{ config, pkgs, lib, ... }: let cfg = config.my.services.gerrit; oauth = pkgs.fetchurl { url = "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar"; sha256 = "312dc494c454ac15f89a289f95ea4c11344add26804aaa6a3b79d49fd92adc69"; }; in { options.my.services.gerrit = with lib; { enable = mkEnableOption "gerrit git server"; vhostName = mkOption { type = types.str; example = "cl.fcuny.net"; description = "Name for the virtual host"; }; }; config = lib.mkIf cfg.enable { services.gerrit = { enable = true; listenAddress = "[::]:4778"; serverId = "36bc0ffe-8f33-4045-bf8b-de5f88815fc0"; builtinPlugins = [ "download-commands" "hooks" ]; jvmHeapLimit = "4g"; plugins = [ oauth ]; settings = { core.packedGitLimit = "100m"; log.jsonLogging = true; log.textLogging = false; sshd.advertisedAddress = "git.fcuny.net:29418"; cache.web_sessions.maxAge = "3 months"; plugins.allowRemoteAdmin = false; change.enableAttentionSet = true; change.enableAssignee = false; gerrit = { canonicalWebUrl = "https://${cfg.vhostName}"; docUrl = "/Documentation"; }; httpd.listenUrl = "proxy-https://localhost:4778"; download.command = [ "checkout" "cherry_pick" "format_patch" "pull" ]; auth.type = "OAUTH"; # users can change their emails oauth.allowRegisterNewEmail = true; # use gerrit HTTP password auth.gitBasicAuthPolicy = "HTTP"; # Receiving email is not currently supported. sendemail = { enable = false; }; }; }; systemd.services.gerrit = { serviceConfig = { # Using DynamicUser fails to generate correctly the ssh keys # needed for the ssh server that is managed by gerrit. # Instead, let's re-use the git user. DynamicUser = lib.mkForce false; User = "git"; Group = "git"; }; }; services.nginx.virtualHosts."${cfg.vhostName}" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:4778"; }; }; }; }