infra/services/gerrit/default.nix


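# Gerrit configuration for the Nixpkgs monorepo
# Inspired from TVL configuration.
#
# Exposes a small `bagel.services.gerrit` option set; when enabled it
# drives the upstream `services.gerrit` NixOS module, opens the SSH port
# in the firewall, bind-mounts the data directory if it lives elsewhere,
# and pins the service to the static `git` user instead of DynamicUser.
{ pkgs, config, lib, ... }:
let
  inherit (lib) mkEnableOption mkForce mkIf mkOption types;
  cfgGerrit = config.services.gerrit;
  cfg = config.bagel.services.gerrit;
  # Location the Gerrit site is expected at; `cfg.data` is bind-mounted
  # here when it points somewhere else.
  gerritHome = "/var/lib/gerrit";
in
{
  options.bagel.services.gerrit = {
    enable = mkEnableOption "Gerrit";
    domains = mkOption {
      type = types.listOf types.str;
      # Not read anywhere in this file; presumably consumed by ./www.nix
      # for the reverse-proxy vhosts — verify there.
      description = "List of domains that Gerrit will answer to";
    };
    data = mkOption {
      type = types.path;
      default = gerritHome;
      description = "Root of data directory for the Gerrit";
    };
  };

  imports = [
    ./www.nix
  ];

  config = mkIf cfg.enable {
    # Only Gerrit's SSH port is opened. The HTTP listener below binds to
    # all interfaces, so it is reachable only via the reverse proxy as
    # long as the firewall stays enabled.
    networking.firewall.allowedTCPPorts = [ 29418 ];

    # `types.path` accepts both strings and path literals, and a Nix path
    # value never compares equal to a string, so normalise with `toString`
    # before deciding whether a bind mount is needed. `device` must be a
    # string as well.
    fileSystems.${gerritHome} = mkIf (toString cfg.data != gerritHome) {
      device = toString cfg.data;
      options = [ "bind" ];
    };

    # Static service account; see the systemd override at the bottom for
    # why DynamicUser is not used.
    users.users.git = {
      isSystemUser = true;
      group = "git";
    };
    users.groups.git = {};

    services.gerrit = {
      enable = true;
      listenAddress = "[::]:4778"; # 4778 - grrt
      serverId = "9e5216ad-038d-4d74-a4e8-716515834a94";
      builtinPlugins = [
        "gitiles"
        "codemirror-editor"
        "reviewnotes"
        "download-commands"
        "hooks"
        "replication"
        "webhooks"
      ];
      plugins = with pkgs.gerritPlugins; [
        oauth
      ];
      package = pkgs.gerrit;
      jvmHeapLimit = "32g";
      # In some NixOS channel bump, the default version of OpenJDK has
      # changed to one that is incompatible with our current version of
      # Gerrit.
      #
      # TODO(tazjin): Update Gerrit and remove this when possible.
      jvmPackage = pkgs.openjdk17_headless;

      settings = {
        # Sizing / resource limits.
        sshd.threads = 64;
        sshd.batchThreads = 8;
        gc.interval = "1 day";
        database.poolLimit = "250";
        database.poolMaxIdle = 16;
        http.maxThreads = 100;
        core.packedGitLimit = "4g";
        core.packedGitWindowSize = "16k";
        core.packedGitOpenFiles = "4096";
        receive.timeout = "4min";
        transfer.timeout = "4min";
        pack.threads = "8";

        # Structured (JSON) logs only; the plain-text log is disabled.
        log.jsonLogging = true;
        log.textLogging = false;

        sshd.advertisedAddress = "cl.forkos.org:29418";

        # Browser sessions stay valid for three months. A shorter value
        # narrows the window in which a leaked session cookie is usable,
        # at the cost of more frequent re-authentication.
        cache.web_sessions.maxAge = "3 months";

        # Plugins can only be installed from the site path on disk, never
        # uploaded through the REST/SSH API.
        plugins.allowRemoteAdmin = false;

        change.enableAttentionSet = true;
        change.enableAssignee = false;

        # Configures gerrit for being reverse-proxied by nginx as per
        # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
        gerrit = {
          canonicalWebUrl = "https://cl.forkos.org";
          docUrl = "/Documentation";
        };
        # With the `proxy-https://` scheme Gerrit builds its URLs from the
        # proxy's forwarded headers (see the document linked above), which
        # is why the listener must not be exposed directly.
        httpd.listenUrl = "proxy-https://${cfgGerrit.listenAddress}";

        download.command = [
          "checkout"
          "cherry_pick"
          "format_patch"
          "pull"
        ];

        # Auto-link other CLs
        commentlink.gerrit = {
          match = "cl/(\\d+)";
          link = "https://cl.forkos.org/$1";
        };

        # Configures integration with Keycloak, which then integrates with a
        # variety of backends.
        auth.type = "OAUTH";
        plugin.gerrit-oauth-provider-keycloak-oauth = {
          root-url = "https://identity.lix.systems";
          realm = "lix-project";
          client-id = "raito-gerrit-testing";
          # client-secret is set in /var/lib/gerrit/etc/secure.config, so it
          # never ends up in the Nix store.
        };

        plugin.code-owners = {
          # A Code-Review +2 vote is required from a code owner.
          requiredApproval = "Code-Review+2";
          # The OWNERS check can be overriden using an Owners-Override vote.
          overrideApproval = "Owners-Override+1";
          # People implicitly approve their own changes automatically.
          # NOTE(review): this means a code owner's own upload satisfies the
          # owners check without a second reviewer — confirm that is intended.
          enableImplicitApprovals = "TRUE";
        };

        # Allow users to add additional email addresses to their accounts.
        oauth.allowRegisterNewEmail = true;

        # Use Gerrit's built-in HTTP passwords, rather than trying to use the
        # password against the backing OAuth provider.
        auth.gitBasicAuthPolicy = "HTTP";

        # Email sending (emails are relayed via the tazj.in domain's
        # GSuite currently).
        #
        # Note that sendemail.smtpPass is stored in
        # $site_path/etc/secure.config and is *not* controlled by Nix.
        #
        # Receiving email is not currently supported.
        sendemail.enable = false;
        #sendemail = {
        #  enable = false;
        #  html = false;
        #  connectTimeout = "10sec";
        #  from = "TVL Code Review <tvlbot@tazj.in>";
        #  includeDiff = true;
        #  smtpEncryption = "none";
        #  smtpServer = "localhost";
        #  smtpServerPort = 2525;
        #};
      };

      # Replication of the depot repository to secondary machines, for
      # serving cgit/josh.
      #replicationSettings = {
      #  gerrit.replicateOnStartup = true;
      #  remote.sanduny = {
      #    url = "depot@sanduny.tvl.su:/var/lib/depot";
      #    projects = "depot";
      #  };
      #};
    };

    systemd.services.gerrit = {
      serviceConfig = {
        # There seems to be no easy way to get `DynamicUser` to play
        # well with other services (e.g. by using SupplementaryGroups,
        # which seem to have no effect) so we force the DynamicUser
        # setting for the Gerrit service to be disabled and reuse the
        # existing 'git' user.
        DynamicUser = mkForce false;
        User = "git";
        Group = "git";
      };
    };
  };
}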