Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / 8006dab7fe6f1ba9a4db7187b794f76e9f54660b / . / modules / gerrit.nix
blob: 6c0749ca068dc26c11f9e69725c92717a8744e6a [file] [log] [blame]
{ pkgs, config, lib, base, system, ... }:
let cfg = config.services.gerrit;
in lib.recursiveUpdate {
sops.secrets.clicks_gerrit_db_password = {
mode = lib.mkForce "0440";
group = lib.mkForce "gerrit";
};
users.users.gerrit = {
isSystemUser = true;
createHome = true;
home = "/var/lib/gerrit";
group = config.users.groups.gerrit.name;
shell = pkgs.bashInteractive;
};
users.groups.gerrit = { };
systemd.services.gerrit.serviceConfig.User = "gerrit";
systemd.services.gerrit.serviceConfig.Group = "gerrit";
systemd.services.gerrit.serviceConfig.DynamicUser = lib.mkForce false;
services.gerrit = {
enable = true;
/* jvmOpts = [
"-Djava.class.path=${pkgs.postgresql_jdbc}/share/java"
];
*/
settings = {
# accountPatchReviewDb.url = "postgresql://localhost:${toString config.services.postgresql.port}/gerrit?user=gerrit&password=!!gerrit_database_password!!";
accounts = {
visibility = "SAME_GROUP";
defaultDisplayName = "USERNAME";
};
addReviewer = {
maxWithoutConfirmation = 3;
maxAllowed = 10;
};
auth = {
type = "OAUTH";
registerEmailPrivateKey = "!!gerrit_email_private_key!!";
userNameCaseInsensitive = true;
gitBasicAuthPolicy = "HTTP";
};
plugin."gerrit-oauth-provider-keycloak-oauth" = {
root-url = "https://login.clicks.codes";
realm = "clicks";
client-id = "git";
client-secret = "!!gerrit_oauth_client_secret!!";
use-preferred-username = true;
};
change = {
topicLimit = 0;
mergeabilityComputationBehavior = "API_REF_UPDATED_AND_CHANGE_REINDEX";
sendNewPatchsetEmails = false;
showAssigneeInChangesTable = true;
submitWholeTopic = true;
diff3ConflictView = true;
};
changeCleanup = {
abandonAfter = "3 weeks";
abandonMessage =
"This change was abandoned due to 3 weeks of inactivity. If you still want it, please restore it";
startTime = "00:00";
interval = "1 day";
};
attentionSet = {
readdAfter = "1 week";
readdMessage =
"I've given the owner a *ping* as nothing has happened for a week. If in two weeks time the change is still inactive, I'll abandon it for you. If you still want it, please do something before then";
startTime = "00:00";
interval = "1 day";
};
commentlink.gerrit = {
match = "(I[0-9a-f]{8,40})";
link = "/q/$1";
};
gc = {
aggressive = true;
startTime = "Sun 00:00";
interval = "1 week";
};
gerrit = {
basePath = "/var/lib/gerrit/repos";
defaultBranch = "refs/heads/main";
canonicalWebUrl = "https://git.clicks.codes/";
canonicalGitUrl = "ssh://ssh.clicks.codes/";
gitHttpUrl = "https://git.clicks.codes/";
reportBugUrl =
"https://discord.gg/bPaNnxe"; # TODO: kinda obnoxious, better to setup bugzilla/similar
enablePeerIPInReflogRecord = true;
instanceId = "a1d1";
instanceName = "a1d1.clicks";
};
mimetype = lib.pipe [ "image/*" "video/*" "application/pdf" ] [
(map (name: {
inherit name;
value.safe = true;
}))
builtins.listToAttrs
];
receive.enableSignedPush = true;
sendemail.enable = false; # TODO: add credentials to git@clicks.codes
sshd.advertisedAddress = "ssh.clicks.codes:29418";
user = {
name = "Clicks Gerrit";
email = "git@clicks.codes";
anonymousCoward = "Anonymous";
};
httpd.listenUrl = "proxy-https://${cfg.listenAddress}";
};
plugins = [
(derivation {
name =
"oauth.jar"; # HACK: wrapping a derivation in a derivation to rename it seems like a bad hack... but bazel would not build if I didn't (I think because it didn't like the .jar extension...) check why though?
src = (pkgs.buildBazelPackage {
__noChroot = true; # FIXME: terrible, horrible, no good, very bad
# name = "gerrit-oauth-provider.jar";
pname = "gerrit-oauth-provider.jar";
version = "unstable-2023-10-08";
src = pkgs.fetchgit {
url = "https://gerrit.googlesource.com/plugins/oauth";
rev = "1b3cc407cb2571d08601ab852e6e01f82d27160f";
hash = "sha256-yC/8qnkDbfIujl+Cvamr+EQSwto1DcIUWXh5cwDEZHo=";
deepClone =
true; # FIXME: this bazel build uses some git stuff, maybe we should try replacing with fakegit?
};
bazelTargets = [ "oauth" ];
bazel = pkgs.bazel_4;
buildAttrs = { };
fetchAttrs.sha256 =
"sha256-i5wOTn2NqqgJf4TCIqaCucpXu+5Vm5C84UPrGYFMSzc=";
postUnpack = ''
echo "4.2.2" > */.bazelversion # nixpkgs only has certain bazel versions, so let's upgrade the patch of this one
'';
buildInputs = with pkgs; [ git curl jdk11 ];
postInstall = ''
cp bazel-bin/oauth.jar $out
'';
});
builder = "/bin/sh";
args = [ "-c" "${pkgs.coreutils}/bin/cp $src $out" ];
inherit system;
})
];
builtinPlugins = [
"codemirror-editor"
"commit-message-length-validator"
"delete-project"
"download-commands"
"gitiles"
"hooks"
"reviewnotes"
"singleusergroup"
"webhooks"
];
serverId = "45f277d0-fce7-43b7-9eb3-2e3234e0110f";
listenAddress = "127.0.0.255:1000";
};
nix.settings.sandbox =
"relaxed"; # FIXME: terrible, horrible, no good, very bad, here to support buildBazelPackage's use of cURL
sops.secrets = {
gerrit_email_private_key = {
mode = "0400";
owner = config.users.users.root.name;
group = config.users.users.nobody.group;
sopsFile = ../secrets/gerrit.json;
format = "json";
};
gerrit_oauth_client_secret = {
mode = "0400";
owner = config.users.users.root.name;
group = config.users.users.nobody.group;
sopsFile = ../secrets/gerrit.json;
format = "json";
};
};
} (let isDerived = base != null;
in if isDerived then
let
gerrit_cfgfile =
pkgs.writeText "gerrit.conf" (lib.generators.toGitINI cfg.settings);
in {
scalpel.trafos."gerrit.conf" = {
source = toString gerrit_cfgfile;
matchers."gerrit_email_private_key".secret =
config.sops.secrets.gerrit_email_private_key.path;
matchers."gerrit_oauth_client_secret".secret =
config.sops.secrets.gerrit_oauth_client_secret.path;
owner = config.users.users.nobody.name;
group = "gerrit";
mode = "0040";
};
systemd.services.gerrit.preStart =
base.config.systemd.services.gerrit.preStart + ''
rm etc/gerrit.config
ln -sfv ${
config.scalpel.trafos."gerrit.conf".destination
} etc/gerrit.config
'';
}
else
{ })