| Skyler Grey | 08758a6 | 2023-10-09 07:35:09 +0000 | [diff] [blame] | 1 | { pkgs, config, lib, base, system, ... }: let |
| 2 | cfg = config.services.gerrit; |
| 3 | in lib.recursiveUpdate |
| 4 | { |
| 5 | sops.secrets.clicks_gerrit_db_password = { |
| 6 | mode = lib.mkForce "0440"; |
| 7 | group = lib.mkForce "gerrit"; |
| 8 | }; |
| 9 | |
| 10 | users.users.gerrit = { |
| 11 | isSystemUser = true; |
| 12 | createHome = true; |
| 13 | home = "/var/lib/gerrit"; |
| 14 | group = config.users.groups.gerrit.name; |
| 15 | shell = pkgs.bashInteractive; |
| 16 | }; |
| 17 | users.groups.gerrit = {}; |
| 18 | |
| 19 | systemd.services.gerrit.serviceConfig.User = "gerrit"; |
| 20 | systemd.services.gerrit.serviceConfig.Group = "gerrit"; |
| 21 | systemd.services.gerrit.serviceConfig.DynamicUser = lib.mkForce false; |
| 22 | |
| 23 | services.gerrit = { |
| 24 | enable = true; |
| 25 | |
| 26 | /* jvmOpts = [ |
| 27 | "-Djava.class.path=${pkgs.postgresql_jdbc}/share/java" |
| 28 | ]; */ |
| 29 | |
| 30 | settings = { |
| 31 | # accountPatchReviewDb.url = "postgresql://localhost:${toString config.services.postgresql.port}/gerrit?user=gerrit&password=!!gerrit_database_password!!"; |
| 32 | accounts = { |
| 33 | visibility = "SAME_GROUP"; |
| 34 | defaultDisplayName = "USERNAME"; |
| 35 | }; |
| 36 | addReviewer = { |
| 37 | maxWithoutConfirmation = 3; |
| 38 | maxAllowed = 10; |
| 39 | }; |
| 40 | auth = { |
| 41 | type = "OAUTH"; |
| 42 | registerEmailPrivateKey = "!!gerrit_email_private_key!!"; |
| 43 | userNameCaseInsensitive = true; |
| 44 | gitBasicAuthPolicy = "HTTP"; |
| 45 | }; |
| 46 | plugin."gerrit-oauth-provider-keycloak-oauth" = { |
| 47 | root-url = "https://login.clicks.codes"; |
| 48 | realm = "clicks"; |
| 49 | client-id = "git"; |
| 50 | client-secret = "!!gerrit_oauth_client_secret!!"; |
| 51 | use-preferred-username = true; |
| 52 | }; |
| 53 | change = { |
| 54 | topicLimit = 0; |
| 55 | mergeabilityComputationBehavior = "API_REF_UPDATED_AND_CHANGE_REINDEX"; |
| 56 | sendNewPatchsetEmails = false; |
| 57 | showAssigneeInChangesTable = true; |
| 58 | submitWholeTopic = true; |
| 59 | diff3ConflictView = true; |
| 60 | }; |
| 61 | changeCleanup = { |
| 62 | abandonAfter = "3 weeks"; |
| 63 | abandonMessage = "This change was abandoned due to 3 weeks of inactivity. If you still want it, please restore it"; |
| 64 | startTime = "00:00"; |
| 65 | interval = "1 day"; |
| 66 | }; |
| 67 | attentionSet = { |
| 68 | readdAfter = "1 week"; |
| 69 | readdMessage = "I've given the owner a *ping* as nothing has happened for a week. If in two weeks time the change is still inactive, I'll abandon it for you. If you still want it, please do something before then"; |
| 70 | startTime = "00:00"; |
| 71 | interval = "1 day"; |
| 72 | }; |
| 73 | commentlink.gerrit = { |
| 74 | match = "(I[0-9a-f]{8,40})"; |
| 75 | link = "/q/$1"; |
| 76 | }; |
| 77 | gc = { |
| 78 | aggressive = true; |
| 79 | startTime = "Sun 00:00"; |
| 80 | interval = "1 week"; |
| 81 | }; |
| 82 | gerrit = { |
| 83 | basePath = "/var/lib/gerrit/repos"; |
| 84 | defaultBranch = "refs/heads/main"; |
| 85 | canonicalWebUrl = "https://git.clicks.codes/"; |
| 86 | canonicalGitUrl = "ssh://ssh.clicks.codes/"; |
| 87 | gitHttpUrl = "https://git.clicks.codes/"; |
| 88 | reportBugUrl = "https://discord.gg/bPaNnxe"; # TODO: kinda obnoxious, better to setup bugzilla/similar |
| 89 | enablePeerIPInReflogRecord = true; |
| 90 | instanceId = "a1d1"; |
| 91 | instanceName = "a1d1.clicks"; |
| 92 | }; |
| 93 | mimetype = lib.pipe [ "image/*" "video/*" "application/pdf" ] [ |
| 94 | (map (name: { inherit name; value.safe = true; })) |
| 95 | builtins.listToAttrs |
| 96 | ]; |
| 97 | receive.enableSignedPush = true; |
| 98 | sendemail.enable = false; # TODO: add credentials to git@clicks.codes |
| 99 | sshd.advertisedAddress = "ssh.clicks.codes:29418"; |
| 100 | user = { |
| 101 | name = "Clicks Gerrit"; |
| 102 | email = "git@clicks.codes"; |
| 103 | anonymousCoward = "Anonymous"; |
| 104 | }; |
| 105 | httpd.listenUrl = "proxy-https://${cfg.listenAddress}"; |
| 106 | }; |
| 107 | |
| 108 | plugins = [ ( |
| 109 | derivation { |
| 110 | name = "oauth.jar"; # HACK: wrapping a derivation in a derivation to rename it seems like a bad hack... but bazel would not build if I didn't (I think because it didn't like the .jar extension...) check why though? |
| 111 | src = ( |
| 112 | pkgs.buildBazelPackage { |
| 113 | __noChroot = true; # FIXME: terrible, horrible, no good, very bad |
| 114 | # name = "gerrit-oauth-provider.jar"; |
| 115 | pname = "gerrit-oauth-provider.jar"; |
| 116 | version = "unstable-2023-10-08"; |
| 117 | src = pkgs.fetchgit { |
| 118 | url = "https://gerrit.googlesource.com/plugins/oauth"; |
| 119 | rev = "1b3cc407cb2571d08601ab852e6e01f82d27160f"; |
| 120 | hash = "sha256-yC/8qnkDbfIujl+Cvamr+EQSwto1DcIUWXh5cwDEZHo="; |
| 121 | deepClone = true; # FIXME: this bazel build uses some git stuff, maybe we should try replacing with fakegit? |
| 122 | }; |
| 123 | bazelTargets = [ "oauth" ]; |
| 124 | bazel = pkgs.bazel_4; |
| 125 | buildAttrs = {}; |
| 126 | fetchAttrs.sha256 = "sha256-i5wOTn2NqqgJf4TCIqaCucpXu+5Vm5C84UPrGYFMSzc="; |
| 127 | |
| 128 | postUnpack = '' |
| 129 | echo "4.2.2" > */.bazelversion # nixpkgs only has certain bazel versions, so let's upgrade the patch of this one |
| 130 | ''; |
| 131 | |
| 132 | buildInputs = with pkgs; [ |
| 133 | git |
| 134 | curl |
| 135 | jdk11 |
| 136 | ]; |
| 137 | |
| 138 | postInstall = '' |
| 139 | cp bazel-bin/oauth.jar $out |
| 140 | ''; |
| 141 | } |
| 142 | ); |
| 143 | builder = "/bin/sh"; |
| 144 | args = [ "-c" "${pkgs.coreutils}/bin/cp $src $out" ]; |
| 145 | inherit system; |
| 146 | } |
| 147 | ) ]; |
| 148 | builtinPlugins = [ "codemirror-editor" "commit-message-length-validator" "delete-project" "download-commands" "gitiles" "hooks" "reviewnotes" "singleusergroup" "webhooks" ]; |
| 149 | serverId = "45f277d0-fce7-43b7-9eb3-2e3234e0110f"; |
| 150 | |
| 151 | listenAddress = "127.0.0.255:1000"; |
| 152 | }; |
| 153 | |
| 154 | nix.settings.sandbox = "relaxed"; # FIXME: terrible, horrible, no good, very bad, here to support buildBazelPackage's use of cURL |
| 155 | |
| 156 | sops.secrets = { |
| 157 | gerrit_email_private_key = { |
| 158 | mode = "0400"; |
| 159 | owner = config.users.users.root.name; |
| 160 | group = config.users.users.nobody.group; |
| 161 | sopsFile = ../secrets/gerrit.json; |
| 162 | format = "json"; |
| 163 | }; |
| 164 | gerrit_oauth_client_secret = { |
| 165 | mode = "0400"; |
| 166 | owner = config.users.users.root.name; |
| 167 | group = config.users.users.nobody.group; |
| 168 | sopsFile = ../secrets/gerrit.json; |
| 169 | format = "json"; |
| 170 | }; |
| 171 | }; |
| 172 | } |
| 173 | ( |
| 174 | let |
| 175 | isDerived = base != null; |
| 176 | in |
| 177 | if isDerived |
| 178 | then |
| 179 | let |
| 180 | gerrit_cfgfile = pkgs.writeText "gerrit.conf" ( |
| 181 | lib.generators.toGitINI cfg.settings |
| 182 | ); |
| 183 | in |
| 184 | { |
| 185 | scalpel.trafos."gerrit.conf" = { |
| 186 | source = toString gerrit_cfgfile; |
| 187 | matchers."gerrit_email_private_key".secret = |
| 188 | config.sops.secrets.gerrit_email_private_key.path; |
| 189 | matchers."gerrit_oauth_client_secret".secret = |
| 190 | config.sops.secrets.gerrit_oauth_client_secret.path; |
| 191 | owner = config.users.users.nobody.name; |
| 192 | group = "gerrit"; |
| 193 | mode = "0040"; |
| 194 | }; |
| 195 | |
| 196 | systemd.services.gerrit.preStart = base.config.systemd.services.gerrit.preStart + '' |
| 197 | rm etc/gerrit.config |
| 198 | ln -sfv ${config.scalpel.trafos."gerrit.conf".destination} etc/gerrit.config |
| 199 | ''; |
| 200 | } |
| 201 | else {} |
| 202 | ) |