# Gerrit configuration for the TVL monorepo
#
# NixOS module fragment that enables Gerrit behind nginx, wires the
# besadii hooks, Keycloak OAuth login, code-owners enforcement, outbound
# mail and replication to a secondary host.
#
# Secrets are deliberately NOT in this file (and therefore not in the Nix
# store): the OAuth client secret and the SMTP password live in
# /var/lib/gerrit/etc/secure.config, and the besadii configuration is an
# agenix secret under /run/agenix. Keep it that way when adding options.
{ depot, pkgs, config, lib, ... }:

let
  cfg = config.services.gerrit;

  # Wrapper that launches besadii with its config path exported.
  # `exec -a ${name}` sets argv[0] to the hook name, presumably so one
  # besadii binary can tell which Gerrit hook invoked it.
  #
  # NOTE(review): the hooks run as the Gerrit service user (`git`, see the
  # systemd override below), so /run/agenix/gerrit-besadii-config must be
  # readable by that user; nothing in this file enforces that.
  besadiiWithConfig = name: pkgs.writeShellScript "besadii-whitby" ''
    export BESADII_CONFIG=/run/agenix/gerrit-besadii-config
    exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
  '';

  # Hook directory consumed by Gerrit's builtin "hooks" plugin via
  # `hooks.path` below. Gerrit executes the script matching the event
  # name, so only `change-merged` and `patchset-created` are handled.
  gerritHooks = pkgs.runCommand "gerrit-hooks" { } ''
    mkdir -p $out
    ln -s ${besadiiWithConfig "change-merged"} $out/change-merged
    ln -s ${besadiiWithConfig "patchset-created"} $out/patchset-created
  '';
in
{
  services.gerrit = {
    enable = true;

    # 4778 - grrt. Binds on all interfaces; TLS is terminated by nginx and
    # Gerrit is told so via `httpd.listenUrl` (proxy-https) below.
    #
    # NOTE(review): with proxy-https Gerrit trusts the proxy for client
    # address and scheme, so anything that can reach 4778 directly bypasses
    # nginx. Confirm the port is firewalled from outside the host; this
    # file does not restrict it.
    listenAddress = "[::]:4778";

    # Persistent identity of this Gerrit instance; presumably should stay
    # stable across redeploys.
    serverId = "4fdfa107-4df9-4596-8e0a-1d2bbdd96e36";

    # Plugins shipped inside the Gerrit release itself.
    builtinPlugins = [
      "download-commands"
      "hooks"
      "replication"
    ];

    # Out-of-tree plugins: OWNERS enforcement, OAuth login, and TVL's own
    # UI plugin.
    plugins = with depot.third_party.gerrit_plugins; [
      code-owners
      oauth
      depot.ops.gerrit-tvl
    ];

    package = depot.third_party.gerrit;

    jvmHeapLimit = "4g";

    # In some NixOS channel bump, the default version of OpenJDK has
    # changed to one that is incompatible with our current version of
    # Gerrit, so the JVM is pinned to Java 17 explicitly.
    #
    # TODO(tazjin): Update Gerrit and remove this when possible.
    jvmPackage = pkgs.openjdk17_headless;

    settings = {
      # Limits memory used for packed git data (JGit cache).
      core.packedGitLimit = "100m";

      # Structured logs only; easier to ship to log tooling than text logs.
      log.jsonLogging = true;
      log.textLogging = false;

      # Address shown to clients for git-over-SSH. `sshd.listenAddress` is
      # not set here, so the SSH daemon uses Gerrit's default bind.
      sshd.advertisedAddress = "code.tvl.fyi:29418";

      # Directory of event hooks (see gerritHooks above).
      hooks.path = "${gerritHooks}";

      # Browser sessions stay valid this long. NOTE(review): a leaked
      # session cookie is usable for up to 3 months unless the user logs
      # out; reconsider if the threat model tightens.
      cache.web_sessions.maxAge = "3 months";

      # Plugins may only be changed through this Nix config, never
      # installed/enabled/removed over the SSH or REST admin API.
      plugins.allowRemoteAdmin = false;

      # UI: attention set on, legacy assignee field off.
      change.enableAttentionSet = true;
      change.enableAssignee = false;

      # Configures gerrit for being reverse-proxied by nginx as per
      # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
      gerrit = {
        canonicalWebUrl = "https://cl.tvl.fyi";
        docUrl = "/Documentation";
      };

      # proxy-https tells Gerrit that the proxy terminates TLS; see the
      # note on listenAddress above.
      httpd.listenUrl = "proxy-https://${cfg.listenAddress}";

      # Download commands offered in the change UI.
      download.command = [
        "checkout"
        "cherry_pick"
        "format_patch"
        "pull"
      ];

      # Configure for cgit. The `\${...}` escapes keep the placeholders
      # literal for Gerrit rather than having Nix interpolate them.
      gitweb = {
        type = "custom";
        url = "https://code.tvl.fyi";
        project = "/";
        revision = "/commit/?id=\${commit}";
        branch = "/log/?h=\${branch}";
        tag = "/tag/?h=\${tag}";
        roottree = "/tree/?h=\${commit}";
        file = "/tree/\${file}?h=\${commit}";
        filehistory = "/log/\${file}?h=\${branch}";
        linkname = "cgit";
      };

      # Auto-link panettone bug links. The capture group only admits
      # digits, so `$1` cannot inject anything else into the URL.
      commentlink.panettone = {
        match = "b/(\\d+)";
        link = "https://b.tvl.fyi/issues/$1";
      };

      # Auto-link other CLs; same digits-only capture as above.
      commentlink.gerrit = {
        match = "cl/(\\d+)";
        link = "https://cl.tvl.fyi/$1";
      };

      # Configures integration with Keycloak, which then integrates with a
      # variety of backends.
      auth.type = "OAUTH";
      plugin.gerrit-oauth-provider-keycloak-oauth = {
        root-url = "https://auth.tvl.fyi/auth";
        realm = "TVL";
        client-id = "gerrit";
        # client-secret is set in /var/lib/gerrit/etc/secure.config.
      };

      plugin.code-owners = {
        # A Code-Review +2 vote is required from a code owner.
        requiredApproval = "Code-Review+2";

        # The OWNERS check can be overriden using an Owners-Override vote.
        # NOTE(review): the Owners-Override label itself is defined in
        # project config (not here); who may vote on it decides how strong
        # this gate is.
        overrideApproval = "Owners-Override+1";

        # People implicitly approve their own changes automatically.
        # NOTE(review): this means an uploader who is a code owner
        # satisfies the owner check on their own change, so the
        # code-owners gate alone does not guarantee a second reviewer.
        enableImplicitApprovals = "TRUE";
      };

      # Allow users to add additional email addresses to their accounts.
      # NOTE(review): confirm Gerrit's email verification flow applies to
      # addresses registered this way, since emails are presumably what
      # OWNERS entries are matched against.
      oauth.allowRegisterNewEmail = true;

      # Use Gerrit's built-in HTTP passwords, rather than trying to use the
      # password against the backing OAuth provider. The Keycloak password
      # is never presented to Gerrit for git-over-HTTP.
      auth.gitBasicAuthPolicy = "HTTP";

      # Email sending (emails are relayed via the tazj.in domain's
      # GSuite currently).
      #
      # Note that sendemail.smtpPass is stored in
      # $site_path/etc/secure.config and is *not* controlled by Nix.
      #
      # Receiving email is not currently supported.
      sendemail = {
        enable = true;
        html = false;
        connectTimeout = "10sec";
        from = "TVL Code Review <tvlbot@tazj.in>";

        # NOTE(review): includeDiff puts patch content into outbound
        # mail, which matters if any project is access-restricted.
        includeDiff = true;

        # Plaintext SMTP is only to a local relay on this host; the relay
        # is presumably what speaks TLS to GSuite.
        smtpEncryption = "none";
        smtpServer = "localhost";
        smtpServerPort = 2525;
      };
    };

    # Replication of the depot repository to secondary machines, for
    # serving cgit/josh.
    #
    # NOTE(review): pushes go over SSH as the `git` service user; the key
    # and host-key verification for sanduny come from that user's SSH
    # setup, which is not managed in this file.
    replicationSettings = {
      gerrit.replicateOnStartup = true;

      remote.sanduny = {
        url = "depot@sanduny.tvl.su:/var/lib/depot";
        projects = "depot";
      };
    };
  };

  systemd.services.gerrit = {
    serviceConfig = {
      # There seems to be no easy way to get `DynamicUser` to play
      # well with other services (e.g. by using SupplementaryGroups,
      # which seem to have no effect) so we force the DynamicUser
      # setting for the Gerrit service to be disabled and reuse the
      # existing 'git' user.
      #
      # NOTE(review): consequence is that hooks, replication pushes and
      # any other service running as `git` share access to
      # /var/lib/gerrit, including etc/secure.config.
      DynamicUser = lib.mkForce false;
      User = "git";
      Group = "git";
    };
  };

  # Backups of the Gerrit site. NOTE(review): this includes
  # etc/secure.config (OAuth client secret, SMTP password), so the restic
  # repository must be treated as secret-bearing.
  services.depot.restic = {
    paths = [ "/var/lib/gerrit" ];
    exclude = [ "/var/lib/gerrit/tmp" ];
  };
}