From a4e5f66ccaffff99c7520a888a1dab18db2bdf16 Mon Sep 17 00:00:00 2001
From: Ben Sima
Date: Sat, 12 Nov 2022 15:43:17 -0500
Subject: Deploy gerrit
---
 Biz/Cloud/Git.nix | 50 ++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 48 insertions(+), 2 deletions(-)
(limited to 'Biz/Cloud/Git.nix')
diff --git a/Biz/Cloud/Git.nix b/Biz/Cloud/Git.nix
index 55ca441..a3ae25c 100644
--- a/Biz/Cloud/Git.nix
+++ b/Biz/Cloud/Git.nix
@@ -1,8 +1,9 @@
-{ lib, config, ... }:
+{ lib, config, pkgs, ... }:
 
 let
 inherit (config.networking) domain;
 root = "/var/git";
+ ports = import ./Ports.nix;
 in {
 services = {
 gitolite = {
@@ -27,7 +28,7 @@ in {
 gitDaemon = {
 enable = true;
 basePath = "${root}/repositories";
- listenAddress = "simatime.com";
+ listenAddress = domain;
 user = "gitDaemon";
 group = "gitDaemon";
 };
@@ -53,6 +54,51 @@ in {
 '')
 ];
 };
+ gerrit = {
+ enable = true;
+ builtinPlugins = [
+ "commit-message-length-validator"
+ "plugin-manager"
+ "singleusergroup"
+ "reviewnotes"
+ ];
+ jvmOpts = [
+ # https://stackoverflow.com/a/71817404
+ "--add-opens" "java.base/java.lang=ALL-UNNAMED"
+ "--add-opens" "java.base/java.util=ALL-UNNAMED"
+ ];
+ plugins = [
+ (pkgs.fetchurl {
+ url = "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
+ sha256 = "sha256-MS3ElMRUrBX4miiflepMETRK3SaASqpqO3nUn9kq3Gk=";
+ })
+ ];
+ listenAddress = "[::]:${toString ports.gerrit}";
+ serverId = "cc6cca15-2a7e-4946-89b9-67f5d6d996ae";
+ settings = {
+ auth.type = "OAUTH";
+ auth.gitBasicAuthPolicy = "HTTP";
+ download.command = [ "checkout" "cherry_pick" "pull" "format_patch"];
+ gerrit.canonicalWebUrl = "https://gerrit.${domain}";
+ httpd.listenUrl = "proxy-https://${config.services.gerrit.listenAddress}";
+ plugin.gerrit-oauth-provider-github-oauth = {
+ root-url = "https://github.com";
+ client-id = "e48084aa0eebe31a2b18";
+ };
+ sshd.advertisedAddress = "gerrit.${domain}:${toString ports.gerrit-ssh}";
+ sshd.listenAddress = "[::]:${toString ports.gerrit-ssh}";
+ };
+ };
+ nginx.virtualHosts."gerrit.${domain}" = {
+ forceSSL = true;
+ useACMEHost = domain;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString ports.gerrit}";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ '';
+ };
+ };
 };
 # need to specify that these users can access git files by being part of the
 # git group
-- 
cgit v1.2.3
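Review bot: Gerrit's HTTP listener in the new `gerrit` block is bound to every interface (`listenAddress = "[::]:${toString ports.gerrit}"`), although the only client the hunk sets up for it is the nginx vhost below, which reaches it via `localhost`. Because `httpd.listenUrl` is `proxy-https://…`, Gerrit assumes TLS is terminated in front of it, so a client that reaches that port directly would talk to it over plain HTTP and bypass `forceSSL`; whether the port is reachable depends on firewall settings outside this hunk. Binding to loopback removes that dependency: `listenAddress = "127.0.0.1:${toString ports.gerrit}";` together with `proxyPass = "http://127.0.0.1:${toString ports.gerrit}";`. Separately, the hunk sets the GitHub OAuth `client-id` but no client secret; presumably it is provisioned out of band, and it should stay out of `settings`, which as far as I know is rendered into the world-readable Nix store.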