{ lib, config, pkgs, ... }:
let
# Base domain of this host, read from the system networking options.
domain = config.networking.domain;
# Port numbers come from ./Ports.nix; ports.gerrit and ports.gerrit-ssh are
# the two used below.
ports = import ./Ports.nix;
# Gitolite's data directory. Repositories are referenced below as
# "<root>/repositories".
root = "/var/git";
in {
services = {
# cgit web view of the gitolite repositories, served through nginx under /git.
cgit.cloud = {
  enable = true;
  scanPath = "${root}/repositories";
  nginx = {
    location = "/git";
    # NOTE(review): virtualHost names the nginx server block, so a hostname
    # is expected here; "/git" repeats the location value. Confirm which
    # server_name this instance ends up under.
    virtualHost = "/git";
  };
  settings = {
    root-title = "ben's git repos";
    root-desc = "building";
    css = "/git/cgit.css";
    logo = "/git/cgit.png";
    # Only repositories that contain this marker file are listed. It is the
    # same marker git-daemon looks for, so one file controls publication on
    # both the web view and git://.
    strict-export = "git-daemon-export-ok";
    # Lets each repository's git config supply cgit metadata (gitweb.* and
    # cgit.* keys). Those keys are writable through gitolite.conf because
    # GIT_CONFIG_KEYS is '.*' in the gitolite section, so keep
    # enable-filter-overrides unset: a repository must not be able to choose
    # its own filter programs.
    enable-git-config = 1;
    # $HTTP_HOST is filled in from the request's Host header, so the URLs
    # shown are whatever host name the client asked for. The git:// URL is an
    # unauthenticated, unencrypted transport; https and ssh are the ones that
    # protect integrity.
    clone-url = lib.concatStringsSep " " [
      "https://$HTTP_HOST/git/$CGIT_REPO_URL"
      "git://$HTTP_HOST/$CGIT_REPO_URL"
      "git@$HTTP_HOST:$CGIT_REPO_URL"
    ];
  };
};
# Gitolite: SSH access control for the repositories kept under `root`.
gitolite = {
  enable = true;
  enableGitAnnex = true;
  user = "git";
  group = "git";
  dataDir = root;
  # The admin key is the first line of ../Keys/Ben.pub; any further lines in
  # that file are ignored.
  adminPubkey = lib.lists.head
    (lib.strings.splitString "\n" (builtins.readFile ../Keys/Ben.pub));
  # UMASK 0027 is necessary so the git group can read the repositories;
  # otherwise git-daemon et al can't access them. Users outside the group
  # get no access.
  #
  # GIT_CONFIG_KEYS = '.*' allows gitolite.conf `config` lines to set any git
  # config key on any repository. Some git config keys name programs that git
  # runs, so this gives everyone who can push to gitolite-admin the
  # equivalent of a shell as the git user. That is fine while the only admin
  # already has shell access; if more admins are added, replace '.*' with a
  # space-separated list of the key patterns actually needed (for the cgit
  # metadata above, the gitweb.* and cgit.* keys).
  extraGitoliteRc = ''
    $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
    $RC{UMASK} = 0027;
    $RC{GIT_CONFIG_KEYS} = '.*';
  '';
  # commonHooks = [ ./git-hooks ];
};
# git-daemon serves the repositories under basePath over git://.
# The protocol has no authentication and no encryption, so treat everything
# it exports as public and as unverified on the client side. exportAll is not
# set here, so only repositories containing git-daemon-export-ok are served.
# The daemon runs as its own user and reaches the files through the git group
# (see users.users.gitDaemon).
gitDaemon = {
  enable = true;
  user = "gitDaemon";
  group = "gitDaemon";
  listenAddress = domain;
  basePath = root + "/repositories";
};
# Gerrit code review. Currently disabled: nothing in this attribute set takes
# effect until enable is flipped to true.
gerrit = {
  enable = false;
  serverId = "cc6cca15-2a7e-4946-89b9-67f5d6d996ae";
  # NOTE(review): "[::]" binds the plain-HTTP backend on every interface,
  # while nginx reaches it via localhost. Unless the firewall blocks
  # ports.gerrit, the backend is reachable without TLS and without the
  # X-Forwarded-For header nginx sets; binding to loopback would close that.
  listenAddress = "[::]:${toString ports.gerrit}";
  jvmOpts = [
    # Open java.lang and java.util to reflective access from unnamed modules.
    # https://stackoverflow.com/a/71817404
    "--add-opens"
    "java.base/java.lang=ALL-UNNAMED"
    "--add-opens"
    "java.base/java.util=ALL-UNNAMED"
  ];
  builtinPlugins = [
    "commit-message-length-validator"
    "delete-project"
    "plugin-manager"
    "singleusergroup"
    "reviewnotes"
  ];
  # Third-party plugin jar, pinned by hash: if the release asset ever changes,
  # the fetch fails instead of loading different code into Gerrit.
  plugins = [
    (pkgs.fetchurl {
      url =
        "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
      sha256 = "sha256-MS3ElMRUrBX4miiflepMETRK3SaASqpqO3nUn9kq3Gk=";
    })
  ];
  settings = {
    auth = {
      type = "OAUTH";
      gitBasicAuthPolicy = "HTTP";
    };
    download.command = [ "checkout" "cherry_pick" "pull" "format_patch" ];
    gerrit.canonicalWebUrl = "https://gerrit.${domain}";
    # proxy-https: TLS is terminated by the reverse proxy in front of Gerrit.
    httpd.listenUrl =
      "proxy-https://${config.services.gerrit.listenAddress}";
    plugin.gerrit-oauth-provider-github-oauth = {
      root-url = "https://github.com";
      # The client id is a public identifier. The matching client secret is
      # not in this file and should stay out of the Nix store, which is
      # world-readable.
      # NOTE(review): presumably provided through Gerrit's secure.config;
      # confirm before enabling.
      client-id = "e48084aa0eebe31a2b18";
    };
    sshd = {
      advertisedAddress = "gerrit.${domain}:${toString ports.gerrit-ssh}";
      listenAddress = "[::]:${toString ports.gerrit-ssh}";
    };
  };
};
# TLS front end for Gerrit: plain HTTP is redirected to HTTPS and requests are
# proxied to the Gerrit backend on localhost.
nginx.virtualHosts."gerrit.${domain}" = {
  forceSSL = true;
  # Reuses the ACME certificate issued for `domain`.
  # NOTE(review): that certificate has to cover gerrit.<domain> as well;
  # confirm in the ACME configuration.
  useACMEHost = domain;
  locations = {
    "/" = {
      proxyPass = "http://localhost:${toString ports.gerrit}";
      # Sets X-Forwarded-For to the connecting peer's address, replacing any
      # value the client sent, so the backend never sees a client-supplied
      # address.
      extraConfig = ''
        proxy_set_header X-Forwarded-For $remote_addr;
      '';
    };
  };
};
};
# git-daemon and nginx (for cgit) read the repositories by being members of
# the git group.
# NOTE(review): with gitolite's UMASK 0027 that membership appears to cover
# everything gitolite writes under /var/git, not only the repositories marked
# git-daemon-export-ok. The export marker limits what the two services
# publish; it does not limit what their processes can read.
users.users.gitDaemon = {
  description = "Git daemon user";
  isSystemUser = true;
  group = "gitDaemon";
  extraGroups = [ "git" ];
};
users.users.nginx.extraGroups = [ "git" ];
users.groups.gitDaemon = { };
}