modules/common/gerrit.nix

{ pkgs, config, lib, base, system, gerrit-oauth, ... }:
let cfg = config.services.gerrit;
in lib.recursiveUpdate {
  users.users.gerrit = {
    isSystemUser = true;
    createHome = true;
    home = "/var/lib/gerrit";
    group = config.users.groups.gerrit.name;
    shell = pkgs.bashInteractive;
  };
  users.groups.gerrit = { };

  systemd.services.gerrit.serviceConfig.User = "gerrit";
  systemd.services.gerrit.serviceConfig.Group = "gerrit";
  systemd.services.gerrit.serviceConfig.DynamicUser = lib.mkForce false;

  services.gerrit = {
    enable = true;

    settings = {
      accounts = {
        visibility = "SAME_GROUP";
        defaultDisplayName = "FULL_NAME";
      };
      addReviewer = {
        maxWithoutConfirmation = 3;
        maxAllowed = 10;
      };
      auth = {
        type = "OAUTH";
        registerEmailPrivateKey = "!!gerrit_email_private_key!!";
        userNameCaseInsensitive = true;
        gitBasicAuthPolicy = "HTTP";
      };
      plugin."gerrit-oauth-provider-keycloak-oauth" = {
        root-url = "https://login.clicks.codes";
        realm = "master";
        client-id = "git";
        client-secret = "!!gerrit_oauth_client_secret!!";
        use-preferred-username = true;
      };
      change = {
        topicLimit = 0;
        mergeabilityComputationBehavior = "API_REF_UPDATED_AND_CHANGE_REINDEX";
        sendNewPatchsetEmails = false;
        showAssigneeInChangesTable = true;
        submitWholeTopic = true;
        diff3ConflictView = true;
      };
      changeCleanup = {
        abandonAfter = "3 weeks";
        abandonMessage =
          "This change was abandoned due to 3 weeks of inactivity. If you still want it, please restore it";
        startTime = "00:00";
        interval = "1 day";
      };
      attentionSet = {
        readdAfter = "1 week";
        readdMessage =
          "I've given the owner a *ping* as nothing has happened for a week. If in two weeks time the change is still inactive, I'll abandon it for you. If you still want it, please do something before then";
        startTime = "00:00";
        interval = "1 day";
      };
      commentlink.gerrit = {
        match = "(I[0-9a-f]{8,40})";
        link = "/q/$1";
      };
      gc = {
        aggressive = true;
        startTime = "Sun 00:00";
        interval = "1 week";
      };
      gerrit = {
        basePath = "/var/lib/gerrit/repos";
        defaultBranch = "refs/heads/main";
        canonicalWebUrl = "https://git.clicks.codes/";
        canonicalGitUrl = "ssh://ssh.clicks.codes/";
        gitHttpUrl = "https://git.clicks.codes/";
        reportBugUrl =
          "https://discord.gg/bPaNnxe"; # TODO: kinda obnoxious, better to setup openproject
        enablePeerIPInReflogRecord = true;
        instanceId = "clicks";
        instanceName = "Clicks Gerrit";
      };
      mimetype = lib.pipe [ "image/*" "video/*" "application/pdf" ] [
        (map (name: {
          inherit name;
          value.safe = true;
        }))
        builtins.listToAttrs
      ];
      sendemail = {
        enable = true;
        smtpServer = "mail.clicks.codes";
        smtpUser = "git";
        smtpPass = "!!gerrit_email_password!!";
      };
      receiveemail = {
        enable = true;
        protocol = "IMAP";
        host = "mail.clicks.codes";
        username = "git@clicks.codes";
        password = "!!gerrit_email_password!!";
        encryption = "SSL";
        enableImapIdle = true;
      };
      sshd.advertisedAddress = "ssh.clicks.codes:29418";
      user = {
        name = "Clicks Gerrit";
        email = "git@clicks.codes";
        anonymousCoward = "Anonymous";
      };
      httpd.listenUrl = "proxy-https://${cfg.listenAddress}";
    };

    plugins = [
      (builtins.path { path = gerrit-oauth; name = "oauth.jar"; })
    ];
    builtinPlugins = [
      "codemirror-editor"
      "commit-message-length-validator"
      "delete-project"
      "download-commands"
      "gitiles"
      "hooks"
      "reviewnotes"
      "singleusergroup"
      "webhooks"
    ];
    serverId = "45f277d0-fce7-43b7-9eb3-2e3234e0110f";

    listenAddress = "127.0.0.255:1024";
  };

  sops.secrets = {
    gerrit_email_private_key = {
      mode = "0400";
      owner = config.users.users.root.name;
      group = config.users.users.root.group;
      sopsFile = ../../secrets/gerrit.json;
      format = "json";
    };
    gerrit_oauth_client_secret = {
      mode = "0400";
      owner = config.users.users.root.name;
      group = config.users.users.root.group;
      sopsFile = ../../secrets/gerrit.json;
      format = "json";
    };
    gerrit_email_password = {
      mode = "0400";
      owner = config.users.users.root.name;
      group = config.users.users.root.group;
      sopsFile = ../../secrets/gerrit.json;
      format = "json";
    };
  };
} (let isDerived = base != null;
in if isDerived then
  let
    gerrit_cfgfile =
      pkgs.writeText "gerrit.conf" (lib.generators.toGitINI cfg.settings);
  in {
    scalpel.trafos."gerrit.conf" = {
      source = toString gerrit_cfgfile;
      matchers."gerrit_email_private_key".secret =
        config.sops.secrets.gerrit_email_private_key.path;
      matchers."gerrit_oauth_client_secret".secret =
        config.sops.secrets.gerrit_oauth_client_secret.path;
      matchers."gerrit_email_password".secret =
        config.sops.secrets.gerrit_email_password.path;
      owner = config.users.users.root.name;
      group = "gerrit";
      mode = "0040";
    };

    systemd.services.gerrit.preStart =
      base.config.systemd.services.gerrit.preStart + ''
        rm etc/gerrit.config
        ln -sfv ${
          config.scalpel.trafos."gerrit.conf".destination
        } etc/gerrit.config
      '';
  }
else
  { })