summaryrefslogtreecommitdiff
path: root/Omni/Cloud/Git.nix
diff options
context:
space:
mode:
authorBen Sima <ben@bsima.me>2024-11-15 14:55:37 -0500
committerBen Sima <ben@bsima.me>2024-12-21 10:06:49 -0500
commit6513755670892983db88a6633b8c1ea6019c03d1 (patch)
tree44e9eccdb7a3a74ab7e96a8fee7572dd6a78dc73 /Omni/Cloud/Git.nix
parentae7b7e0186b5f2e0dcd4d5fac0a71fa264caedc2 (diff)
Re-namespace some stuff to Omni
I was getting confused about what is a product and what is internal infrastructure; I think it is good to keep those things separate. So I moved a bunch of stuff to an Omni namespace, actually most stuff went there. Only things that are explicitly external products are still in the Biz namespace.
Diffstat (limited to 'Omni/Cloud/Git.nix')
-rw-r--r--Omni/Cloud/Git.nix119
1 files changed, 119 insertions, 0 deletions
diff --git a/Omni/Cloud/Git.nix b/Omni/Cloud/Git.nix
new file mode 100644
index 0000000..bc97d23
--- /dev/null
+++ b/Omni/Cloud/Git.nix
@@ -0,0 +1,119 @@
+{ lib, config, pkgs, ... }:
+
+let
+ inherit (config.networking) domain;
+ root = "/var/git";
+ ports = import ./Ports.nix;
+in {
+ services = {
+ cgit.cloud = {
+ enable = true;
+ nginx.location = "/git";
+ nginx.virtualHost = "/git";
+ scanPath = "/var/git/repositories";
+ settings = {
+ strict-export = "git-daemon-export-ok";
+ css = "/git/cgit.css";
+ logo = "/git/cgit.png";
+ root-title = "ben's git repos";
+ root-desc = "building";
+ enable-git-config = 1;
+ clone-url = lib.strings.concatStringsSep " " [
+ "https://$HTTP_HOST/git/$CGIT_REPO_URL"
+ "git://$HTTP_HOST/$CGIT_REPO_URL"
+ "git@$HTTP_HOST:$CGIT_REPO_URL"
+ ];
+ };
+ };
+ gitolite = {
+ enable = true;
+ enableGitAnnex = true;
+ dataDir = root;
+ user = "git";
+ group = "git";
+ # the umask is necessary to give the git group read permissions, otherwise
+ # git-daemon et al can't access the repos
+ extraGitoliteRc = ''
+ $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = '.*';
+ '';
+ adminPubkey = lib.trivial.pipe ../Keys/Ben.pub [
+ builtins.readFile
+ (lib.strings.splitString "\n")
+ lib.lists.head
+ ];
+ # commonHooks = [ ./git-hooks ];
+ };
+ gitDaemon = {
+ enable = true;
+ basePath = "${root}/repositories";
+ listenAddress = domain;
+ user = "gitDaemon";
+ group = "gitDaemon";
+ };
+ gerrit = {
+ enable = false;
+ builtinPlugins = [
+ "commit-message-length-validator"
+ "delete-project"
+ "plugin-manager"
+ "singleusergroup"
+ "reviewnotes"
+ ];
+ jvmOpts = [
+ # https://stackoverflow.com/a/71817404
+ "--add-opens"
+ "java.base/java.lang=ALL-UNNAMED"
+ "--add-opens"
+ "java.base/java.util=ALL-UNNAMED"
+ ];
+ plugins = [
+ (pkgs.fetchurl {
+ url =
+ "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
+ sha256 = "sha256-MS3ElMRUrBX4miiflepMETRK3SaASqpqO3nUn9kq3Gk=";
+ })
+ ];
+ listenAddress = "[::]:${toString ports.gerrit}";
+ serverId = "cc6cca15-2a7e-4946-89b9-67f5d6d996ae";
+ settings = {
+ auth.type = "OAUTH";
+ auth.gitBasicAuthPolicy = "HTTP";
+ download.command = [ "checkout" "cherry_pick" "pull" "format_patch" ];
+ gerrit.canonicalWebUrl = "https://gerrit.${domain}";
+ httpd.listenUrl =
+ "proxy-https://${config.services.gerrit.listenAddress}";
+ plugin.gerrit-oauth-provider-github-oauth = {
+ root-url = "https://github.com";
+ client-id = "e48084aa0eebe31a2b18";
+ };
+ sshd.advertisedAddress =
+ "gerrit.${domain}:${toString ports.gerrit-ssh}";
+ sshd.listenAddress = "[::]:${toString ports.gerrit-ssh}";
+ };
+ };
+ nginx.virtualHosts."gerrit.${domain}" = {
+ forceSSL = true;
+ useACMEHost = domain;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString ports.gerrit}";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ '';
+ };
+ };
+ };
+ # need to specify that these users can access git files by being part of the
+ # git group
+ users.users = {
+ gitDaemon = {
+ group = "gitDaemon";
+ isSystemUser = true;
+ description = "Git daemon user";
+ extraGroups = [ "git" ];
+ };
+ "nginx".extraGroups = [ "git" ];
+ };
+ users.groups = { gitDaemon = { }; };
+}