summaryrefslogtreecommitdiff
path: root/Omni/Cloud/Git.nix
blob: bc97d23882a912927b730e616d367c8513ae0bb8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
{ lib, config, pkgs, ... }:

let
  inherit (config.networking) domain;
  root = "/var/git";
  ports = import ./Ports.nix;
in {
  services = {
    cgit.cloud = {
      enable = true;
      nginx.location = "/git";
      nginx.virtualHost = "/git";
      scanPath = "/var/git/repositories";
      settings = {
        strict-export = "git-daemon-export-ok";
        css = "/git/cgit.css";
        logo = "/git/cgit.png";
        root-title = "ben's git repos";
        root-desc = "building";
        enable-git-config = 1;
        clone-url = lib.strings.concatStringsSep " " [
          "https://$HTTP_HOST/git/$CGIT_REPO_URL"
          "git://$HTTP_HOST/$CGIT_REPO_URL"
          "git@$HTTP_HOST:$CGIT_REPO_URL"
        ];
      };
    };
    gitolite = {
      enable = true;
      enableGitAnnex = true;
      dataDir = root;
      user = "git";
      group = "git";
      # the umask is necessary to give the git group read permissions, otherwise
      # git-daemon et al can't access the repos
      extraGitoliteRc = ''
        $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
        $RC{UMASK} = 0027;
        $RC{GIT_CONFIG_KEYS} = '.*';
      '';
      adminPubkey = lib.trivial.pipe ../Keys/Ben.pub [
        builtins.readFile
        (lib.strings.splitString "\n")
        lib.lists.head
      ];
      # commonHooks = [ ./git-hooks ];
    };
    gitDaemon = {
      enable = true;
      basePath = "${root}/repositories";
      listenAddress = domain;
      user = "gitDaemon";
      group = "gitDaemon";
    };
    gerrit = {
      enable = false;
      builtinPlugins = [
        "commit-message-length-validator"
        "delete-project"
        "plugin-manager"
        "singleusergroup"
        "reviewnotes"
      ];
      jvmOpts = [
        # https://stackoverflow.com/a/71817404
        "--add-opens"
        "java.base/java.lang=ALL-UNNAMED"
        "--add-opens"
        "java.base/java.util=ALL-UNNAMED"
      ];
      plugins = [
        (pkgs.fetchurl {
          url =
            "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
          sha256 = "sha256-MS3ElMRUrBX4miiflepMETRK3SaASqpqO3nUn9kq3Gk=";
        })
      ];
      listenAddress = "[::]:${toString ports.gerrit}";
      serverId = "cc6cca15-2a7e-4946-89b9-67f5d6d996ae";
      settings = {
        auth.type = "OAUTH";
        auth.gitBasicAuthPolicy = "HTTP";
        download.command = [ "checkout" "cherry_pick" "pull" "format_patch" ];
        gerrit.canonicalWebUrl = "https://gerrit.${domain}";
        httpd.listenUrl =
          "proxy-https://${config.services.gerrit.listenAddress}";
        plugin.gerrit-oauth-provider-github-oauth = {
          root-url = "https://github.com";
          client-id = "e48084aa0eebe31a2b18";
        };
        sshd.advertisedAddress =
          "gerrit.${domain}:${toString ports.gerrit-ssh}";
        sshd.listenAddress = "[::]:${toString ports.gerrit-ssh}";
      };
    };
    nginx.virtualHosts."gerrit.${domain}" = {
      forceSSL = true;
      useACMEHost = domain;
      locations."/" = {
        proxyPass = "http://localhost:${toString ports.gerrit}";
        extraConfig = ''
          proxy_set_header  X-Forwarded-For $remote_addr;
        '';
      };
    };
  };
  # need to specify that these users can access git files by being part of the
  # git group
  users.users = {
    gitDaemon = {
      group = "gitDaemon";
      isSystemUser = true;
      description = "Git daemon user";
      extraGroups = [ "git" ];
    };
    "nginx".extraGroups = [ "git" ];
  };
  users.groups = { gitDaemon = { }; };
}