From adab5a14d48e7a79a9b72e5d3567b03da97a14d0 Mon Sep 17 00:00:00 2001
From: Sasi Olin
Date: Feb 19 2022 06:32:53 +0000
Subject: Merge branch 'pagure' into 'production' Restrict permissions on pagure configs See merge request infra/salt!542
---
diff --git a/salt/profile/pagure/files/pagure.cfg b/salt/profile/pagure/files/pagure.cfg
index 97a1171..a6bb1ec 100644
--- a/salt/profile/pagure/files/pagure.cfg
+++ b/salt/profile/pagure/files/pagure.cfg
@@ -306,3 +306,6 @@ REPOSPANNER_REGIONS = {}
 # PAGURE_PLUGINS_CONFIG = "/etc/pagure/plugins.cfg"
 THEME = 'chameleon'
+
+# Ensure openid return traffic is encrypted
+PREFERRED_URL_SCHEME = 'https'
diff --git a/salt/profile/pagure/init.sls b/salt/profile/pagure/init.sls
index c91d13c..bfbeb43 100644
--- a/salt/profile/pagure/init.sls
+++ b/salt/profile/pagure/init.sls
@@ -21,6 +21,8 @@ pagure_conf:
 - name: /etc/pagure/pagure.cfg
 - source: salt://profile/pagure/files/pagure.cfg
 - template: jinja
+ - group: git
+ - mode: '0640'
 - require_in:
 - service: pagure_web_service
 - watch_in:
@@ -40,6 +42,8 @@ pagure_alembic_conf:
 - name: /etc/pagure/alembic.ini
 - source: salt://profile/pagure/files/alembic.ini
 - template: jinja
+ - group: git
+ - mode: '0640'
 - require_in:
 - service: pagure_web_service
 - watch_in:
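Review bot: The comment above `PREFERRED_URL_SCHEME = 'https'` promises more than this setting is likely to deliver on its own. As far as I know Flask consults it mainly when a URL is built outside a request; inside a request the scheme comes from the WSGI environment, so behind a TLS-terminating proxy the openid return URL still depends on the forwarded scheme being honoured, which is worth confirming against how pagure builds that URL. I would word it as `# Prefer https for generated external URLs (openid return_to); the proxy must still pass the request scheme through`. The change is also unrelated to the permission restriction named in the commit title, so a line about it in the description would help.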
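Review bot: Neither `pagure_conf` nor `pagure_alembic_conf` (the next hunk) pins the file owner, so with `mode: '0640'` write access stays with whichever account already owns the file or whatever Salt defaults to on the minion. Adding `- user: root` next to `- group: git` in both states would make the result deterministic and keep the `git` group read-only. A short comment saying why the group is `git` would also help, e.g. `# readable only by the pagure service group; rendered file holds secrets`, assuming these templates render credentials, which the hunks do not show. Both states begin and continue outside their hunks.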