author | Ben Sima <ben@bsima.me> | 2024-11-15 14:55:37 -0500 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2024-12-21 10:06:49 -0500 |
commit | 6513755670892983db88a6633b8c1ea6019c03d1 (patch) | |
tree | 44e9eccdb7a3a74ab7e96a8fee7572dd6a78dc73 /Omni/Cloud/Git.nix | |
parent | ae7b7e0186b5f2e0dcd4d5fac0a71fa264caedc2 (diff) |
Re-namespace some stuff to Omni
I was getting confused about what is a product and what is internal
infrastructure; I think it is good to keep those things separate. So I moved a
bunch of stuff to an Omni namespace, actually most stuff went there. Only things
that are explicitly external products are still in the Biz namespace.
Diffstat (limited to 'Omni/Cloud/Git.nix')
-rw-r--r-- | Omni/Cloud/Git.nix | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/Omni/Cloud/Git.nix b/Omni/Cloud/Git.nix
new file mode 100644
index 0000000..bc97d23
--- /dev/null
+++ b/Omni/Cloud/Git.nix
@@ -0,0 +1,119 @@
+{ lib, config, pkgs, ... }:
+
+let
+ inherit (config.networking) domain;
+ root = "/var/git";
+ ports = import ./Ports.nix;
+in {
+ services = {
+ cgit.cloud = {
+ enable = true;
+ nginx.location = "/git";
+ nginx.virtualHost = "/git";
+ scanPath = "/var/git/repositories";
+ settings = {
+ strict-export = "git-daemon-export-ok";
+ css = "/git/cgit.css";
+ logo = "/git/cgit.png";
+ root-title = "ben's git repos";
+ root-desc = "building";
+ enable-git-config = 1;
+ clone-url = lib.strings.concatStringsSep " " [
+ "https://$HTTP_HOST/git/$CGIT_REPO_URL"
+ "git://$HTTP_HOST/$CGIT_REPO_URL"
+ "git@$HTTP_HOST:$CGIT_REPO_URL"
+ ];
+ };
+ };
+ gitolite = {
+ enable = true;
+ enableGitAnnex = true;
+ dataDir = root;
+ user = "git";
+ group = "git";
+ # the umask is necessary to give the git group read permissions, otherwise
+ # git-daemon et al can't access the repos
+ extraGitoliteRc = ''
+ $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = '.*';
+ '';
+ adminPubkey = lib.trivial.pipe ../Keys/Ben.pub [
+ builtins.readFile
+ (lib.strings.splitString "\n")
+ lib.lists.head
+ ];
+ # commonHooks = [ ./git-hooks ];
+ };
+ gitDaemon = {
+ enable = true;
+ basePath = "${root}/repositories";
+ listenAddress = domain;
+ user = "gitDaemon";
+ group = "gitDaemon";
+ };
+ gerrit = {
+ enable = false;
+ builtinPlugins = [
+ "commit-message-length-validator"
+ "delete-project"
+ "plugin-manager"
+ "singleusergroup"
+ "reviewnotes"
+ ];
+ jvmOpts = [
+ # https://stackoverflow.com/a/71817404
+ "--add-opens"
+ "java.base/java.lang=ALL-UNNAMED"
+ "--add-opens"
+ "java.base/java.util=ALL-UNNAMED"
+ ];
+ plugins = [
+ (pkgs.fetchurl {
+ url =
+ "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
+ sha256 = "sha256-MS3ElMRUrBX4miiflepMETRK3SaASqpqO3nUn9kq3Gk=";
+ })
+ ];
+ listenAddress = "[::]:${toString ports.gerrit}";
+ serverId = "cc6cca15-2a7e-4946-89b9-67f5d6d996ae";
+ settings = {
+ auth.type = "OAUTH";
+ auth.gitBasicAuthPolicy = "HTTP";
+ download.command = [ "checkout" "cherry_pick" "pull" "format_patch" ];
+ gerrit.canonicalWebUrl = "https://gerrit.${domain}";
+ httpd.listenUrl =
+ "proxy-https://${config.services.gerrit.listenAddress}";
+ plugin.gerrit-oauth-provider-github-oauth = {
+ root-url = "https://github.com";
+ client-id = "e48084aa0eebe31a2b18";
+ };
+ sshd.advertisedAddress =
+ "gerrit.${domain}:${toString ports.gerrit-ssh}";
+ sshd.listenAddress = "[::]:${toString ports.gerrit-ssh}";
+ };
+ };
+ nginx.virtualHosts."gerrit.${domain}" = {
+ forceSSL = true;
+ useACMEHost = domain;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString ports.gerrit}";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ '';
+ };
+ };
+ };
+ # need to specify that these users can access git files by being part of the
+ # git group
+ users.users = {
+ gitDaemon = {
+ group = "gitDaemon";
+ isSystemUser = true;
+ description = "Git daemon user";
+ extraGroups = [ "git" ];
+ };
+ "nginx".extraGroups = [ "git" ];
+ };
+ users.groups = { gitDaemon = { }; };
+} |
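Review bot: `$RC{GIT_CONFIG_KEYS} = '.*';` in the extraGitoliteRc block lets anyone with write access to the gitolite-admin repo set every git config key on every hosted repository, and git honours keys that make it execute configured commands on the server, so this turns admin-repo access into code execution as the `git` user (gitolite's own rc documentation warns about the `.*` value for this reason). If the setting is only there so that cgit's `enable-git-config = 1` can read per-repo metadata, an allowlist of the keys cgit actually consumes is enough, e.g. `$RC{GIT_CONFIG_KEYS} = 'gitweb\..*';` — confirm the exact key set against the cgit version deployed. Separately, `nginx.virtualHost = "/git"` a few lines above looks like a URL path rather than a host name; presumably `domain` was intended, matching `useACMEHost = domain` on the gerrit vhost further down.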