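# Git hosting for this host: cgit (web UI) and gitolite (ssh access) share the
# "git" user/group under `root`; git-daemon runs as its own user and reaches
# the repositories only through membership of the "git" group. A gerrit
# instance is configured but switched off (`enable = false`).
{
  lib,
  config,
  pkgs,
  ...
}: let
  inherit (config.networking) domain;
  # gitolite's dataDir. Every other service derives its repository path from
  # `repos` so that the location is defined in exactly one place.
  root = "/var/git";
  repos = "${root}/repositories";
  ports = import ./Ports.nix;
in {
  services = {
    # redirect old subdirectory to new subdomain (the request path is not
    # carried over: anything under /git lands on the subdomain's root)
    nginx.virtualHosts.${domain}.locations."/git".return = "301 https://git.$host";
    nginx.virtualHosts."git.${domain}" = {
      forceSSL = true;
      useACMEHost = domain;
      # keep the repo browser out of search engine indexes
      extraConfig = ''
        add_header X-Robots-Tag "noindex, follow" always;
      '';
    };
    cgit."git.${domain}" = {
      enable = true;
      # cgit runs as the repository owner, i.e. with write access to the repos,
      # unlike git-daemon and nginx which only get group read access
      user = "git";
      group = "git";
      nginx.location = "/";
      scanPath = repos;
      settings = {
        # only repositories containing this marker file are published
        strict-export = "git-daemon-export-ok";
        root-title = "ben's git repos";
        root-desc = "xmpp:buildlog@conference.simatime.com";
        # allow per-repository `cgit.*` keys in the repo's git config to
        # override the settings above
        enable-git-config = 1;
        clone-url = lib.strings.concatStringsSep " " [
          # this doesn't work because git-daemon runs as user gitDaemon, but
          # gitolite uses the user 'git', and git says "fatal: detected dubious
          # ownership" if the repo isn't owned by the user executing the git
          # command. so gitDaemon cannot access the repos. if i try to set both
          # users to just 'git' then i get a uid collision. so just forget it
          # "git://$HTTP_HOST/$CGIT_REPO_URL" # must be same as gitDaemon.listenAddress
          "git@${domain}:$CGIT_REPO_URL"
        ];
      };
    };
    gitolite = {
      enable = true;
      enableGitAnnex = true;
      dataDir = root;
      user = "git";
      group = "git";
      # the umask is necessary to give the git group read permissions, otherwise
      # git-daemon et al can't access the repos
      #
      # NOTE(review): GIT_CONFIG_KEYS = '.*' lets anyone who can push to
      # gitolite-admin set arbitrary git config on the server-side repos;
      # gitolite's documentation cautions against '.*' because some keys can
      # cause git to run commands as the "git" user. Acceptable for a
      # single-admin setup, but consider narrowing it to the keys actually
      # needed (e.g. the cgit.* keys used by enable-git-config above).
      extraGitoliteRc = ''
        $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
        $RC{UMASK} = 0027;
        $RC{GIT_CONFIG_KEYS} = '.*';
      '';
      # first line of the key file is the public key itself
      adminPubkey = lib.trivial.pipe ../Keys/Ben.pub [
        builtins.readFile
        (lib.strings.splitString "\n")
        lib.lists.head
      ];
      # commonHooks = [ ./git-hooks ];
    };
    gitDaemon = {
      enable = true;
      basePath = repos;
      listenAddress = "git.${domain}";
      # dedicated user; read access to the repos comes from users.users below
      user = "gitDaemon";
      group = "gitDaemon";
    };
    gerrit = {
      # disabled; the settings below are kept for when it is turned back on
      enable = false;
      builtinPlugins = [
        "commit-message-length-validator"
        "delete-project"
        "plugin-manager"
        "singleusergroup"
        "reviewnotes"
      ];
      jvmOpts = [
        # https://stackoverflow.com/a/71817404
        "--add-opens"
        "java.base/java.lang=ALL-UNNAMED"
        "--add-opens"
        "java.base/java.util=ALL-UNNAMED"
      ];
      plugins = [
        # the hash pins the exact jar; a changed upstream artifact fails the build
        (pkgs.fetchurl {
          url = "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
          sha256 = "sha256-MS3ElMRUrBX4miiflepMETRK3SaASqpqO3nUn9kq3Gk=";
        })
      ];
      listenAddress = "[::]:${toString ports.gerrit}";
      serverId = "cc6cca15-2a7e-4946-89b9-67f5d6d996ae";
      settings = {
        auth.type = "OAUTH";
        auth.gitBasicAuthPolicy = "HTTP";
        download.command = ["checkout" "cherry_pick" "pull" "format_patch"];
        gerrit.canonicalWebUrl = "https://gerrit.${domain}";
        # TLS is terminated by the nginx vhost below
        httpd.listenUrl = "proxy-https://${config.services.gerrit.listenAddress}";
        # only the (public) client id lives here; the OAuth client secret is
        # not set in this file — presumably provisioned out of band
        plugin.gerrit-oauth-provider-github-oauth = {
          root-url = "https://github.com";
          client-id = "e48084aa0eebe31a2b18";
        };
        sshd.advertisedAddress = "gerrit.${domain}:${toString ports.gerrit-ssh}";
        sshd.listenAddress = "[::]:${toString ports.gerrit-ssh}";
      };
    };
    nginx.virtualHosts."gerrit.${domain}" = {
      forceSSL = true;
      useACMEHost = domain;
      locations."/" = {
        proxyPass = "http://localhost:${toString ports.gerrit}";
        extraConfig = ''
          proxy_set_header  X-Forwarded-For $remote_addr;
        '';
      };
    };
  };
  # need to specify that these users can access git files by being part of the
  # git group
  users.users = {
    gitDaemon = {
      group = "gitDaemon";
      isSystemUser = true;
      description = "Git daemon user";
      extraGroups = ["git"];
    };
    nginx.extraGroups = ["git"];
  };
  users.groups = {gitDaemon = {};};
}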