{ lib, config, pkgs, ... }:

# Git hosting for this host: gitolite manages the bare repositories under
# /var/git, git-daemon serves them anonymously over git://, and cgit (behind
# nginx) serves them over https. A Gerrit instance is configured but disabled.
let
  inherit (config.networking) domain;

  # Gitolite's data directory; the bare repositories live in its
  # "repositories" subdirectory.
  root = "/var/git";
  repositories = "${root}/repositories";

  # Port numbers shared across this host's service modules.
  ports = import ./Ports.nix;
  gerritHttpPort = toString ports.gerrit;
  gerritSshPort = toString ports.gerrit-ssh;

  # The admin key is the first line of Ben.pub (the file may end in a
  # newline, so splitting on "\n" and taking the head yields the key alone).
  adminKey = lib.lists.head (lib.strings.splitString "\n" (builtins.readFile ../Keys/Ben.pub));

  # Extra cgitrc read after the NixOS-generated settings. Ordering matters:
  # scan-path must be the last directive, so it stays at the end of this file.
  # strict-export keeps the web listing in step with what git-daemon exports.
  cgitExtraConfig = builtins.toFile "cgitrc" ''
    strict-export=git-daemon-export-ok
    scan-path=${repositories}
  '';
in
{
  services = {
    gitolite = {
      enable = true;
      enableGitAnnex = true;
      dataDir = root;
      user = "git";
      group = "git";
      adminPubkey = adminKey;
      # commonHooks = [ ./git-hooks ];

      # The umask is necessary to give the git group read permissions;
      # otherwise git-daemon and cgit (via nginx) can't read the repositories.
      # GIT_CONFIG_KEYS = '.*' lets config lines in the gitolite-admin repo set
      # any git config key on hosted repos, including keys git uses to locate
      # executables (e.g. core.hooksPath); this is only as safe as push access
      # to gitolite-admin, so an explicit allow-list is worth considering if
      # more people ever get that access.
      extraGitoliteRc = ''
        $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
        $RC{UMASK} = 0027;
        $RC{GIT_CONFIG_KEYS} = '.*';
      '';
    };

    # Anonymous read-only access over git://, bound to the public domain.
    # exportAll is not set, so presumably only repositories carrying a
    # git-daemon-export-ok marker are served — TODO confirm against the module.
    gitDaemon = {
      enable = true;
      basePath = repositories;
      listenAddress = domain;
      user = "gitDaemon";
      group = "gitDaemon";
    };

    nginx.virtualHosts = {
      # cgit web UI at https://<domain>/git.
      ${domain}.cgit = {
        enable = true;
        location = "/git";
        allowCrawlers = false;
        virtual-root = "/git";
        css = "/git/cgit.css";
        logo = "/git/cgit.png";
        root-title = "ben's git repos";
        root-desc = "building";
        # Per-repo git config may override cgit settings for that repo, so the
        # values set through gitolite's config lines (GIT_CONFIG_KEYS above)
        # also steer how cgit presents a repository.
        enable-git-config = 1;
        # Clone URLs advertised per repo: https via cgit, anonymous git://,
        # and ssh via gitolite.
        clone-url = lib.concatStringsSep " " [
          "https://$HTTP_HOST/git/$CGIT_REPO_URL"
          "git://$HTTP_HOST/$CGIT_REPO_URL"
          "git@$HTTP_HOST:$CGIT_REPO_URL"
        ];
        include = [ cgitExtraConfig ];
      };

      # Reverse proxy for Gerrit on its own subdomain, reusing the host's
      # ACME certificate. Gerrit itself is disabled below.
      "gerrit.${domain}" = {
        forceSSL = true;
        useACMEHost = domain;
        locations."/" = {
          proxyPass = "http://localhost:${gerritHttpPort}";
          extraConfig = ''
            proxy_set_header X-Forwarded-For $remote_addr;
          '';
        };
      };
    };

    # Gerrit code review. Disabled for now; the settings are kept so it can be
    # switched on by flipping enable.
    gerrit = {
      enable = false;
      builtinPlugins = [
        "commit-message-length-validator"
        "delete-project"
        "plugin-manager"
        "singleusergroup"
        "reviewnotes"
      ];
      jvmOpts = [
        # https://stackoverflow.com/a/71817404
        "--add-opens" "java.base/java.lang=ALL-UNNAMED"
        "--add-opens" "java.base/java.util=ALL-UNNAMED"
      ];
      # Pinned by content hash; bump the version and the hash together.
      plugins = [
        (pkgs.fetchurl {
          url = "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
          sha256 = "sha256-MS3ElMRUrBX4miiflepMETRK3SaASqpqO3nUn9kq3Gk=";
        })
      ];
      listenAddress = "[::]:${gerritHttpPort}";
      serverId = "cc6cca15-2a7e-4946-89b9-67f5d6d996ae";
      settings = {
        auth = {
          type = "OAUTH";
          gitBasicAuthPolicy = "HTTP";
        };
        download.command = [ "checkout" "cherry_pick" "pull" "format_patch" ];
        gerrit.canonicalWebUrl = "https://gerrit.${domain}";
        # Gerrit sits behind the nginx vhost above, hence the proxy-https scheme.
        httpd.listenUrl = "proxy-https://${config.services.gerrit.listenAddress}";
        # GitHub OAuth app. The client id is a public identifier; the client
        # secret is not set in this file.
        plugin.gerrit-oauth-provider-github-oauth = {
          root-url = "https://github.com";
          client-id = "e48084aa0eebe31a2b18";
        };
        sshd = {
          advertisedAddress = "gerrit.${domain}:${gerritSshPort}";
          listenAddress = "[::]:${gerritSshPort}";
        };
      };
    };
  };

  # Read access to the repositories is granted through the git group: the
  # gitolite umask above makes them group-readable, so git-daemon's user and
  # nginx (for cgit) are made members of that group.
  users = {
    users = {
      gitDaemon = {
        group = "gitDaemon";
        isSystemUser = true;
        description = "Git daemon user";
        extraGroups = [ "git" ];
      };
      nginx.extraGroups = [ "git" ];
    };
    groups.gitDaemon = { };
  };
}