nix flake update

- this includes helpers change Ie1b0edbbb126c6cd6dcd8f0b4fd0cc829ee2b00c
- this updates nixpkgs. Likely this will be the final update before 23.11
- this fixes issues encountered while updating. These were
  - missing URL for richdocumentscode
  - replace fragile gerrit oauth plugin bazel build with prebuilt jar
  - remove mongodb, as it is broken
  - remove references to "nobody" group. For sops secrets, replace these with
    "root"

Change-Id: I997f6067ea58b5996c6a386e6f4bf376fc458421
diff --git a/modules/gerrit.nix b/modules/gerrit.nix
index 6c0749c..36bc1cd 100644
--- a/modules/gerrit.nix
+++ b/modules/gerrit.nix
@@ -112,40 +112,9 @@
     };
 
     plugins = [
-      (derivation {
-        name =
-          "oauth.jar"; # HACK: wrapping a derivation in a derivation to rename it seems like a bad hack... but bazel would not build if I didn't (I think because it didn't like the .jar extension...) check why though?
-        src = (pkgs.buildBazelPackage {
-          __noChroot = true; # FIXME: terrible, horrible, no good, very bad
-          # name = "gerrit-oauth-provider.jar";
-          pname = "gerrit-oauth-provider.jar";
-          version = "unstable-2023-10-08";
-          src = pkgs.fetchgit {
-            url = "https://gerrit.googlesource.com/plugins/oauth";
-            rev = "1b3cc407cb2571d08601ab852e6e01f82d27160f";
-            hash = "sha256-yC/8qnkDbfIujl+Cvamr+EQSwto1DcIUWXh5cwDEZHo=";
-            deepClone =
-              true; # FIXME: this bazel build uses some git stuff, maybe we should try replacing with fakegit?
-          };
-          bazelTargets = [ "oauth" ];
-          bazel = pkgs.bazel_4;
-          buildAttrs = { };
-          fetchAttrs.sha256 =
-            "sha256-i5wOTn2NqqgJf4TCIqaCucpXu+5Vm5C84UPrGYFMSzc=";
-
-          postUnpack = ''
-            echo "4.2.2" > */.bazelversion  # nixpkgs only has certain bazel versions, so let's upgrade the patch of this one
-          '';
-
-          buildInputs = with pkgs; [ git curl jdk11 ];
-
-          postInstall = ''
-            cp bazel-bin/oauth.jar $out
-          '';
-        });
-        builder = "/bin/sh";
-        args = [ "-c" "${pkgs.coreutils}/bin/cp $src $out" ];
-        inherit system;
+      (pkgs.fetchurl {
+        url = "https://gerrit-ci.gerritforge.com/job/plugin-oauth-bazel-master-master/55/artifact/bazel-bin/plugins/oauth/oauth.jar";
+        hash = "sha256-Qil1CIh/+XC15rKfW0iYR9u370eF2TXnCNSmQfr+7/8=";
       })
     ];
     builtinPlugins = [
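Review bot: The `fetchurl` entry in `plugins` pins the bytes of `oauth.jar` by hash but records nothing about the source it was built from, whereas the removed derivation pinned a plugin `rev`. Because this jar handles OAuth login, a comment above `url` would let a later reviewer audit or reproduce the binary, for example `# prebuilt from plugins/oauth @ <PLUGIN_COMMIT_PLACEHOLDER> (Jenkins build 55); check compatibility with the deployed Gerrit version`. The job name suggests the build targets Gerrit master, so compatibility with the packaged Gerrit release is worth confirming. CI servers commonly expire old build artifacts, so the URL may stop resolving after the store path is garbage-collected; mirroring the jar somewhere the project controls would avoid that. The enclosing attribute set starts outside the hunk.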
@@ -164,21 +133,18 @@
     listenAddress = "127.0.0.255:1000";
   };
 
-  nix.settings.sandbox =
-    "relaxed"; # FIXME: terrible, horrible, no good, very bad, here to support buildBazelPackage's use of cURL
-
   sops.secrets = {
     gerrit_email_private_key = {
       mode = "0400";
       owner = config.users.users.root.name;
-      group = config.users.users.nobody.group;
+      group = config.users.users.root.group;
       sopsFile = ../secrets/gerrit.json;
       format = "json";
     };
     gerrit_oauth_client_secret = {
       mode = "0400";
       owner = config.users.users.root.name;
-      group = config.users.users.nobody.group;
+      group = config.users.users.root.group;
       sopsFile = ../secrets/gerrit.json;
       format = "json";
     };
@@ -195,7 +161,7 @@
         config.sops.secrets.gerrit_email_private_key.path;
       matchers."gerrit_oauth_client_secret".secret =
         config.sops.secrets.gerrit_oauth_client_secret.path;
-      owner = config.users.users.nobody.name;
+      owner = config.users.users.root.name;
       group = "gerrit";
       mode = "0040";
     };