tvl-depot/ops/nixos/monorepo-gerrit.nix
Vincent Ambo 3b05be2fd0 feat(monorepo-gerrit): Use Sourcegraph as the gitweb for Gerrit
This points commit/file/etc. links from Gerrit to Sourcegraph instead
of cgit.

There's a minor problem with this: some, but not all, unsubmitted CLs
are missing in Sourcegraph for unclear reasons, so their links lead to 404s.

That problem is unrelated to this change and something we need to
investigate separately.

Change-Id: I9b0c1eca8781dc96984ba09b4a71960eb43583bd
Reviewed-on: https://cl.tvl.fyi/c/depot/+/541
Reviewed-by: lukegb <lukegb@tvl.fyi>
2020-06-20 17:29:50 +00:00


# Gerrit configuration for the TVL monorepo.
#
# Declares the Gerrit service itself (listen address, plugins, git config
# style settings for reverse proxying, Sourcegraph links, LDAP auth and
# outbound mail) and pins the systemd unit to the existing 'git' user.
{ pkgs, config, lib, ... }:

let
  cfg = config.services.gerrit;

  # Directory handed to Gerrit's "hooks" plugin. The only hook installed
  # is besadii, exposed under the ref-updated hook name.
  gerritHooks = pkgs.runCommandNoCC "gerrit-hooks" {} ''
    mkdir -p $out
    ln -s ${config.depot.ops.besadii}/bin/besadii $out/ref-updated
  '';

  gerritPlugins = config.depot.third_party.gerrit_plugins;
in
{
  services.gerrit = {
    enable = true;
    package = config.depot.third_party.gerrit;
    serverId = "4fdfa107-4df9-4596-8e0a-1d2bbdd96e36";
    listenAddress = "[::]:4778"; # 4778 - grrt

    builtinPlugins = [ "download-commands" "hooks" ];
    plugins = [ gerritPlugins.owners ];

    settings = {
      core = {
        packedGitLimit = "100m";
      };

      # Structured logs only; the plain-text log is switched off.
      log = {
        jsonLogging = true;
        textLogging = false;
      };

      sshd = {
        advertisedAddress = "code.tvl.fyi:29418";
      };

      hooks = {
        path = "${gerritHooks}";
      };

      # Browser sessions stay valid for three months. NOTE(review): this
      # is the window in which a leaked session cookie remains usable, so
      # the value is a deliberate convenience/exposure trade-off.
      cache = {
        web_sessions.maxAge = "3 months";
      };

      # Gerrit sits behind nginx; the proxy-https listen URL tells it to
      # treat incoming connections as already TLS-terminated, as per
      # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
      gerrit = {
        canonicalWebUrl = "https://cl.tvl.fyi";
      };
      httpd = {
        listenUrl = "proxy-https://${cfg.listenAddress}";
      };

      download = {
        command = [ "checkout" "cherry_pick" "format_patch" "pull" ];
      };

      # Code browsing links point at Sourcegraph rather than cgit. The
      # "\${...}" sequences are Gerrit's own placeholders, not Nix
      # interpolation, hence the escaping.
      gitweb = {
        type = "custom";
        url = "https://cs.tvl.fyi";
        linkname = "Sourcegraph";
        project = "/depot";
        revision = "/depot/-/commit/\${commit}";
        branch = "/depot@\${branch}";
        tag = "/depot@\${tag}";
        roottree = "/depot@\${commit}";
        file = "/depot@\${commit}/-/blob/\${file}";
        filehistory = "/depot@\${commit}/-/blob/\${file}#&tab=history";
      };

      # Authentication is delegated to the OpenLDAP instance on this host.
      # The directory is addressed over plain ldap:// on localhost only;
      # nothing here would protect that traffic if the server moved off-host.
      auth = {
        type = "LDAP";
      };
      ldap = {
        server = "ldap://localhost";
        accountBase = "ou=users,dc=tvl,dc=fyi";
        accountPattern = "(&(objectClass=organizationalPerson)(cn=\${username}))";
        accountFullName = "displayName";
        accountEmailAddress = "mail";
        accountSshUserName = "cn";
        groupBase = "ou=groups,dc=tvl,dc=fyi";
        # TODO(tazjin): Assuming this is what we'll be doing ...
        groupMemberPattern = "(&(objectClass=group)(member=\${dn}))";
      };

      # Outbound mail goes to a local relay on port 2525 without TLS; the
      # relay currently forwards via the tazj.in domain's GSuite.
      #
      # sendemail.smtpPass lives in $site_path/etc/secure.config and is
      # *not* managed by Nix, so it never lands in the store.
      #
      # Inbound mail is not supported.
      sendemail = {
        enable = true;
        html = false;
        connectTimeout = "10sec";
        from = "TVL Code Review <tvlbot@tazj.in>";
        includeDiff = true;
        smtpEncryption = "none";
        smtpServer = "localhost";
        smtpServerPort = 2525;
      };
    };
  };

  systemd.services.gerrit.serviceConfig = {
    # There seems to be no easy way to get `DynamicUser` to play well
    # with other services (e.g. by using SupplementaryGroups, which seem
    # to have no effect), so the Gerrit unit is forced off DynamicUser
    # and runs as the pre-existing 'git' user instead. This means Gerrit
    # shares that user's file permissions with anything else running as
    # 'git' on the host.
    DynamicUser = lib.mkForce false;
    User = "git";
    Group = "git";
  };
}