diff --git a/ops/machines/sanduny/default.nix b/ops/machines/sanduny/default.nix
index 4767f6a7b..23d77e947 100644
--- a/ops/machines/sanduny/default.nix
+++ b/ops/machines/sanduny/default.nix
@@ -14,6 +14,7 @@ let
 in
 {
   imports = [
+    (mod "depot-replica.nix")
     (mod "journaldriver.nix")
     (mod "known-hosts.nix")
     (mod "tvl-cache.nix")
@@ -76,6 +77,9 @@ in
     preserveGenerations = "90d";
   };
 
+  # Allow Gerrit to replicate depot to /var/lib/depot
+  services.depot.replica.enable = true;
+
   time.timeZone = "UTC";
 
   # GRUB does not actually need to be installed on disk; Bitfolk have
diff --git a/ops/modules/depot-replica.nix b/ops/modules/depot-replica.nix
new file mode 100644
index 000000000..f5f02a18a
--- /dev/null
+++ b/ops/modules/depot-replica.nix
@@ -0,0 +1,45 @@
+# Configuration for receiving a depot replica from Gerrit's
+# replication plugin.
+#
+# This only prepares the user and folder for receiving the replica,
+# but Gerrit configuration still needs to be modified in addition.
+{ config, depot, lib, pkgs, ... }:
+
+let
+  cfg = config.services.depot.replica;
+in
+{
+  options.services.depot.replica = with lib; {
+    enable = mkEnableOption "Receive depot git replica from Gerrit";
+
+    key = mkOption {
+      description = "Public key to use for replication";
+      type = types.str;
+      default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFFab9O1xaQ1TCyn+CxmXHexdlLzURREG+UR3Qdi3BvH";
+    };
+
+    path = mkOption {
+      description = "Replication destination path (will be created)";
+      type = types.str;
+      default = "/var/lib/depot";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.groups.depot = { };
+
+    users.users.depot = {
+      group = "depot";
+      isSystemUser = true;
+      createHome = true;
+      home = cfg.path;
+      homeMode = "750"; # group can read depot
+      openssh.authorizedKeys.keys = lib.singleton cfg.key;
+      shell = pkgs.bashInteractive; # gerrit needs to run shell commands
+    };
+
+    environment.systemPackages = [
+      pkgs.git
+    ];
+  };
+}
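Review bot: Enabling `services.depot.replica` here silently accepts the module's default `key`, so the identity that gets shell access as `depot` on this host is decided in a shared module rather than in the host configuration. Setting `services.depot.replica.key` explicitly next to the enable line would make that trust decision visible where the host is reviewed, even if the value is the same as the default. The comment `# Allow Gerrit to replicate depot to /var/lib/depot` also hard-codes the module's default `path`; writing it as `# Allow Gerrit to replicate depot (see services.depot.replica.path)` keeps it accurate if the path is ever overridden.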
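Review bot: The authorized key installed via `openssh.authorizedKeys.keys` together with `shell = pkgs.bashInteractive` gives the key holder an unrestricted login shell as `depot`, and neither the `key` option's description nor the module header says so. Since the inline comment states only that Gerrit needs to run shell commands, prefixing the key with the OpenSSH `restrict` option (which disables pty allocation and port/agent/X11 forwarding but still allows command execution) looks compatible with that need and limits what the key can be used for; the `key` description should also state that the holder can execute arbitrary commands as `depot`, e.g. `description = "Public key to use for replication (grants shell access as the depot user)";`. The module does not enable `services.openssh` itself, so presumably it relies on the host already running sshd; a note in the header comment would make that dependency explicit. Finally, the `depot` argument in `{ config, depot, lib, pkgs, ... }:` is never referenced in the module body and can be dropped.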