about summary refs log tree commit diff
path: root/modules/services/gerrit/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'modules/services/gerrit/default.nix')
-rw-r--r--modules/services/gerrit/default.nix120
1 files changed, 120 insertions, 0 deletions
diff --git a/modules/services/gerrit/default.nix b/modules/services/gerrit/default.nix
new file mode 100644
index 0000000..485bd58
--- /dev/null
+++ b/modules/services/gerrit/default.nix
@@ -0,0 +1,120 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.my.services.gerrit;
+  oauth = pkgs.fetchurl {
+    url =
+      "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
+    sha256 = "312dc494c454ac15f89a289f95ea4c11344add26804aaa6a3b79d49fd92adc69";
+  };
+in {
+  options.my.services.gerrit = with lib; {
+    enable = mkEnableOption "gerrit git server";
+    vhostName = mkOption {
+      type = types.str;
+      example = "cl.fcuny.net";
+      description = "Name for the virtual host";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.git = {
+      description = "git";
+      home = "/var/lib/gerrit";
+      useDefaultShell = true;
+      group = "git";
+      isSystemUser = true;
+    };
+    users.groups.git = { };
+
+    services.gerrit = {
+      enable = true;
+      listenAddress = "[::]:4778";
+      serverId = "36bc0ffe-8f33-4045-bf8b-de5f88815fc0";
+      builtinPlugins = [ "download-commands" "hooks" ];
+      jvmHeapLimit = "4g";
+
+      plugins = [ oauth ];
+
+      # The default JDK is incompatible with gerrit.
+      jvmPackage = pkgs.openjdk11_headless;
+
+      settings = {
+        core.packedGitLimit = "100m";
+        log.jsonLogging = true;
+        log.textLogging = false;
+        sshd.advertisedAddress = "git.fcuny.net:29418";
+        cache.web_sessions.maxAge = "3 months";
+        plugins.allowRemoteAdmin = false;
+        change.enableAttentionSet = true;
+        change.enableAssignee = false;
+
+        gerrit = {
+          canonicalWebUrl = "https://${cfg.vhostName}";
+          docUrl = "/Documentation";
+        };
+
+        httpd.listenUrl = "proxy-https://localhost:4778";
+
+        download.command = [ "checkout" "cherry_pick" "format_patch" "pull" ];
+
+        # Configure for cgit.
+        gitweb = {
+          type = "custom";
+          url = "https://git.fcuny.net";
+          project = "/\${project}";
+          revision = "/commit/?id=\${commit}";
+          branch = "/log/?h=\${branch}";
+          tag = "/tag/?h=\${tag}";
+          roottree = "/tree/?h=\${commit}";
+          file = "/tree/\${file}?h=\${commit}";
+          filehistory = "/log/\${file}?h=\${branch}";
+          linkname = "cgit";
+        };
+
+        auth.type = "OAUTH";
+
+        # users can change their emails
+        oauth.allowRegisterNewEmail = true;
+
+        plugin.gerrit-oauth-provider-google-oauth = {
+          client-id =
+            "966881439540-5k20bis59lqs2bsi3rukfbveu8r0ta8q.apps.googleusercontent.com";
+        };
+
+        # use gerrit HTTP password
+        auth.gitBasicAuthPolicy = "HTTP";
+
+        # Receiving email is not currently supported.
+        sendemail = {
+          enable = true;
+          html = false;
+          connectTimeout = "10sec";
+          from = "gerrit <gerrit@fcuny.net>";
+          includeDiff = true;
+          smtpEncryption = "tls";
+          smtpServer = "smtp.fastmail.com";
+          smtpServerPort = 587;
+        };
+      };
+    };
+
+    systemd.services.gerrit = {
+      serviceConfig = {
+        # Using DynamicUser fails to generate correctly the ssh keys
+        # needed for the ssh server that is managed by gerrit.
+        # Instead, let's re-use the git user.
+        DynamicUser = lib.mkForce false;
+        User = "git";
+        Group = "git";
+      };
+    };
+
+    my.services.backup = { paths = [ "/var/lib/gerrit" ]; };
+
+    services.nginx.virtualHosts."${cfg.vhostName}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = { proxyPass = "http://127.0.0.1:4778"; };
+    };
+  };
+}