raw.githubusercontent.com/coder/modules/main/.icons/git.svg"
+}
+
+variable "agent_id" {
+  type        = string
+  description = "The ID of a Coder agent."
+}
+
+resource "coder_script" "git-commit-signing" {
+  display_name = "Git commit signing"
+  icon         = local.icon_url
+
+  script       = file("${path.module}/run.sh")
+  run_on_start = true
+
+  agent_id = var.agent_id
+}
--- a/git-commit-signing/run.sh
+++ b/git-commit-signing/run.sh
@ -0,0 +1,26 @@
+#!/usr/bin/env sh
+
+mkdir -p ~/.ssh
+
+echo "Downloading SSH key"
+
+ssh_key=$(curl --request GET \
+        --url "${CODER_AGENT_URL}api/v2/workspaceagents/me/gitsshkey" \
+        --header "Coder-Session-Token: ${CODER_AGENT_TOKEN}")
+
+jq --raw-output ".public_key" > ~/.ssh/coder.pub <<EOF
+$ssh_key
+EOF
+
+jq --raw-output ".private_key" > ~/.ssh/coder <<EOF
+$ssh_key
+EOF
+
+chmod -R 400 ~/.ssh/coder
+chmod -R 400 ~/.ssh/coder.pub
+
+echo "Configuring git to use the SSH key"
+
+git config --global gpg.format ssh
+git config --global commit.gpgsign true
+git config --global user.signingkey ~/.ssh/coder