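# NixOS module: a Gerrit code-review server that sits behind an nginx
# TLS-terminating reverse proxy, logs users in through Google OAuth and
# runs a single custom hook.
{ config, pkgs, lib, ... }:

let
  cfg = config.my.services.gerrit;

  # Wrap the shared gerrit-hook binary under the hook name Gerrit invokes.
  # `exec -a` sets argv[0] to `name`; presumably the binary dispatches on
  # that to know which hook fired — confirm against pkgs.tools.gerrit-hook.
  my-gerrit-hook = name:
    pkgs.writeShellScript "my-gerrit-hook" ''
      exec -a ${name} ${pkgs.tools.gerrit-hook}/bin/gerrit-hook "$@"
    '';

  # Directory handed to Gerrit as hooks.path; only patchset-created is wired.
  gerritHooks = pkgs.runCommandNoCC "gerrit-hooks" { } ''
    mkdir -p $out
    ln -s ${my-gerrit-hook "patchset-created"} $out/patchset-created
  '';

  # Third-party OAuth plugin, pinned by content hash so a changed release
  # asset fails the build instead of being installed silently.
  oauth = pkgs.fetchurl {
    url = "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
    sha256 = "312dc494c454ac15f89a289f95ea4c11344add26804aaa6a3b79d49fd92adc69";
  };
in
{
  options.my.services.gerrit = with lib; {
    enable = mkEnableOption "gerrit git server";

    vhostName = mkOption {
      type = types.str;
      example = "cl.fcuny.net";
      description = "Name for the virtual host";
    };
  };

  config = lib.mkIf cfg.enable {
    # Dedicated unprivileged account; its home is the Gerrit site directory
    # (also the backup path below).
    users.users.git = {
      description = "git";
      home = "/var/lib/gerrit";
      useDefaultShell = true;
      group = "git";
      isSystemUser = true;
    };
    users.groups.git = { };

    services.gerrit = {
      enable = true;

      # Bind the HTTP listener to loopback only. nginx (below) is the only
      # intended client and Gerrit is told via `proxy-https` to trust the
      # proxy's forwarded headers, so this port must not be reachable
      # directly from other hosts regardless of the host firewall.
      # Previously "[::]:4778", i.e. every interface.
      listenAddress = "127.0.0.1:4778";

      serverId = "36bc0ffe-8f33-4045-bf8b-de5f88815fc0";

      builtinPlugins = [
        # commands to download changes
        "download-commands"
        # to run custom hooks
        "hooks"
        # stores review information for Gerrit changes in the
        # refs/notes/review branch.
        "reviewnotes"
      ];

      jvmHeapLimit = "4g";

      plugins = [ oauth ];

      # The default JDK is incompatible with gerrit.
      jvmPackage = pkgs.openjdk11_headless;

      settings = {
        core.packedGitLimit = "100m";

        log.jsonLogging = true;
        log.textLogging = false;

        sshd.advertisedAddress = "git.fcuny.net:29418";

        hooks.path = "${gerritHooks}";

        # Browser sessions stay valid for three months; shorten if the
        # review server holds anything sensitive enough to warrant it.
        cache.web_sessions.maxAge = "3 months";

        # Plugins can only be installed from this module, never over HTTP.
        plugins.allowRemoteAdmin = false;

        change.enableAttentionSet = true;
        change.enableAssignee = false;

        gerrit = {
          canonicalWebUrl = "https://${cfg.vhostName}";
          docUrl = "/Documentation";
        };

        # `proxy-https` tells Gerrit it is fronted by a TLS-terminating
        # proxy and that forwarded headers describe the real client.
        httpd.listenUrl = "proxy-https://localhost:4778";

        download.command = [
          "checkout"
          "cherry_pick"
          "format_patch"
          "pull"
        ];

        # Configure for cgit.  The "\${...}" forms are escaped so Nix leaves
        # them for Gerrit to substitute.
        gitweb = {
          type = "custom";
          url = "https://git.fcuny.net";
          project = "/\${project}";
          revision = "/commit/?id=\${commit}";
          branch = "/log/?h=\${branch}";
          tag = "/tag/?h=\${tag}";
          roottree = "/tree/?h=\${commit}";
          file = "/tree/\${file}?h=\${commit}";
          filehistory = "/log/\${file}?h=\${branch}";
          linkname = "cgit";
        };

        auth.type = "OAUTH";
        # users can change their emails
        oauth.allowRegisterNewEmail = true;
        # Only the public client id lives here; the client secret is not in
        # this module — presumably supplied out of band, confirm where.
        plugin.gerrit-oauth-provider-google-oauth = {
          client-id = "966881439540-5k20bis59lqs2bsi3rukfbveu8r0ta8q.apps.googleusercontent.com";
        };

        # use gerrit HTTP password
        auth.gitBasicAuthPolicy = "HTTP";

        # Receiving email is not currently supported.
        sendemail = {
          enable = true;
          html = false;
          connectTimeout = "10sec";
          # NOTE(review): this value looks truncated in this copy of the
          # file — confirm the intended full sender address.
          from = "gerrit ";
          includeDiff = true;
          smtpEncryption = "tls";
          smtpServer = "smtp.fastmail.com";
          smtpServerPort = 587;
        };
      };
    };

    systemd.services.gerrit = {
      serviceConfig = {
        # Using DynamicUser fails to generate correctly the ssh keys
        # needed for the ssh server that is managed by gerrit.
        # Instead, let's re-use the git user.
        DynamicUser = lib.mkForce false;
        User = "git";
        Group = "git";
      };
    };

    my.services.backup = {
      paths = [ "/var/lib/gerrit" ];
    };

    # Public entry point: TLS via ACME, forwarding to the loopback listener.
    services.nginx.virtualHosts."${cfg.vhostName}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:4778";
      };
    };
  };
}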