feat(monorepo-gerrit): use CAS for authentication

This drops the old LDAP configuration and uses CAS instead. All hail the
hypnotoad.

Change-Id: I515a213f09073bb52bfb75afe2988b935a076087
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2783
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>

ops/nixos/monorepo-gerrit.nix

@@ -20,6 +20,7 @@ in {
     plugins = with depot.third_party.gerrit_plugins; [
       checks
       owners
+      oauth
     ];
 
     package = depot.third_party.gerrit;
@@ -73,21 +74,19 @@ in {
         html = "<a href=\"https://b.tvl.fyi/issues/$1\">b/$1</a>";
       };
 
-      # Configures integration with the locally running OpenLDAP
+      # Configures integration with CAS, which then integrates with a variety
-      auth.type = "LDAP";
+      # of backends.
-      ldap = {
+      auth.type = "OAUTH";
-        server = "ldap://localhost";
+      plugin.gerrit-oauth-provider-cas-oauth = {
-        accountBase = "ou=users,dc=tvl,dc=fyi";
+        root-url = "https://login.tvl.fyi";
-        accountPattern = "(&(objectClass=organizationalPerson)(cn=\${username}))";
+        client-id = "OAUTH-TVL-gerrit-Fv0d8Aizz5";
-        accountFullName = "displayName";
+        # client-secret is set in /var/lib/gerrit/etc/secure.config.
-        accountEmailAddress = "mail";
-        accountSshUserName = "cn";
-        groupBase = "ou=groups,dc=tvl,dc=fyi";
-
-        # TODO(tazjin): Assuming this is what we'll be doing ...
-        groupMemberPattern = "(&(objectClass=group)(member=\${dn}))";
       };
 
+      # Use Gerrit's built-in HTTP passwords, rather than trying to use the
+      # password against the backing OAuth provider.
+      auth.gitBasicAuthPolicy = "HTTP";
+
       # Email sending (emails are relayed via the tazj.in domain's
       # GSuite currently).
       #