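# Git hosting for this host: gitolite (ssh access and repo management as the
# 'git' user), cgit (read-only web UI on git.<domain>), git-daemon (git://
# protocol, separate user), and a Gerrit instance that is currently disabled.
{ lib, config, pkgs, ... }:
let
  inherit (config.networking) domain;
  # gitolite's dataDir; bare repositories live in "${root}/repositories"
  root = "/var/git";
  # single source of truth for the repository directory, shared by cgit's
  # scanPath and git-daemon's basePath
  repositories = "${root}/repositories";
  # port numbers used below for gerrit (http and ssh)
  ports = import ./Ports.nix;
in {
  services = {
    nginx.virtualHosts = {
      # redirect old subdirectory to new subdomain
      ${domain}.locations."/git".return = "301 https://git.$host";

      "git.${domain}" = {
        forceSSL = true;
        useACMEHost = domain;
        # keep search engines from indexing the repo browser
        extraConfig = ''
          add_header X-Robots-Tag "noindex, follow" always;
        '';
      };

      "gerrit.${domain}" = {
        forceSSL = true;
        useACMEHost = domain;
        locations."/" = {
          proxyPass = "http://localhost:${toString ports.gerrit}";
          # gerrit runs in proxy-https mode (httpd.listenUrl below) and takes
          # the client address from this header
          extraConfig = ''
            proxy_set_header X-Forwarded-For $remote_addr;
          '';
        };
      };
    };

    cgit."git.${domain}" = {
      enable = true;
      # run as the gitolite user so the repos are readable without depending
      # on group permissions
      user = "git";
      group = "git";
      nginx.location = "/";
      scanPath = repositories;
      settings = {
        # only repos containing this marker file are shown; it is the same
        # file git-daemon checks before exporting a repo
        strict-export = "git-daemon-export-ok";
        root-title = "ben's git repos";
        root-desc = "xmpp:buildlog@conference.simatime.com";
        # allow per-repo git config (e.g. cgit.* keys, settable through
        # gitolite because GIT_CONFIG_KEYS below is unrestricted) to override
        # these defaults
        enable-git-config = 1;
        clone-url = lib.strings.concatStringsSep " " [
          # this doesn't work because git-daemon runs as user gitDaemon, but
          # gitolite uses the user 'git', and git says "fatal: detected dubious
          # ownership" if the repo isn't owned by the user executing the git
          # command. so gitDaemon cannot access the repos. if i try to set both
          # users to just 'git' then i get a uid collision. so just forget it
          # "git://$HTTP_HOST/$CGIT_REPO_URL" # must be same as gitDaemon.listenAddress
          "git@${domain}:$CGIT_REPO_URL"
        ];
      };
    };

    gitolite = {
      enable = true;
      enableGitAnnex = true;
      dataDir = root;
      user = "git";
      group = "git";
      # the umask is necessary to give the git group read permissions, otherwise
      # git-daemon et al can't access the repos
      #
      # NOTE(review): GIT_CONFIG_KEYS = '.*' lets anyone who can push to the
      # gitolite-admin repo set any git config key on the served repos. git
      # honours keys such as core.hooksPath in a bare repo, so that amounts to
      # running commands as the 'git' user; gitolite's own docs advise against
      # the unrestricted pattern unless every admin is fully trusted. Fine
      # while the only admin is the key below — revisit before adding admins.
      extraGitoliteRc = ''
        $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
        $RC{UMASK} = 0027;
        $RC{GIT_CONFIG_KEYS} = '.*';
      '';
      # first line of the public key file = the sole initial gitolite admin
      adminPubkey = lib.trivial.pipe ../Keys/Ben.pub [
        builtins.readFile
        (lib.strings.splitString "\n")
        lib.lists.head
      ];
      # commonHooks = [ ./git-hooks ];
    };

    gitDaemon = {
      enable = true;
      basePath = repositories;
      listenAddress = "git.${domain}";
      # dedicated user; it gets read access to the repos via the 'git' group
      # membership declared in users.users below
      user = "gitDaemon";
      group = "gitDaemon";
    };

    gerrit = {
      enable = false;
      builtinPlugins = [
        "commit-message-length-validator"
        "delete-project"
        "plugin-manager"
        "singleusergroup"
        "reviewnotes"
      ];
      jvmOpts = [
        # https://stackoverflow.com/a/71817404
        "--add-opens"
        "java.base/java.lang=ALL-UNNAMED"
        "--add-opens"
        "java.base/java.util=ALL-UNNAMED"
      ];
      plugins = [
        # pinned by hash, so a changed upstream artifact fails the build
        (pkgs.fetchurl {
          url = "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
          sha256 = "sha256-MS3ElMRUrBX4miiflepMETRK3SaASqpqO3nUn9kq3Gk=";
        })
      ];
      # NOTE(review): the http listener binds all interfaces while nginx only
      # proxies from localhost. In proxy-https mode gerrit trusts
      # X-Forwarded-For, so anything able to reach this port directly could
      # supply that header itself; a loopback bind would be tighter if this
      # service is ever enabled.
      listenAddress = "[::]:${toString ports.gerrit}";
      serverId = "cc6cca15-2a7e-4946-89b9-67f5d6d996ae";
      settings = {
        auth.type = "OAUTH";
        auth.gitBasicAuthPolicy = "HTTP";
        download.command = ["checkout" "cherry_pick" "pull" "format_patch"];
        gerrit.canonicalWebUrl = "https://gerrit.${domain}";
        httpd.listenUrl = "proxy-https://${config.services.gerrit.listenAddress}";
        plugin.gerrit-oauth-provider-github-oauth = {
          root-url = "https://github.com";
          # only the (public) client id lives here; the client secret is
          # presumably provided out of band — not in this file
          client-id = "e48084aa0eebe31a2b18";
        };
        sshd.advertisedAddress = "gerrit.${domain}:${toString ports.gerrit-ssh}";
        sshd.listenAddress = "[::]:${toString ports.gerrit-ssh}";
      };
    };
  };

  # need to specify that these users can access git files by being part of the
  # git group
  users.users = {
    gitDaemon = {
      group = "gitDaemon";
      isSystemUser = true;
      description = "Git daemon user";
      extraGroups = ["git"];
    };
    nginx.extraGroups = ["git"];
  };
  users.groups = {gitDaemon = {};};
}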