Phil Pennock philpennock

## gitolite nats notifications in Go
This is for gitolite to publish notifications to NATS with details of commits.
I use the "hooks in admin repo" approach: I have root on the gitolite server and only I have commit access.
The only action taken outside of this repo was to install Go (1.15.5).

This approach uses a shell wrapper to on-demand re-compile the binary hook, which is written in Go.

Shell script:  local/hooks/repo-specific/wrap-go-nats-publish.post-receive
Symlink:       local/hooks/common/post-receive -> ../repo-specific/wrap-go-nats-publish.post-receive
Go source:     local/src/nats-publish-postreceive.go

## nats-publish.post-receive.sh
#!/usr/bin/env bash
set -euo pipefail

progname="$(basename "$0" .sh)"
stderr() { printf >&2 '%s: %s\n' "$progname" "$*"; }
die() { stderr "$@"; exit 1; }

# Tunable
: "${NATS_SERVER:=nats.example.org}"
# Contractually has to have been provided, but this helps with command-line

## time_render.py
#!/usr/bin/env python3

"""
time_render: render time as given on cmdline

Convert epoch time (default) to something human-readable.
Handle obscenely large numbers.
"""

# DNS uses u_int48_t (for TSIG) which is seconds since Unix epoch.

## github_curl.sh
#!/usr/bin/env bash
set -euo pipefail
# Switched to bash so that we could bind variables for GraphQL
# TODO:
#  * Rewrite in Go
#  * Handle paging, iterate
#  * Consider session keyring with timeout for caching PATs if had to be pulled from PGP-encrypted files
#  * see if there's a Go implementation of the jq language
#  * ability to take graphql queries from files/fds and munge into the correct
#    format.

## dns-email.sh
#!/usr/bin/env bash
#
# Copyright 2020 Pennock Tech, LLC
# No warranty, this is a proof-of-concept not a final product.
# MIT-style license.

set -euo pipefail

# This might need to switch to another language for concurrency and handling
# the queries which are rarer, but this is a decent start as a proof-of-concept.

## linode-known_hosts
lish-atlanta.linode.com,66.228.57.75,2600:3c02::f03c:91ff:fe93:e3bb ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC1YiyKqGc3i93G+/uzaHkNBm/GmwgkSoHBJD6CNam8dTo2zLZjCOBipb4OjbCHk3Nk6JrjC/at9H+iN7H7m8Vo=
lish-atlanta.linode.com,66.228.57.75,2600:3c02::f03c:91ff:fe93:e3bb ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMm+yFvNDZoSTVaQguo6HWCEHnUWHGbN2TdGWm2Mt9rY
lish-atlanta.linode.com,66.228.57.75,2600:3c02::f03c:91ff:fe93:e3bb ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVkOduQVZUDg6HBPWWjrRa7d45yJyZYfwu4/yqIRowZjoCAQ1ktJcvXg0ABGaQTPmc4dHrQa4pZmAkZRrBgu/xtdl3b9PLY1xQltmJAgYJ2z4SjJQFk7qZLjv2IqMJM7wOwjCLo92rCBk78cIWr0jl1f5qE+i63CH0E3P6k8tD+t+y1RU3Kwx4h1It3tPa45wqLuBsFFgmPfc0ztwYOjONUJGoRK7k4q198gRWmO6mEBTeOJkigfhuPb+BW53m9p1jLuCIP+BwMoG3kB8e0ZKq17IS/Y59+POfqIaFqQC50AAJwZsks2DZYWJPEql6XSgX4WW0IH7KG1m17j5r2xO1

lish-dallas.linode.com,173.255.198.137,2600:3c00::f03c:91ff:fe93:2fd7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGlT+WXbL+tUi40riCGUeYmNboTCGOgJgbYESmBfwP71aX9Mjm1Y44

## gpg_refresh_external_domains.sh
#!/usr/bin/env bash
set -eu

# Warning: we assume that the input of the list of domains to refresh is
# trusted, and free from abusive characters.  So the only adjustments for using
# within a PCRE regexp we apply is "escape the dots to be literal".

progname="$(basename "$0" .sh)"
die() { printf >&2 '%s: %s\n' "$progname" "$*"; exit 1; }
usage() {

## tflint
#!/bin/bash -eu

DOCKER_IMAGE_NAME='tflint'

KeepEnvVars=( AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION )

DockerArgs=()
CmdArgs=()
PwdMountFlags='ro'

## aws-vault-unlock
#!/usr/bin/env python3
#
# Copyright © 2020 Pennock Tech, LLC
# SPDX-License-Identifier: MIT

"""
aws-vault-unlock: unlock (or lock) the awsvault libsecret collection

The XDG folks specify the Secret service available over D-Bus.
When everything works right, 99designs/aws-vault trying to access a locked

## perlgssapi-code_GSSAPI_fix-macOS-heimdal.patch
Index: GSSAPI.xs
===================================================================
--- GSSAPI.xs	(revision 73)
+++ GSSAPI.xs	(working copy)
@@ -6,6 +6,8 @@
 #define __GSS_KRB5_NT_PRINCIPAL_NAME &mygss_nt_krb5_principal
 #define __gss_mech_krb5_v2 &mygss_mech_krb5_v2

+#define GSSKRB_APPLE_DEPRECATED(x) /**/
+
	This is for gitolite to publish notifications to NATS with details of commits.
	I use the "hooks in admin repo" approach: I have root on the gitolite server and only I have commit access.
	The only action taken outside of this repo was to install Go (1.15.5).

	This approach uses a shell wrapper to on-demand re-compile the binary hook, which is written in Go.

	Shell script: local/hooks/repo-specific/wrap-go-nats-publish.post-receive
	Symlink: local/hooks/common/post-receive -> ../repo-specific/wrap-go-nats-publish.post-receive
	Go source: local/src/nats-publish-postreceive.go
	#!/usr/bin/env bash
	set -euo pipefail

	progname="$(basename "$0" .sh)"
	stderr() { printf >&2 '%s: %s\n' "$progname" "$*"; }
	die() { stderr "$@"; exit 1; }

	# Tunable
	: "${NATS_SERVER:=nats.example.org}"
	# Contractually has to have been provided, but this helps with command-line
	#!/usr/bin/env python3

	"""
	time_render: render time as given on cmdline

	Convert epoch time (default) to something human-readable.
	Handle obscenely large numbers.
	"""

	# DNS uses u_int48_t (for TSIG) which is seconds since Unix epoch.
	#!/usr/bin/env bash
	set -euo pipefail
	# Switched to bash so that we could bind variables for GraphQL
	# TODO:
	# * Rewrite in Go
	# * Handle paging, iterate
	# * Consider session keyring with timeout for caching PATs if had to be pulled from PGP-encrypted files
	# * see if there's a Go implementation of the jq language
	# * ability to take graphql queries from files/fds and munge into the correct
	# format.
	#!/usr/bin/env bash
	#
	# Copyright 2020 Pennock Tech, LLC
	# No warranty, this is a proof-of-concept not a final product.
	# MIT-style license.

	set -euo pipefail

	# This might need to switch to another language for concurrency and handling
	# the queries which are rarer, but this is a decent start as a proof-of-concept.
	lish-atlanta.linode.com,66.228.57.75,2600:3c02::f03c:91ff:fe93:e3bb ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC1YiyKqGc3i93G+/uzaHkNBm/GmwgkSoHBJD6CNam8dTo2zLZjCOBipb4OjbCHk3Nk6JrjC/at9H+iN7H7m8Vo=
	lish-atlanta.linode.com,66.228.57.75,2600:3c02::f03c:91ff:fe93:e3bb ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMm+yFvNDZoSTVaQguo6HWCEHnUWHGbN2TdGWm2Mt9rY
	lish-atlanta.linode.com,66.228.57.75,2600:3c02::f03c:91ff:fe93:e3bb ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVkOduQVZUDg6HBPWWjrRa7d45yJyZYfwu4/yqIRowZjoCAQ1ktJcvXg0ABGaQTPmc4dHrQa4pZmAkZRrBgu/xtdl3b9PLY1xQltmJAgYJ2z4SjJQFk7qZLjv2IqMJM7wOwjCLo92rCBk78cIWr0jl1f5qE+i63CH0E3P6k8tD+t+y1RU3Kwx4h1It3tPa45wqLuBsFFgmPfc0ztwYOjONUJGoRK7k4q198gRWmO6mEBTeOJkigfhuPb+BW53m9p1jLuCIP+BwMoG3kB8e0ZKq17IS/Y59+POfqIaFqQC50AAJwZsks2DZYWJPEql6XSgX4WW0IH7KG1m17j5r2xO1

	lish-dallas.linode.com,173.255.198.137,2600:3c00::f03c:91ff:fe93:2fd7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGlT+WXbL+tUi40riCGUeYmNboTCGOgJgbYESmBfwP71aX9Mjm1Y44
	#!/usr/bin/env bash
	set -eu

	# Warning: we assume that the input of the list of domains to refresh is
	# trusted, and free from abusive characters. So the only adjustments for using
	# within a PCRE regexp we apply is "escape the dots to be literal".

	progname="$(basename "$0" .sh)"
	die() { printf >&2 '%s: %s\n' "$progname" "$*"; exit 1; }
	usage() {
	#!/bin/bash -eu

	DOCKER_IMAGE_NAME='tflint'

	KeepEnvVars=( AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION )

	DockerArgs=()
	CmdArgs=()
	PwdMountFlags='ro'
	#!/usr/bin/env python3
	#
	# Copyright © 2020 Pennock Tech, LLC
	# SPDX-License-Identifier: MIT

	"""
	aws-vault-unlock: unlock (or lock) the awsvault libsecret collection

	The XDG folks specify the Secret service available over D-Bus.
	When everything works right, 99designs/aws-vault trying to access a locked
	Index: GSSAPI.xs
	===================================================================
	--- GSSAPI.xs (revision 73)
	+++ GSSAPI.xs (working copy)
	@@ -6,6 +6,8 @@
	#define __GSS_KRB5_NT_PRINCIPAL_NAME &mygss_nt_krb5_principal
	#define __gss_mech_krb5_v2 &mygss_mech_krb5_v2

	+#define GSSKRB_APPLE_DEPRECATED(x) /**/
	+