bullion 0.7.3 → 0.9.0

data/Itsi.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+# This is the default Itsi configuration file, installed when you run `itsi init`
+# It contains a sane starting point for configuring your Itsi server.
+# You can use this file in both development and production environments.
+# Most of the options in this file can be overridden by command line options.
+# Check out itsi -h to learn more about the command line options available to you.
+
+env = ENV.fetch("APP_ENV") { ENV.fetch("RACK_ENV", "development") }
+
+# Number of worker processes to spawn
+# If more than 1, Itsi will be booted in Cluster mode
+workers ENV["ITSI_WORKERS"]&.to_i || (env == "development" ? 1 : nil)
+
+# Number of threads to spawn per worker process
+# For pure CPU bound applicationss, you'll get the best results keeping this number low
+# Setting a value of 1 is great for superficial benchmarks, but in reality
+# it's better to set this a bit higher to allow expensive requests to get overtaken and minimize head-of-line blocking
+threads ENV.fetch("ITSI_THREADS", 3)
+
+# If your application is IO bound (e.g. performing a lot of proxied HTTP requests, or heavy queries etc)
+# you can see *substantial* benefits from enabling this option.
+# To set this option, pass a string, not a class (as we will not have loaded the class yet)
+# E.g.
+# `fiber_scheduler "Itsi::Scheduler"` - The default fast and light-weight scheduler that comes with Itsi
+# `fiber_scheduler "Async::Scheduler"` - Bring your own scheduler!
+fiber_scheduler nil
+
+# If you bind to https, without specifying a certificate, Itsi will use a self-signed certificate.
+# The self-signed certificate will use a CA generated for your
+# host and stored inside `ITSI_LOCAL_CA_DIR` (Defaults to ~/.itsi)
+# bind "https://0.0.0.0:3000"
+# bind "https://0.0.0.0:3000?domains=dev.itsi.fyi"
+#
+# If you want to use let's encrypt to generate you a real certificate you
+# and pass cert=acme and an acme_email address to generate one.
+# bind "https://itsi.fyi?cert=acme&acme_email=admin@itsi.fyi"
+# You can generate certificates for multiple domains at once, by passing a comma-separated list of domains
+# bind "https://0.0.0.0?domains=foo.itsi.fyi,bar.itsi.fyi&cert=acme&acme_email=admin@itsi.fyi"
+#
+# If you already have a certificate you can specify it using the cert and key parameters
+# bind "https://itsi.fyi?cert=/path/to/cert.pem&key=/path/to/key.pem"
+#
+# You can also bind to a unix socket or a tls unix socket. E.g.
+# bind "unix:///tmp/itsi.sock"
+# bind "tls:///tmp/itsi.secure.sock"
+
+bind "http://0.0.0.0:9292"
+
+# If you want to preload the application, set preload to true
+# to load the entire rack-app defined in rack_file_name before forking.
+# Alternatively, you can preload just a specific set of gems in a group in your gemfile,
+# by providing the group name here.
+# E.g.
+#
+# preload :preload # Load gems inside the preload group
+# preload false # Don't preload.
+#
+# If you want to be able to perform zero-downtime deploys using a single itsi process,
+# you should disable preloads, so that the application is loaded fresh each time a new worker boots
+preload true
+
+# Set the maximum memory limit for each worker process in bytes
+# When this limit is reached, the worker will be gracefully restarted.
+# Only one worker is restarted at a time to ensure we don't take down
+# all of them at once, if they reach the threshold simultaneously.
+worker_memory_limit 1024 * 1024 * 1024
+
+# You can provide an optional block of code to run, when a worker hits its memory threshold
+# (Use this to send yourself an alert,
+# write metrics to disk etc. etc.)
+after_memory_limit_reached do |pid|
+  puts "Worker #{pid} has reached its memory threshold and will restart"
+end
+
+# Do clean up of any non-threadsafe resources before forking a new worker here.
+before_fork {}
+
+# Reinitialize any non-threadsafe resources after forking a new worker here.
+after_fork {}
+
+# Shutdown timeout
+# Number of seconds to wait for workers to gracefully shutdown before killing them.
+shutdown_timeout 5
+
+# Set this to false for application environments that require rack.input to be a rewindable body
+# (like Rails). For rack applications that can stream inputs, you can set this to true for a more
+# memory-efficient approach.
+stream_body false
+
+# OOB GC responses threshold
+# Specifies how frequently OOB gc should be triggered during periods where there is a gap in queued requests.
+# Setting this too low can substantially worsen performance
+oob_gc_responses_threshold 512
+
+# Log level
+# Set this to one of the following values: debug, info, warn, error, fatal
+# Can also be set using the ITSI_LOG environment variable
+log_level :info
+
+# Log Format
+# Set this to be either :plain or :json. If you leave it blank Itsi will try
+# and auto-detect the format based on the TTY environment.
+log_format :plain
+# You can mount several Ruby apps as either
+# 1. rackup files
+# 2. inline rack apps
+# 3. inline Ruby endpoints
+#
+# 1. rackup_file
+rackup_file "./config.ru"
+#
+# 2. inline rack app
+# require 'rack'
+# run(Rack::Builder.app do
+#   use Rack::CommonLogger
+#   run ->(env) { [200, { 'content-type' => 'text/plain' }, ['OK']] }
+# end)
+#
+# 3. Endpoints
+# endpoint "/" do |req|
+#   req.ok "Hello from Itsi"
+# end

data/Rakefile

@@ -48,7 +48,7 @@ task :prep do
   root_ca.version = 2
   root_ca.serial = (2**rand(10..20)) - 1
   root_ca.subject = OpenSSL::X509::Name.parse(
-    %w[test domain].reverse.map { |piece| "DC=#{piece}" }.join("/") + "/CN=bullion"
+    %w[test domain].reverse.map { "DC=#{it}" }.join("/") + "/CN=bullion"
   )
   root_ca.issuer = root_ca.subject # root CA's are "self-signed"
   root_ca.public_key = root_key.public_key
@@ -116,20 +116,23 @@ task :demo do
   system(
     "RACK_ENV=\"#{rack_env}\" DATABASE_URL=\"#{database_url}\" " \
     "LOG_LEVEL='#{ENV.fetch("LOG_LEVEL", "info")}' " \
-    "rackup -D -P #{File.expand_path(".")}/tmp/daemon.pid"
+    "itsi --daemonize"
   )
+  FileUtils.touch(File.join(File.expand_path("."), "tmp", "daemon.pid"))
 end
 
 desc "Runs a foregrounded demo environment"
 task :foreground_demo do
-  system("rackup -o 0.0.0.0 -P #{File.expand_path(".")}/tmp/daemon.pid")
+  system("itsi")
 end
 
 desc "Cleans up test or demo environment"
 task :cleanup do
   at_exit do
-    if File.exist?("#{File.expand_path(".")}/tmp/daemon.pid")
-      system("kill $(cat #{File.expand_path(".")}/tmp/daemon.pid) > /dev/null 2>&1")
+    pid_file = File.join(File.expand_path("."), "tmp", "daemon.pid")
+    if File.exist?(pid_file)
+      system("itsi stop")
+      FileUtils.rm_f(pid_file)
     end
     FileUtils.rm_f(File.join(File.expand_path("."), "tmp", "tls.crt"))
     FileUtils.rm_f(File.join(File.expand_path("."), "tmp", "tls.key"))

data/bullion.gemspec

@@ -24,20 +24,21 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = "~> 3.2"
+  spec.required_ruby_version = "~> 3.4"
 
+  spec.add_dependency "benchmark",            "~> 0.4"
   spec.add_dependency "dry-configurable",     "~> 1.1"
   spec.add_dependency "httparty",             "~> 0.21"
+  spec.add_dependency "itsi",                 "~> 0.2"
   spec.add_dependency "json",                 "~> 2.6"
   spec.add_dependency "jwt",                  "~> 2.7"
   spec.add_dependency "mysql2",               "~> 0.5"
   spec.add_dependency "openssl",              "~> 3.0"
   spec.add_dependency "prometheus-client",    "~> 4.2"
-  spec.add_dependency "puma",                 "~> 6.4"
   spec.add_dependency "sinatra",              "~> 3.1"
   spec.add_dependency "sinatra-activerecord", "~> 2.0"
   spec.add_dependency "sinatra-contrib",      "~> 3.1"
-  spec.add_dependency "sqlite3",              "~> 1.6"
+  spec.add_dependency "sqlite3",              "~> 2.7"
 
   spec.add_development_dependency "acme-client",         "~> 2.0"
   spec.add_development_dependency "bundler",             "~> 2.4"
@@ -47,7 +48,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rspec",               "~> 3.12"
   spec.add_development_dependency "rubocop",             "~> 1.57"
   spec.add_development_dependency "rubocop-rake",        "~> 0.6"
-  spec.add_development_dependency "rubocop-rspec",       "~> 2.25"
+  spec.add_development_dependency "rubocop-rspec",       "~> 3.5"
   spec.add_development_dependency "simplecov",           "~> 0.22"
   spec.add_development_dependency "simplecov-cobertura", "~> 2.1"
   spec.add_development_dependency "solargraph",          "~> 0.49"

data/config.ru

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-# \ -s puma
-
 require "bullion"
 Bullion.validate_config!
 

data/db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2021_01_06_060335) do
+ActiveRecord::Schema[8.0].define(version: 2021_01_06_060335) do
   create_table "accounts", force: :cascade do |t|
     t.boolean "tos_agreed", default: true, null: false
     t.text "public_key", null: false

data/lib/bullion/challenge_client.rb

@@ -27,7 +27,7 @@ module Bullion
       benchtime = Benchmark.realtime do
         until success || tries >= retries
           tries += 1
-          success = perform
+          success = performs_challenge?
           if success
             LOGGER.info "Validated #{type} #{identifier}"
             challenge.status = "valid"
@@ -59,5 +59,9 @@ module Bullion
     def identifier
       challenge.identifier
     end
+
+    def performs_challenge?
+      raise NotImplementedError
+    end
   end
 end

data/lib/bullion/challenge_clients/dns.rb

@@ -8,7 +8,7 @@ module Bullion
       def self.acme_type = "dns-01"
       def type = "DNS01"
 
-      def perform
+      def performs_challenge?
         value = dns_value
         expected_value = digest_value("#{challenge.token}.#{challenge.thumbprint}")
 

data/lib/bullion/challenge_clients/http.rb

@@ -8,7 +8,7 @@ module Bullion
       def self.acme_type = "http-01"
       def type = "HTTP01"
 
-      def perform
+      def performs_challenge?
         response = begin
           retrieve_body(challenge_url)
         rescue SocketError

data/lib/bullion/helpers/acme.rb

@@ -88,7 +88,7 @@ module Bullion
 
       # Validation helpers
 
-      def validate_account_data(hash)
+      def account_data_valid?(hash)
         unless [true, false, nil].include?(hash["onlyReturnExisting"])
           raise Bullion::Acme::Errors::Malformed,
                 "Invalid onlyReturnExisting: #{hash["onlyReturnExisting"]}"
@@ -113,31 +113,31 @@ module Bullion
         true
       end
 
-      def validate_acme_csr(order, csr)
+      def acme_csr_valid?(order_csr)
+        csr = order_csr.csr
+        order = order_csr.order
         csr_attrs = extract_csr_attrs(csr)
         csr_sans = extract_csr_sans(csr_attrs)
         csr_domains = extract_csr_domains(csr_sans)
         csr_cn = cn_from_csr(csr)
 
-        order_domains = order.identifiers.map { |i| i["value"] }
-
         # Make sure the CSR has a valid public key
         raise Bullion::Acme::Errors::BadCsr unless csr.verify(csr.public_key)
 
-        return false unless order.status == "ready"
+        return false unless order.ready_status?
         raise Bullion::Acme::Errors::BadCsr unless csr_domains.include?(csr_cn)
-        raise Bullion::Acme::Errors::BadCsr unless csr_domains.sort == order_domains.sort
+        raise Bullion::Acme::Errors::BadCsr unless csr_domains.sort == order.domains.sort
 
         true
       end
 
-      def validate_order(hash)
+      def order_valid?(hash)
         validate_order_nb_and_na(hash["notBefore"], hash["notAfter"])
 
         # Don't approve empty orders
         raise Bullion::Acme::Errors::InvalidOrder, "Empty order!" if hash["identifiers"].empty?
 
-        order_domains = hash["identifiers"].select { |ident| ident["type"] == "dns" }
+        order_domains = hash["identifiers"].select { it["type"] == "dns" }
 
         # Don't approve an order with identifiers that _aren't_ of type 'dns'
         unless hash["identifiers"] == order_domains
@@ -188,7 +188,7 @@ module Bullion
 
       def extract_valid_order_domains(order_domains)
         order_domains.reject do |domain|
-          Bullion.config.ca.domains.none? { domain["value"].end_with?(_1) }
+          Bullion.config.ca.domains.none? { domain["value"].end_with?(it) }
         end
       end
     end

data/lib/bullion/helpers/ssl.rb

@@ -14,11 +14,6 @@ module Bullion
         end
       end
 
-      def openssl_compat_csr(csrdata)
-        "-----BEGIN CERTIFICATE REQUEST-----\n" \
-          "#{csrdata}-----END CERTIFICATE REQUEST-----"
-      end
-
       # @see https://tools.ietf.org/html/rfc7518#page-30
       def key_data_to_rsa(key_data)
         exponent = base64_to_long(key_data["e"])
@@ -205,7 +200,7 @@ module Bullion
         # Create a OpenSSL cert using select info from the CSR
         csr_cert = OpenSSL::X509::Certificate.new
         csr_cert.serial = cert.serial
-        csr_cert.version = 2
+        csr_cert.version = 3
         csr_cert.not_before = Time.now
         # only 90 days for ACMEv2
         csr_cert.not_after = csr_cert.not_before + (3 * 30 * 24 * 60 * 60)

data/lib/bullion/models/authorization.rb

@@ -13,6 +13,15 @@ module Bullion
 
       validates :status, inclusion: { in: %w[invalid pending ready processing valid deactivated] }
 
+      enum :status, {
+        invalid: "invalid",
+        pending: "pending",
+        ready: "ready",
+        processing: "processing",
+        valid: "valid",
+        deactivated: "deactivated"
+      }, suffix: "status"
+
       def init_values
         self.expires ||= Time.now + (60 * 60)
       end

data/lib/bullion/models/certificate.rb

@@ -10,6 +10,8 @@ module Bullion
 
       validates_presence_of :subject
 
+      has_one :order
+
       def init_values
         self.serial ||= SecureRandom.hex(4).to_i(16)
       end

data/lib/bullion/models/challenge.rb

@@ -13,6 +13,13 @@ module Bullion
       }
       validates :status, inclusion: { in: %w[invalid pending processing valid] }
 
+      enum :status, {
+        invalid: "invalid",
+        pending: "pending",
+        processing: "processing",
+        valid: "valid"
+      }, suffix: "status"
+
       def identifier
         authorization.identifier["value"]
       end
@@ -29,7 +36,7 @@ module Bullion
       end
 
       def client
-        challenge_class = Bullion.acme.challenge_clients.find { _1.acme_type == acme_type }
+        challenge_class = Bullion.acme.challenge_clients.find { it.acme_type == acme_type }
 
         unless challenge_class
           raise Bullion::Acme::Errors::UnsupportedChallengeType,

data/lib/bullion/models/order.rb

@@ -9,10 +9,19 @@ module Bullion
       after_initialize :init_values, unless: :persisted?
 
       belongs_to :account
+      belongs_to :certificate
       has_many :authorizations
 
       validates :status, inclusion: { in: %w[invalid pending ready processing valid] }
 
+      enum :status, {
+        invalid: "invalid",
+        pending: "pending",
+        ready: "ready",
+        processing: "processing",
+        valid: "valid"
+      }, suffix: "status"
+
       def init_values
         self.expires ||= Time.now + (60 * 60)
         self.not_before ||= Time.now
@@ -31,9 +40,8 @@ module Bullion
         end
       end
 
-      def certificate
-        Certificate.find(certificate_id)
-      end
+      # Used to extract domains from order (mostly for comparison with CSR)
+      def domains = identifiers.map { it["value"] }
     end
   end
 end

data/lib/bullion/models/order_csr.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Bullion
+  module Models
+    # Pseudo-model for ACMEv2 Order CSR
+    class OrderCsr
+      class << self
+        def from_acme_request(order, raw_data)
+          decoded_data = Base64.urlsafe_decode64(raw_data)
+          reencoded_data = Base64.encode64(decoded_data)
+          csr_string = openssl_compat_csr(reencoded_data)
+
+          new(order, csr_string)
+        end
+
+        private
+
+        def openssl_compat_csr(csrdata)
+          "-----BEGIN CERTIFICATE REQUEST-----\n" \
+            "#{csrdata}-----END CERTIFICATE REQUEST-----"
+        end
+      end
+
+      attr_reader :csr, :order
+
+      def initialize(order, csr)
+        @order = order.is_a?(Order) ? order : Order.find(order)
+        @csr = if csr.is_a?(String)
+                 OpenSSL::X509::Request.new(csr)
+               else
+                 csr
+               end
+      end
+    end
+  end
+end

data/lib/bullion/models.rb

@@ -6,3 +6,6 @@ require "bullion/models/certificate"
 require "bullion/models/challenge"
 require "bullion/models/nonce"
 require "bullion/models/order"
+
+# Pseudo-models (not in DB)
+require "bullion/models/order_csr"

data/lib/bullion/services/ca.rb

@@ -121,7 +121,7 @@ module Bullion
         begin
           parse_acme_jwt(header_data["jwk"], validate_nonce: false)
 
-          validate_account_data(@payload_data)
+          account_data_valid?(@payload_data)
         rescue Bullion::Acme::Error => e
           content_type "application/problem+json"
           halt 400, { type: e.acme_error, detail: e.message }.to_json
@@ -186,7 +186,7 @@ module Bullion
         add_acme_headers @new_nonce
 
         {
-          orders: @user.orders.map { |order| uri("/orders/#{order.id}") }
+          orders: @user.orders.map { uri("/orders/#{it.id}") }
         }
       end
 
@@ -196,9 +196,9 @@ module Bullion
         parse_acme_jwt
 
         # Only identifiers of type "dns" are supported
-        identifiers = @payload_data["identifiers"].select { |i| i["type"] == "dns" }
+        identifiers = @payload_data["identifiers"].select { it["type"] == "dns" }
 
-        validate_order(@payload_data)
+        order_valid?(@payload_data)
 
         order = @user.start_order(
           identifiers:,
@@ -215,7 +215,7 @@ module Bullion
           notBefore: order.not_before,
           notAfter: order.not_after,
           identifiers: order.identifiers,
-          authorizations: order.authorizations.map { |a| uri("/authorizations/#{a.id}") },
+          authorizations: order.authorizations.map { uri("/authorizations/#{it.id}") },
           finalize: uri("/orders/#{order.id}/finalize")
         }.to_json
       rescue Bullion::Acme::Error => e
@@ -238,11 +238,11 @@ module Bullion
           notBefore: order.not_before,
           notAfter: order.not_after,
           identifiers: order.identifiers,
-          authorizations: order.authorizations.map { |a| uri("/authorizations/#{a.id}") },
+          authorizations: order.authorizations.map { uri("/authorizations/#{it.id}") },
           finalize: uri("/orders/#{order.id}/finalize")
         }
 
-        data[:certificate] = uri("/certificates/#{order.certificate.id}") if order.status == "valid"
+        data[:certificate] = uri("/certificates/#{order.certificate.id}") if order.valid_status?
 
         data.to_json
       rescue Bullion::Acme::Error => e
@@ -260,14 +260,9 @@ module Bullion
         content_type "application/json"
         add_acme_headers @new_nonce, additional: { "Location" => uri("/orders/#{order.id}") }
 
-        raw_csr_data = Base64.urlsafe_decode64(@payload_data["csr"])
-        encoded_csr = Base64.encode64(raw_csr_data)
+        order_csr = Models::OrderCsr.from_acme_request(order, @payload_data["csr"])
 
-        csr_data = openssl_compat_csr(encoded_csr)
-
-        csr = OpenSSL::X509::Request.new(csr_data)
-
-        unless validate_acme_csr(order, csr)
+        unless acme_csr_valid?(order_csr)
           content_type "application/problem+json"
           halt 400, {
             type: Bullion::Acme::Errors::BadCsr.new.acme_error,
@@ -275,7 +270,7 @@ module Bullion
           }.to_json
         end
 
-        cert_id = sign_csr(csr, @user.contacts.first).last
+        cert_id = sign_csr(order_csr.csr, @user.contacts.first).last
 
         order.certificate_id = cert_id
         order.status = "valid"
@@ -287,11 +282,11 @@ module Bullion
           notBefore: order.not_before,
           notAfter: order.not_after,
           identifiers: order.identifiers,
-          authorizations: order.authorizations.map { |a| uri("/authorizations/#{a.id}") },
+          authorizations: order.authorizations.map { uri("/authorizations/#{it.id}") },
           finalize: uri("/orders/#{order.id}/finalize")
         }
 
-        data[:certificate] = uri("/certificates/#{order.certificate.id}") if order.status == "valid"
+        data[:certificate] = uri("/certificates/#{order.certificate.id}") if order.valid_status?
 
         data.to_json
       rescue Bullion::Acme::Error => e
@@ -320,7 +315,7 @@ module Bullion
             chash[:url] = uri("/challenges/#{c.id}")
             chash[:token] = c.token
             chash[:status] = c.status
-            chash[:validated] = c.validated if c.status == "valid"
+            chash[:validated] = c.validated if c.valid_status?
 
             chash
           end
@@ -355,12 +350,12 @@ module Bullion
           url: uri("/challenges/#{challenge.id}")
         }
 
-        if challenge.status == "valid"
+        if challenge.valid_status?
           data[:validated] = challenge.validated
           authorization = challenge.authorization
-          authorization.update!(status: "valid") unless authorization.status == "valid"
+          authorization.update!(status: "valid") unless authorization.valid_status?
           order = authorization.order
-          order.update!(status: "ready") unless order.status == "ready"
+          order.update!(status: "ready") unless order.ready_status?
         end
 
         add_link_relation("up", uri("/authorizations/#{challenge.authorization.id}"))
@@ -378,7 +373,7 @@ module Bullion
         add_acme_headers @new_nonce
 
         order = Models::Order.where(certificate_id: params[:id]).first
-        if order && order.status == "valid"
+        if order&.valid_status?
           content_type "application/pem-certificate-chain"
 
           cert = Models::Certificate.find(params[:id])

data/lib/bullion/version.rb

@@ -1,9 +1,5 @@
 # frozen_string_literal: true
 
 module Bullion
-  VERSION = [
-    0, # major
-    7, # minor
-    3 # patch
-  ].join(".")
+  VERSION = "0.9.0"
 end

data/lib/bullion.rb

@@ -9,6 +9,7 @@ require "logger"
 require "openssl"
 
 # External requirements
+require "benchmark"
 require "dry-configurable"
 require "sinatra/base"
 require "sinatra/contrib"
@@ -31,7 +32,7 @@ module Bullion
   LOGGER.level = ENV.fetch("LOG_LEVEL", :warn)
 
   setting :ca, reader: true do
-    setting :dir, default: "tmp", constructor: -> { File.expand_path(_1) }
+    setting :dir, default: "tmp", constructor: -> { File.expand_path(it) }
     setting :secret, default: "SomeS3cret"
     setting(
       :key_path,
@@ -47,22 +48,22 @@ module Bullion
         v.include?("/") ? File.expand_path(v) : File.join(Bullion.config.ca.dir, v)
       }
     )
-    setting :domains, default: "example.com", constructor: -> { _1.split(",") }
+    setting :domains, default: "example.com", constructor: -> { it.split(",") }
     # 90 days cert expiration
-    setting :cert_validity_duration, default: 60 * 60 * 24 * 30 * 3, constructor: -> { Integer(_1) }
+    setting :cert_validity_duration, default: 60 * 60 * 24 * 30 * 3, constructor: -> { Integer(it) }
   end
 
   setting :acme, reader: true do
     setting(
       :challenge_clients,
       default: ["Bullion::ChallengeClients::DNS", "Bullion::ChallengeClients::HTTP"],
-      constructor: -> { _1.map { |n| Kernel.const_get(n.to_s) } }
+      constructor: -> { it.map { |n| Kernel.const_get(n.to_s) } }
     )
   end
 
   setting :db_url, reader: true
 
-  setting :nameservers, default: [], constructor: -> { _1.split(",") }
+  setting :nameservers, default: [], constructor: -> { it.split(",") }
 
   MetricsRegistry = Prometheus::Client.registry
 
@@ -78,7 +79,7 @@ module Bullion
     @ca_cert ||= OpenSSL::X509::Certificate.new(ca_cert_file)
   end
 
-  def self.rotate_keys!
+  def self.rotate_keys! # rubocop:disable Naming/PredicateMethod
     @ca_key = nil
     @ca_cert = nil
     ca_key

data/release-please-config.json

@@ -0,0 +1,15 @@
+{
+  "bootstrap-sha": "e9c5861bb935613ced5a908487a122f9b4136de9",
+  "last-release-sha": "e9c5861bb935613ced5a908487a122f9b4136de9",
+  "packages": {
+    ".": {
+      "package-name": "bullion",
+      "changelog-path": "CHANGELOG.md",
+      "release-type": "ruby",
+      "bump-minor-pre-major": true,
+      "bump-patch-for-minor-pre-major": true,
+      "version-file": "lib/bullion/version.rb"
+    }
+  },
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json"
+}