feat(whitby): Enable Gerrit & cgit deployments

Change-Id: Ic701552e130252cfff005938d9c4e98423a7a96a Reviewed-on: https://cl.tvl.fyi/c/depot/+/1069 Reviewed-by: lukegb <lukegb@tvl.fyi> Tested-by: BuildkiteCI
2020-07-12 14:02:50 +01:00 · 2020-07-12 14:02:50 +01:00 · 405b7ec95b
commit 405b7ec95b
parent d76f1eb10b
3 changed files with 67 additions and 1 deletions
--- a/ops/nixos/whitby/default.nix
+++ b/ops/nixos/whitby/default.nix
@ -17,13 +17,17 @@ in {
  imports = [
    "${depot.depotPath}/ops/nixos/clbot.nix"
    "${depot.depotPath}/ops/nixos/depot.nix"
+    "${depot.depotPath}/ops/nixos/monorepo-gerrit.nix"
    "${depot.depotPath}/ops/nixos/smtprelay.nix"
    "${depot.depotPath}/ops/nixos/sourcegraph.nix"
    "${depot.depotPath}/ops/nixos/tvl-slapd/default.nix"
    "${depot.depotPath}/ops/nixos/tvl-sso/default.nix"
+    "${depot.depotPath}/ops/nixos/www/cl.tvl.fyi.nix"
+    "${depot.depotPath}/ops/nixos/www/code.tvl.fyi.nix"
    "${depot.depotPath}/ops/nixos/www/cs.tvl.fyi.nix"
    "${depot.depotPath}/ops/nixos/www/login.tvl.fyi.nix"
    "${depot.depotPath}/ops/nixos/www/tvl.fyi.nix"
+    "${depot.third_party.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix"
  ];

  hardware = {
@ -110,7 +114,7 @@ in {
      interface = "enp196s0";
    };

-    firewall.allowedTCPPorts = [ 22 80 443 4238 ];
+    firewall.allowedTCPPorts = [ 22 80 443 4238 29418 ];

    interfaces.enp196s0.useDHCP = true;
    interfaces.enp196s0.ipv6.addresses = [
@ -204,6 +208,18 @@ in {
    zfstools
  ];

+  # Run cgit for the depot. The onion here is nginx(thttpd(cgit)).
+  systemd.services.cgit = {
+    wantedBy = [ "multi-user.target" ];
+    script = "${depot.web.cgit-taz}/bin/cgit-launch";
+
+    serviceConfig = {
+      Restart = "on-failure";
+      User = "git";
+      Group = "git";
+    };
+  };
+
  security.sudo.extraRules = [
    {
      groups = ["wheel"];
--- a/ops/nixos/www/cl.tvl.fyi.nix
+++ b/ops/nixos/www/cl.tvl.fyi.nix
@ -0,0 +1,23 @@
+{ config, ... }:
+
+{
+  imports = [
+    ./base.nix
+  ];
+
+  config = {
+    services.nginx.virtualHosts.gerrit = {
+      serverName = "cl.tvl.fyi";
+      enableACME = true;
+      forceSSL = true;
+
+      extraConfig = ''
+        location / {
+          proxy_pass http://localhost:4778;
+          proxy_set_header  X-Forwarded-For $remote_addr;
+          proxy_set_header  Host $host;
+        }
+      '';
+    };
+  };
+}
--- a/ops/nixos/www/code.tvl.fyi.nix
+++ b/ops/nixos/www/code.tvl.fyi.nix
@ -0,0 +1,27 @@
+{ config, ... }:
+
+{
+  imports = [
+    ./base.nix
+  ];
+
+  config = {
+    services.nginx.virtualHosts.cgit = {
+      serverName = "code.tvl.fyi";
+      enableACME = true;
+      forceSSL = true;
+
+      extraConfig = ''
+        # Static assets must always hit the root.
+        location ~ ^/(favicon\.ico|cgit\.(css|png))$ {
+           proxy_pass http://localhost:2448;
+        }
+
+        # Everything else hits the depot directly.
+        location / {
+            proxy_pass http://localhost:2448/cgit.cgi/depot/;
+        }
+      '';
+    };
+  };
+}