tvl-depot/ops/nixos/modules/monorepo-gerrit.nix

# Gerrit configuration for the TVL monorepo
{ pkgs, config, lib, ... }:

let cfg = config.services.gerrit;
in {
  services.gerrit = {
    enable = true;
    listenAddress = "[::]:4778"; # 4778 - grrt
    serverId = "4fdfa107-4df9-4596-8e0a-1d2bbdd96e36";
    settings = {
      core.packedGitLimit = "100m";
      log.jsonLogging = true;
      log.textLogging = false;

      # Configures gerrit for being reverse-proxied by nginx as per
      # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
      gerrit.canonicalWebUrl = "https://cl.tvl.fyi";
      httpd.listenUrl = "proxy-https://${cfg.listenAddress}";

      # Configure for cgit.
      gitweb = {
        type = "custom";
        url = "https://git.tazj.in";
        project = "/";
        revision = "/commit/?id=\${commit}";
        branch = "/log/?h=\${branch}";
        tag = "/tag/?h=\${tag}";
        roottree = "/tree/?h=\${commit}";
        file = "/tree/\${file}?h=\${commit}";
        filehistory = "/log/\${file}?h=\${branch}";
        linkname = "cgit";
      };

      # Configures integration with the locally running OpenLDAP
      auth.type = "LDAP";
      ldap = {
        server = "ldap://localhost";
        accountBase = "ou=users,dc=tvl,dc=fyi";
        accountPattern = "(&(objectClass=organizationalPerson)(cn=\${username}))";
        accountFullName = "cn";
        accountEmailAddress = "mail";
        accountSshUserName = "cn";
        groupBase = "ou=groups,dc=tvl,dc=fyi";

        # TODO(tazjin): Assuming this is what we'll be doing ...
        groupMemberPattern = "(&(objectClass=group)(member=\${dn}))";
      };
    };
  };

  systemd.services.gerrit = {
    serviceConfig = {
      # There seems to be no easy way to get `DynamicUser` to play
      # well with other services (e.g. by using SupplementaryGroups,
      # which seem to have no effect) so we force the DynamicUser
      # setting for the Gerrit service to be disabled and reuse the
      # existing 'git' user.
      DynamicUser = lib.mkForce false;
      User = "git";
      Group = "git";
    };
  };
}
feat(ops/nixos): Add module for configuring Gerrit for the repo 2020-06-07 20:30:52 +02:00			`# Gerrit configuration for the TVL monorepo`
			`{ pkgs, config, lib, ... }:`

fix(monorepo-gerrit): Configure nginx reverse proxy correctly Configures the reverse-proxy as per Gerrit's documentation at https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html 2020-06-11 00:40:34 +02:00			`let cfg = config.services.gerrit;`
			`in {`
feat(ops/nixos): Add module for configuring Gerrit for the repo 2020-06-07 20:30:52 +02:00			`services.gerrit = {`
			`enable = true;`
			`listenAddress = "[::]:4778"; # 4778 - grrt`
			`serverId = "4fdfa107-4df9-4596-8e0a-1d2bbdd96e36";`
			`settings = {`
			`core.packedGitLimit = "100m";`
			`log.jsonLogging = true;`
			`log.textLogging = false;`
fix(monorepo-gerrit): Configure nginx reverse proxy correctly Configures the reverse-proxy as per Gerrit's documentation at https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html 2020-06-11 00:40:34 +02:00
			`# Configures gerrit for being reverse-proxied by nginx as per`
			`# https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html`
			`gerrit.canonicalWebUrl = "https://cl.tvl.fyi";`
			`httpd.listenUrl = "proxy-https://${cfg.listenAddress}";`
feat(monorepo-gerrit): Configure Gerrit for LDAP authentication 2020-06-08 02:35:45 +02:00
feat(monorepo-gerrit): link to git.tazj.in as source browser Change-Id: Ia31389a958c1927b63dfebb7c2ed2054177410b4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/23 Reviewed-by: tazjin <mail@tazj.in> 2020-06-11 23:49:37 +02:00			`# Configure for cgit.`
			`gitweb = {`
			`type = "custom";`
			`url = "https://git.tazj.in";`
			`project = "/";`
			`revision = "/commit/?id=\${commit}";`
			`branch = "/log/?h=\${branch}";`
			`tag = "/tag/?h=\${tag}";`
			`roottree = "/tree/?h=\${commit}";`
			`file = "/tree/\${file}?h=\${commit}";`
			`filehistory = "/log/\${file}?h=\${branch}";`
			`linkname = "cgit";`
			`};`

feat(monorepo-gerrit): Configure Gerrit for LDAP authentication 2020-06-08 02:35:45 +02:00			`# Configures integration with the locally running OpenLDAP`
			`auth.type = "LDAP";`
			`ldap = {`
			`server = "ldap://localhost";`
			`accountBase = "ou=users,dc=tvl,dc=fyi";`
			`accountPattern = "(&(objectClass=organizationalPerson)(cn=\${username}))";`
			`accountFullName = "cn";`
			`accountEmailAddress = "mail";`
fix(monorepo-gerrit): Extract SSH username from LDAP correctly 2020-06-11 01:04:05 +02:00			`accountSshUserName = "cn";`
feat(monorepo-gerrit): Configure Gerrit for LDAP authentication 2020-06-08 02:35:45 +02:00			`groupBase = "ou=groups,dc=tvl,dc=fyi";`

			`# TODO(tazjin): Assuming this is what we'll be doing ...`
			`groupMemberPattern = "(&(objectClass=group)(member=\${dn}))";`
			`};`
feat(ops/nixos): Add module for configuring Gerrit for the repo 2020-06-07 20:30:52 +02:00			`};`
			`};`
fix(monorepo-gerrit): Disable 'DynamicUser' feature for Gerrit This change makes Gerrit run as the 'git' user, which can be shared by other services such as hound or cgit to access the git trees. Change-Id: Ic6c91f3e852184f5ef21f4374738cbf687462194 Reviewed-on: https://cl.tvl.fyi/c/depot/+/21 Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: isomer <isomer@tvl.in> 2020-06-11 23:47:41 +02:00
			`systemd.services.gerrit = {`
			`serviceConfig = {`
			# There seems to be no easy way to get `DynamicUser` to play
			`# well with other services (e.g. by using SupplementaryGroups,`
			`# which seem to have no effect) so we force the DynamicUser`
			`# setting for the Gerrit service to be disabled and reuse the`
			`# existing 'git' user.`
			`DynamicUser = lib.mkForce false;`
			`User = "git";`
			`Group = "git";`
			`};`
			`};`
feat(ops/nixos): Add module for configuring Gerrit for the repo 2020-06-07 20:30:52 +02:00			`}`