diff --git a/.travis.yml b/.travis.yml index 8991c4f..29625b1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,6 +4,9 @@ dist: bionic stages: - test + - lint + - name: release + if: branch = master AND type != pull_request sudo: required cache: bundler @@ -43,3 +46,41 @@ env: script: - bin/kitchen verify ${INSTANCE} + +jobs: + include: + # Define the `lint` stage (runs `yamllint` and `commitlint`) + - stage: lint + language: node_js + node_js: lts/* + before_install: skip + script: + # Install and run `yamllint` + # Need at least `v1.17.0` for the `yaml-files` setting + - pip install --user yamllint>=1.17.0 + - yamllint -s . + # Install and run `commitlint` + - npm install @commitlint/config-conventional -D + - npm install @commitlint/travis-cli -D + - commitlint-travis + # Define the release stage that runs `semantic-release` + - stage: release + language: node_js + node_js: lts/* + before_install: skip + script: + # Update `AUTHORS.md` + - export MAINTAINER_TOKEN=${GH_TOKEN} + - go get github.com/myii/maintainer + - maintainer contributor + + # Install all dependencies required for `semantic-release` + - npm install @semantic-release/changelog@3 -D + - npm install @semantic-release/exec@3 -D + - npm install @semantic-release/git@7 -D + deploy: + provider: script + skip_cleanup: true + script: + # Run `semantic-release` + - npx semantic-release@15 diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..a8509bc --- /dev/null +++ b/.yamllint 
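Review bot: The version constraint in `pip install --user yamllint>=1.17.0` in the new lint stage is never applied: the shell reads `>=1.17.0` as a redirection of stdout to a file named `=1.17.0`, so pip installs whatever version is current and the `yaml-files` setting that the comment says needs 1.17.0 may be unsupported. Quote the specifier: `- pip install --user 'yamllint>=1.17.0'`. The lint stage also pulls the `@commitlint/*` packages with no version at all, and the release stage pulls `github.com/myii/maintainer` and the `@semantic-release/*` plugins at major-version pins only, so each run resolves whatever is newest; pinning exact versions (or committing a lockfile) keeps the release job, which runs with `GH_TOKEN` exported into `MAINTAINER_TOKEN`, from executing unreviewed upstream code.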
@@ -0,0 +1,30 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +# Extend the `default` configuration provided by `yamllint` +extends: default + +# Files to ignore completely +# 1. All YAML files under directory `node_modules/`, introduced during the Travis run +# 2. Any SLS files under directory `test/`, which are actually state files +ignore: | + node_modules/ + test/**/states/**/*.sls + +yaml-files: + # Default settings + - '*.yaml' + - '*.yml' + - .yamllint + # SaltStack Formulas additional settings + - '*.example' + - test/**/*.sls + +rules: + empty-values: + forbid-in-block-mappings: true + forbid-in-flow-mappings: true + line-length: + # Increase from default of `80` + # Based on https://github.com/PyCQA/flake8-bugbear#opinionated-warnings (`B950`) + max: 88 diff --git a/README.rst b/README.rst deleted file mode 100644 index 8c633f7..0000000 --- a/README.rst +++ /dev/null @@ -1,40 +0,0 @@ -stunnel-formula -=============== - -Install and configure stunnel - - -Developed on the following operating systems: - - - Ubuntu 16.04 (and accordingly installs stunnel4 via apt). - - FreeBSD (11.1) - -The following ancillary but very relevant things are not managed by this formula: - - - Firewall rules to match - -.. note:: - - See the full `Salt Formulas installation and usage instructions - `_. - -Available states -================ - -.. contents:: - :local: - -``stunnel`` ------------ - -Installs the ``stunnel`` package and sets up services defined via Pillar. - -``stunnel.pillar_certs`` ------------------ - -Manage the contents of key, cert and CA file via pillar. - -``stunnel.remove`` ------------------- - -Removes ``stunnel``, its config and its user and group. diff --git a/commitlint.config.js b/commitlint.config.js new file mode 100644 index 0000000..2f9d1aa --- /dev/null +++ b/commitlint.config.js @@ -0,0 +1,3 @@ +module.exports = { + extends: ['@commitlint/config-conventional'], +}; 
diff --git a/docs/CONTRIBUTING.rst b/docs/CONTRIBUTING.rst new file mode 100644 index 0000000..b7da8f4 --- /dev/null +++ b/docs/CONTRIBUTING.rst @@ -0,0 +1,159 @@ +.. _contributing: + +How to contribute +================= + +This document will eventually outline all aspects of guidance to make your contributing experience a fruitful and enjoyable one. +What it already contains is information about *commit message formatting* and how that directly affects the numerous automated processes that are used for this repo. +It also covers how to contribute to this *formula's documentation*. + +.. contents:: **Table of Contents** + +Overview +-------- + +Submitting a pull request is more than just code! +To achieve a quality product, the *tests* and *documentation* need to be updated as well. +An excellent pull request will include these in the changes, wherever relevant. + +Commit message formatting +------------------------- + +Since every type of change requires making Git commits, +we will start by covering the importance of ensuring that all of your commit +messages are in the correct format. + +Automation of multiple processes +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This formula uses `semantic-release `_ for automating numerous processes such as bumping the version number appropriately, creating new tags/releases and updating the changelog. +The entire process relies on the structure of commit messages to determine the version bump, which is then used for the rest of the automation. + +Full details are available in the upstream docs regarding the `Angular Commit Message Conventions `_. +The key factor is that the first line of the commit message must follow this format: + +.. code-block:: + + type(scope): subject + + +* E.g. ``docs(contributing): add commit message formatting instructions``. + +Besides the version bump, the changelog and release notes are formatted accordingly. +So based on the example above: + +.. + + .. raw:: html + +

Documentation

+ + * **contributing:** add commit message formatting instructions + + +* The ``type`` translates into a ``Documentation`` sub-heading. +* The ``(scope):`` will be shown in bold text without the brackets. +* The ``subject`` follows the ``scope`` as standard text. + +Linting commit messages in Travis CI +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This formula uses `commitlint `_ for checking commit messages during CI testing. +This ensures that they are in accordance with the ``semantic-release`` settings. + +For more details about the default settings, refer back to the ``commitlint`` `reference rules `_. + +Relationship between commit type and version bump +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This formula applies some customisations to the defaults, as outlined in the table below, +based upon the `type `_ of the commit: + +.. list-table:: + :name: commit-type-vs-version-bump + :header-rows: 1 + :stub-columns: 0 + :widths: 1,2,3,1,1 + + * - Type + - Heading + - Description + - Bump (default) + - Bump (custom) + * - ``build`` + - Build System + - Changes related to the build system + - – + - + * - ``chore`` + - – + - Changes to the build process or auxiliary tools and libraries such as + documentation generation + - – + - + * - ``ci`` + - Continuous Integration + - Changes to the continuous integration configuration + - – + - + * - ``docs`` + - Documentation + - Documentation only changes + - – + - 0.0.1 + * - ``feat`` + - Features + - A new feature + - 0.1.0 + - + * - ``fix`` + - Bug Fixes + - A bug fix + - 0.0.1 + - + * - ``perf`` + - Performance Improvements + - A code change that improves performance + - 0.0.1 + - + * - ``refactor`` + - Code Refactoring + - A code change that neither fixes a bug nor adds a feature + - – + - 0.0.1 + * - ``revert`` + - Reverts + - A commit used to revert a previous commit + - – + - 0.0.1 + * - ``style`` + - Styles + - Changes that do not affect the meaning of the code (white-space, + formatting, missing semi-colons, 
etc.) + - – + - 0.0.1 + * - ``test`` + - Tests + - Adding missing or correcting existing tests + - – + - 0.0.1 + +Use ``BREAKING CHANGE`` to trigger a ``major`` version change +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Adding ``BREAKING CHANGE`` to the footer of the extended description of the commit message will **always** trigger a ``major`` version change, no matter which type has been used. +This will be appended to the changelog and release notes as well. +To preserve good formatting of these notes, the following format is prescribed: + +* ``BREAKING CHANGE: .`` + +An example of that: + +.. code-block:: git + + ... + + BREAKING CHANGE: With the removal of all of the `.sls` files under + `template package`, this formula no longer supports the installation of + packages. + diff --git a/docs/README.rst b/docs/README.rst new file mode 100644 index 0000000..a672326 --- /dev/null +++ b/docs/README.rst 
@@ -0,0 +1,103 @@ +.. _readme: + +stunnel-formula +=============== + +|img_travis| |img_sr| + +.. |img_travis| image:: https://travis-ci.com/saltstack-formulas/stunnel-formula.svg?branch=master + :alt: Travis CI Build Status + :scale: 100% + :target: https://travis-ci.com/saltstack-formulas/stunnel-formula +.. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg + :alt: Semantic Release + :scale: 100% + :target: https://github.com/semantic-release/semantic-release + +Formula to set up and configure stunnel. + +.. contents:: **Table of Contents** + +General notes +------------- + +See the full `SaltStack Formulas installation and usage instructions +`_. + +If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section +`_. + +If you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``, +which contains the currently released version. This formula is versioned according to `Semantic Versioning `_. + +See `Formula Versioning Section `_ for more details. + +Contributing to this repo +------------------------- + +**Commit message formatting is significant!!** + +Please see :ref:`How to contribute ` for more details. + +Available states +---------------- + +.. contents:: + :local: + +``stunnel`` +^^^^^^^^^^^ +Installs and configures the stunnel package from upstream repository. + +``stunnel.pillar_certs`` +^^^^^^^^^^^^^^^^^^^^^^^^ +Manage the contents of key, cert and CA file via pillar. + +``stunnel.remove`` +^^^^^^^^^^^^^^^^^^ +Removes ``stunnel``, its config and its user and group. + +Testing +------- + +Linux testing is done with ``kitchen-salt``. + +Requirements +^^^^^^^^^^^^ + +* Ruby +* Docker + +.. code-block:: bash + + $ gem install bundler + $ bundle install + $ bin/kitchen test [platform] + +Where ``[platform]`` is the platform name defined in ``kitchen.yml``, +e.g. ``debian-9-2019-2-py3``. 
+ +``bin/kitchen converge`` +^^^^^^^^^^^^^^^^^^^^^^^^ + +Creates the docker instance and runs the ``stunnel`` main state, ready for testing. + +``bin/kitchen verify`` +^^^^^^^^^^^^^^^^^^^^^^ + +Runs the ``inspec`` tests on the actual instance. + +``bin/kitchen destroy`` +^^^^^^^^^^^^^^^^^^^^^^^ + +Removes the docker instance. + +``bin/kitchen test`` +^^^^^^^^^^^^^^^^^^^^ + +Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``. + +``bin/kitchen login`` +^^^^^^^^^^^^^^^^^^^^^ + +Gives you SSH access to the instance for manual testing. diff --git a/pillar.example b/pillar.example index 5ae1e7d..2e8ee79 100644 --- a/pillar.example +++ b/pillar.example @@ -1,3 +1,6 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- stunnel: # These have defaults set by grains filtering in map.jinja @@ -11,21 +14,26 @@ stunnel: log_dir: /var/log/stunnel pid: /var/run/stunnel.pid debug: notice - service_defaults: # use this to override service_defaults.yaml + service_defaults: + # Use this to override service_defaults.yaml # The presence of these files per service is MANDATORY. # Managing these files is currently out of scope of this formula. # (Have a look at map.jinja to get your OS'es paths.) cert: /etc/stunnel/tls/${service_name}.crt key: /etc/stunnel/tls/${service_name}.key CAfile: /etc/stunnel/tls/${service_name}.ca + # in example: - verifyChain: yes # True and False work too - verifyPeer: yes - # for old versions of stunnel: set to None to get rid of those settings (or use the default) - verifyChain: - verifyPeer: - verify: 2 - # + # True and False work too + # verifyChain: yes + # verifyPeer: yes + + # for old versions of stunnel: set to None to get rid + # of those settings (or use the default) + # verifyChain: + # verifyPeer: + # verify: 2 + # The idea is to provide a secure default which you can later # adjust by selectively altering or deactivating certain settings. # (See below.) 
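Review bot: The comment `# for old versions of stunnel: set to None to get rid of those settings (or use the default)` in the reworked `service_defaults` block does not say what is given up: `verifyChain` and `verifyPeer` are the settings that make stunnel validate the remote certificate, and the example itself offers `verify: 2` as the older equivalent. I would extend the comment with `# Clearing verifyChain/verifyPeer disables certificate verification unless verify: 2 (or stricter) is set instead`. The commented-out examples also spell the booleans as `yes`; `true`/`false` reads the same under YAML 1.1 and 1.2 loaders, whereas `yes` is only a boolean under 1.1.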
diff --git a/pre-commit_semantic-release.sh b/pre-commit_semantic-release.sh
new file mode 100755
index 0000000..9d34d74
--- /dev/null
+++ b/pre-commit_semantic-release.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+###############################################################################
+# (A) Update `FORMULA` with `${nextRelease.version}`
+###############################################################################
+sed -i -e "s_^\(version:\).*_\1 ${1}_" FORMULA
+
+
+###############################################################################
+# (B) Use `m2r` to convert automatically produced `.md` docs to `.rst`
+###############################################################################
+
+# Install `m2r`
+sudo -H pip install m2r
+
+# Copy and then convert the `.md` docs
+cp *.md docs/
+cd docs/
+m2r --overwrite *.md
+
+# Change excess `H1` headings to `H2` in converted `CHANGELOG.rst`
+sed -i -e '/^=.*$/s/=/-/g' CHANGELOG.rst
+sed -i -e '1,4s/-/=/g' CHANGELOG.rst
+
+# Use for debugging output, when required
+# cat AUTHORS.rst
+# cat CHANGELOG.rst
+
+# Return back to the main directory
+cd ..
diff --git a/release-rules.js b/release-rules.js
new file mode 100644
index 0000000..c63c850
--- /dev/null
+++ b/release-rules.js
@@ -0,0 +1,18 @@
+// No release is triggered for the types commented out below.
+// Commits using these types will be incorporated into the next release.
+//
+// NOTE: Any changes here must be reflected in `CONTRIBUTING.md`.
+module.exports = [
+ {breaking: true, release: 'major'},
+ // {type: 'build', release: 'patch'},
+ // {type: 'chore', release: 'patch'},
+ // {type: 'ci', release: 'patch'},
+ {type: 'docs', release: 'patch'},
+ {type: 'feat', release: 'minor'},
+ {type: 'fix', release: 'patch'},
+ {type: 'perf', release: 'patch'},
+ {type: 'refactor', release: 'patch'},
+ {type: 'revert', release: 'patch'},
+ {type: 'style', release: 'patch'},
+ {type: 'test', release: 'patch'},
+];
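Review bot: The script has no `set -e`, so if `cd docs/` or `m2r --overwrite *.md` fails, the two `sed` calls and `cd ..` still run in whatever directory the shell is left in, and the exit status semantic-release sees is only that of the final `cd ..`; add `set -eu` directly after the shebang. In part (B), `sudo -H pip install m2r` installs an unpinned package from PyPI with root privileges on the job that holds the release token, so pin it, e.g. `sudo -H pip install 'm2r==<PINNED_VERSION>'` (placeholder), or install with `--user`. `${1}` is interpolated unquoted into the sed replacement in part (A); it comes from `${nextRelease.version}` in `release.config.js` rather than from untrusted input, but a guard such as `[ -n "${1}" ] || exit 1` stops the `version:` field being blanked when the script is run by hand.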
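Review bot: The comment `// NOTE: Any changes here must be reflected in \`CONTRIBUTING.md\`` names a file this commit does not add; the guide added here is `docs/CONTRIBUTING.rst`, whose table under "Relationship between commit type and version bump" is the thing these rules have to agree with. Unless a `CONTRIBUTING.md` is generated somewhere else (the `m2r` step in `pre-commit_semantic-release.sh` converts `*.md` into `docs/`, which would suggest one is expected), pointing the comment at `docs/CONTRIBUTING.rst` keeps the cross-reference resolvable; the same wording appears in `release.config.js`.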
diff --git a/release.config.js b/release.config.js
new file mode 100644
index 0000000..afa0cb1
--- /dev/null
+++ b/release.config.js
@@ -0,0 +1,106 @@
+module.exports = {
+ branch: 'master',
+ plugins: [
+ ['@semantic-release/commit-analyzer', {
+ preset: 'angular',
+ releaseRules: './release-rules.js',
+ }],
+ '@semantic-release/release-notes-generator',
+ ['@semantic-release/changelog', {
+ changelogFile: 'CHANGELOG.md',
+ changelogTitle: '# Changelog',
+ }],
+ ['@semantic-release/exec', {
+ prepareCmd: 'sh ./pre-commit_semantic-release.sh ${nextRelease.version}',
+ }],
+ ['@semantic-release/git', {
+ assets: ['*.md', 'docs/*.rst', 'FORMULA'],
+ }],
+ '@semantic-release/github',
+ ],
+ generateNotes: {
+ preset: 'angular',
+ writerOpts: {
+ // Required due to upstream bug preventing all types being displayed.
+ // Bug: https://github.com/conventional-changelog/conventional-changelog/issues/317
+ // Fix: https://github.com/conventional-changelog/conventional-changelog/pull/410
+ transform: (commit, context) => {
+ const issues = []
+
+ commit.notes.forEach(note => {
+ note.title = `BREAKING CHANGES`
+ })
+
+ // NOTE: Any changes here must be reflected in `CONTRIBUTING.md`.
+ if (commit.type === `feat`) { + commit.type = `Features` + } else if (commit.type === `fix`) { + commit.type = `Bug Fixes` + } else if (commit.type === `perf`) { + commit.type = `Performance Improvements` + } else if (commit.type === `revert`) { + commit.type = `Reverts` + } else if (commit.type === `docs`) { + commit.type = `Documentation` + } else if (commit.type === `style`) { + commit.type = `Styles` + } else if (commit.type === `refactor`) { + commit.type = `Code Refactoring` + } else if (commit.type === `test`) { + commit.type = `Tests` + } else if (commit.type === `build`) { + commit.type = `Build System` + // } else if (commit.type === `chore`) { + // commit.type = `Maintenance` + } else if (commit.type === `ci`) { + commit.type = `Continuous Integration` + } else { + return + } + + if (commit.scope === `*`) { + commit.scope = `` + } + + if (typeof commit.hash === `string`) { + commit.hash = commit.hash.substring(0, 7) + } + + if (typeof commit.subject === `string`) { + let url = context.repository + ? `${context.host}/${context.owner}/${context.repository}` + : context.repoUrl + if (url) { + url = `${url}/issues/` + // Issue URLs. + commit.subject = commit.subject.replace(/#([0-9]+)/g, (_, issue) => { + issues.push(issue) + return `[#${issue}](${url}${issue})` + }) + } + if (context.host) { + // User URLs. + commit.subject = commit.subject.replace(/\B@([a-z0-9](?:-?[a-z0-9/]){0,38})/g, (_, username) => { + if (username.includes('/')) { + return `@${username}` + } + + return `[@${username}](${context.host}/${username})` + }) + } + } + + // remove references that already appear in the subject + commit.references = commit.references.filter(reference => { + if (issues.indexOf(reference.issue) === -1) { + return true + } + + return false + }) + + return commit + }, + }, + }, +}; diff --git a/stunnel/defaults.yaml b/stunnel/defaults.yaml index 647b4a1..f027666 100644 --- a/stunnel/defaults.yaml +++ b/stunnel/defaults.yaml 
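Review bot: The `if`/`else if` chain that maps `commit.type` to a section heading inside `transform` is a lookup written as control flow; a table keeps the type list in one place, which matters because the comment above it says the list has to stay in sync with the contributing guide, and it makes the "unknown type is dropped from the notes" rule explicit instead of hiding it in a trailing `else { return }`. The rest of `transform` appears to be a lightly adapted copy of the upstream writer transform linked in the two comments above it; saying so in the comment would let the next maintainer diff against upstream rather than rewrite. `transform` begins on the previous chunk line and its remaining statements are unchanged.
```javascript
      transform: (commit, context) => {
        // Section heading for each commit type; types absent from this table
        // are dropped from the notes (the commented-out `chore` entry is intentional).
        const typeHeadings = new Map([
          ['feat', 'Features'],
          ['fix', 'Bug Fixes'],
          ['perf', 'Performance Improvements'],
          ['revert', 'Reverts'],
          ['docs', 'Documentation'],
          ['style', 'Styles'],
          ['refactor', 'Code Refactoring'],
          ['test', 'Tests'],
          ['build', 'Build System'],
          // ['chore', 'Maintenance'],
          ['ci', 'Continuous Integration'],
        ])
        // … unchanged: const issues, BREAKING CHANGES note titles …
        if (!typeHeadings.has(commit.type)) {
          return
        }
        commit.type = typeHeadings.get(commit.type)
        // … unchanged: scope, hash, subject/issue/user links, references …
```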
@@ -5,7 +5,7 @@ # from top to bottom! All the settings are taken from there. # GLOBAL DEFAULTS - +--- stunnel: root_user: root root_group: root diff --git a/stunnel/os_codename_map.yaml b/stunnel/os_codename_map.yaml index 9f60fad..7999f5b 100644 --- a/stunnel/os_codename_map.yaml +++ b/stunnel/os_codename_map.yaml @@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- # vim: ft=yaml - +--- jessie: {} stretch: {} diff --git a/stunnel/os_family_map.yaml b/stunnel/os_family_map.yaml index bb7f3ff..f087e3f 100644 --- a/stunnel/os_family_map.yaml +++ b/stunnel/os_family_map.yaml @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- # vim: ft=yaml - +--- Debian: package: stunnel4 service: stunnel4 diff --git a/stunnel/service_defaults.yaml b/stunnel/service_defaults.yaml index 37d42b7..d44b4c5 100644 --- a/stunnel/service_defaults.yaml +++ b/stunnel/service_defaults.yaml @@ -5,9 +5,10 @@ # from top to bottom! All the settings are taken from there. # SERVICE-LEVEL DEFAULTS - +--- verifyChain: yes verifyPeer: yes +# yamllint disable rule:line-length ciphers: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA' # Allow future versions sslVersion: all @@ -16,4 +17,3 @@ options: - NO_SSLv3 - NO_TLSv1 - cipher_server_preference - diff --git a/stunnel/service_os_codename_map.yaml b/stunnel/service_os_codename_map.yaml index be653aa..efd21bf 100644 --- a/stunnel/service_os_codename_map.yaml +++ b/stunnel/service_os_codename_map.yaml @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- # vim: ft=yaml - +--- # Uses < 5.06 trusty: &still_supporting_SSLv2 options: diff --git a/test/salt/pillar/stunnel.sls b/test/salt/pillar/stunnel.sls index eb043ca..1a2d952 100644 --- a/test/salt/pillar/stunnel.sls +++ b/test/salt/pillar/stunnel.sls @@ -1,3 +1,5 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml --- stunnel: config:
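Review bot: The `# yamllint disable rule:line-length` comment added above `ciphers` in `stunnel/service_defaults.yaml` switches the rule off for the rest of the file, not just for that line, because a `disable` directive stays in effect until a matching `# yamllint enable`; use the single-line form `# yamllint disable-line rule:line-length` (on the cipher line itself or the line before it) so the exemption is scoped to the one long value. The line the directive covers is unchanged context, but since it is now exempt from review-by-linter it is worth a look: the OpenSSL cipher string contains `!aNULL!eNULL` with no `:` between the two exclusions, and I have not checked how OpenSSL's parser treats that token, so confirm with `openssl ciphers -v` on the string that both the anonymous and the null-encryption suites are actually excluded.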