Diffstat (limited to 'modules/services/gerrit/default.nix')
-rw-r--r-- | modules/services/gerrit/default.nix | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/modules/services/gerrit/default.nix b/modules/services/gerrit/default.nix
new file mode 100644
index 0000000..485bd58
--- /dev/null
+++ b/modules/services/gerrit/default.nix
@@ -0,0 +1,120 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.my.services.gerrit;
+ oauth = pkgs.fetchurl {
+ url =
+ "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
+ sha256 = "312dc494c454ac15f89a289f95ea4c11344add26804aaa6a3b79d49fd92adc69";
+ };
+in {
+ options.my.services.gerrit = with lib; {
+ enable = mkEnableOption "gerrit git server";
+ vhostName = mkOption {
+ type = types.str;
+ example = "cl.fcuny.net";
+ description = "Name for the virtual host";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users.git = {
+ description = "git";
+ home = "/var/lib/gerrit";
+ useDefaultShell = true;
+ group = "git";
+ isSystemUser = true;
+ };
+ users.groups.git = { };
+
+ services.gerrit = {
+ enable = true;
+ listenAddress = "[::]:4778";
+ serverId = "36bc0ffe-8f33-4045-bf8b-de5f88815fc0";
+ builtinPlugins = [ "download-commands" "hooks" ];
+ jvmHeapLimit = "4g";
+
+ plugins = [ oauth ];
+
+ # The default JDK is incompatible with gerrit.
+ jvmPackage = pkgs.openjdk11_headless;
+
+ settings = {
+ core.packedGitLimit = "100m";
+ log.jsonLogging = true;
+ log.textLogging = false;
+ sshd.advertisedAddress = "git.fcuny.net:29418";
+ cache.web_sessions.maxAge = "3 months";
+ plugins.allowRemoteAdmin = false;
+ change.enableAttentionSet = true;
+ change.enableAssignee = false;
+
+ gerrit = {
+ canonicalWebUrl = "https://${cfg.vhostName}";
+ docUrl = "/Documentation";
+ };
+
+ httpd.listenUrl = "proxy-https://localhost:4778";
+
+ download.command = [ "checkout" "cherry_pick" "format_patch" "pull" ];
+
+ # Configure for cgit.
+ gitweb = {
+ type = "custom";
+ url = "https://git.fcuny.net";
+ project = "/\${project}";
+ revision = "/commit/?id=\${commit}";
+ branch = "/log/?h=\${branch}";
+ tag = "/tag/?h=\${tag}";
+ roottree = "/tree/?h=\${commit}";
+ file = "/tree/\${file}?h=\${commit}";
+ filehistory = "/log/\${file}?h=\${branch}";
+ linkname = "cgit";
+ };
+
+ auth.type = "OAUTH";
+
+ # users can change their emails
+ oauth.allowRegisterNewEmail = true;
+
+ plugin.gerrit-oauth-provider-google-oauth = {
+ client-id =
+ "966881439540-5k20bis59lqs2bsi3rukfbveu8r0ta8q.apps.googleusercontent.com";
+ };
+
+ # use gerrit HTTP password
+ auth.gitBasicAuthPolicy = "HTTP";
+
+ # Receiving email is not currently supported.
+ sendemail = {
+ enable = true;
+ html = false;
+ connectTimeout = "10sec";
+ from = "gerrit <gerrit@fcuny.net>";
+ includeDiff = true;
+ smtpEncryption = "tls";
+ smtpServer = "smtp.fastmail.com";
+ smtpServerPort = 587;
+ };
+ };
+ };
+
+ systemd.services.gerrit = {
+ serviceConfig = {
+ # Using DynamicUser fails to generate correctly the ssh keys
+ # needed for the ssh server that is managed by gerrit.
+ # Instead, let's re-use the git user.
+ DynamicUser = lib.mkForce false;
+ User = "git";
+ Group = "git";
+ };
+ };
+
+ my.services.backup = { paths = [ "/var/lib/gerrit" ]; };
+
+ services.nginx.virtualHosts."${cfg.vhostName}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = { proxyPass = "http://127.0.0.1:4778"; };
+ };
+ };
+}
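Review bot: `listenAddress = "[::]:4778";` binds Gerrit's plain-HTTP port on every interface, while `httpd.listenUrl = "proxy-https://localhost:4778";` and the nginx `proxyPass = "http://127.0.0.1:4778"` assume that port is only ever reached through the local TLS-terminating proxy; unless a host firewall elsewhere closes 4778, the backend is reachable directly, bypassing nginx and the forwarded-header assumptions that `proxy-https` implies. Since this address is what the NixOS gerrit module appears to hand to its socket unit, restricting it to loopback keeps it consistent with the proxy target: `listenAddress = "127.0.0.1:4778";`. Separately, `cache.web_sessions.maxAge = "3 months"` keeps any leaked or forgotten browser session valid for a long time; if that lifetime is deliberate, a one-line comment saying so would help the next reader, otherwise a shorter value is worth considering.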