diff --git a/common/admins.nix b/common/admins.nix
index 685411e..951558e 100644
--- a/common/admins.nix
+++ b/common/admins.nix
@@ -7,5 +7,7 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
 "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFsZ7PMDt80tYXHyScQajNhqH4wuYg/o0OxfOHaZD4rXuT0VIKflKH1M9LslfHWIEH3XNeqhQOziH9r+Ny5JcM="
+ # k900
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOi9vgVGs+S5kEsUqHPvyMMh1Q9gqL4TcbHoe5d73tun"
 ];
 }
diff --git a/common/base-server.nix b/common/base-server.nix
index b93a24d..4bfa9bf 100644
--- a/common/base-server.nix
+++ b/common/base-server.nix
@@ -1,7 +1,7 @@ { lib, pkgs, ... }: { nixpkgs.overlays = import ../overlays; - nix.package = pkgs.lix; + nix.package = lib.mkDefault pkgs.lix; services.openssh.enable = lib.mkForce true; networking.firewall.enable = true;
diff --git a/common/raito-vm.nix b/common/raito-vm.nix
index f9adc7d..a758605 100644
--- a/common/raito-vm.nix
+++ b/common/raito-vm.nix
@@ -32,6 +32,7 @@ in systemd.network.enable = true; security.acme.defaults.email = "bagel-acme@lahfa.xyz"; security.acme.acceptTerms = true; + networking.useDHCP = lib.mkDefault false; systemd.network.networks."10-nat-lan" = { matchConfig.Name = "nat-lan";
diff --git a/common/sysadmin/default.nix b/common/sysadmin/default.nix
index f751705..8aa1110 100644
--- a/common/sysadmin/default.nix
+++ b/common/sysadmin/default.nix
@@ -17,6 +17,7 @@ in
 pv
 kitty.terminfo
 config.boot.kernelPackages.perf
+ bcc
 tcpdump
 ncdu
 ] ++ lib.optional (lib.hasAttr "pwru" pkgs) pkgs.pwru;
diff --git a/flake.nix b/flake.nix
index 1410682..6ca61d5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -74,7 +74,7 @@ inputs.hydra.nixosModules.hydra ./services - + ./common ./hosts/bagel-box ]; };
diff --git a/services/gerrit/default.nix b/services/gerrit/default.nix
index 44ca7ae..065534e 100644
--- a/services/gerrit/default.nix
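Review bot: `nix.package = lib.mkDefault pkgs.lix;` in the base-server.nix hunk lets any other imported module replace the Nix implementation silently, yet nothing records which host or module needs that override. A one-line comment above it naming the consumer would keep the intent visible, e.g. `# mkDefault: <host-or-module> pins its own nix.package` with the real name filled in. The enclosing attribute set continues outside the hunk.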
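Review bot: `bcc` in the sysadmin/default.nix hunk is taken from the bare package set, while `perf` two lines above comes from `config.boot.kernelPackages`; bcc is built against kernel headers, so the kernel-matched variant under `config.boot.kernelPackages` (if this nixpkgs provides `config.boot.kernelPackages.bcc`) would keep it consistent with perf and with the kernel actually booted. The list header is outside the hunk, so I am assuming the bare names resolve through a `with pkgs;` scope as `pv` and `ncdu` suggest.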
+++ b/services/gerrit/default.nix
@@ -28,6 +28,8 @@ in config = mkIf cfg.enable { networking.firewall.allowedTCPPorts = [ 29418 ]; + environment.systemPackages = [ pkgs.openjdk17_headless ]; + fileSystems."/var/lib/gerrit" = mkIf (cfg.data != "/var/lib/gerrit") { device = cfg.data; options = [ "bind" ];
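Review bot: `environment.systemPackages = [ pkgs.openjdk17_headless ];` duplicates the JVM chosen by `jvmPackage = pkgs.openjdk17_headless;` in the next hunk, so the two can drift apart when one is bumped. If `cfgGerrit` is `config.services.gerrit`, as `cfgGerrit.listenAddress` later in the file suggests, `environment.systemPackages = [ cfgGerrit.jvmPackage ];` keeps the system-wide JDK tied to the one Gerrit runs on. A short comment saying why a JDK must be on every login shell's PATH (presumably for running Gerrit's init or CLI tooling by hand — confirm) would also help. The `config = mkIf cfg.enable {` block continues past the hunk.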
@@ -70,18 +72,49 @@ in jvmPackage = pkgs.openjdk17_headless; settings = { + # Performance settings sshd.threads = 64; sshd.batchThreads = 8; + + gc.aggressive = true; gc.interval = "1 day"; - database.poolLimit = "250"; + + database.poolLimit = 250; database.poolMaxIdle = 16; - http.maxThreads = 100; - core.packedGitLimit = "4g"; - core.packedGitWindowSize = "16k"; - core.packedGitOpenFiles = "4096"; + + httpd.maxThreads = 100; + receive.timeout = "4min"; - transfer.timeout = "4min"; - pack.threads = "8"; + # Default is 0, infinite. + transfer.timeout = "30min"; + + # We may overshoot but it's OK. + core.packedGitWindowSize = "256k"; + # Sum of all current packfiles is ~1.2G + # Largest packfile is 906MB. + # Average packfile is ~5-10MB. + core.packedGitLimit = "1g"; + # We have plenty of memory, let's avoid file system cache → Gerrit needless copies. + core.packedGitUseStrongRefs = true; + core.packedGitOpenFiles = 4096; + # Big files in nixpkgs are usually lockfiles or machine-generated expressions + # containing a lot of hashes, they would weigh at most ~15MB. + core.streamFileThreshold = "20m"; + # `mmap()` rather than `mmap()+read()` at the risk of running out of virtual address space. + core.packedGitMmap = true; + + ## Takes more CPU but the transfer is smaller. + pack.deltacompression = false; + pack.threads = 8; + + # FIXME(raito): + # Are we supposed to have private / hidden references? + # For a public server, that seems unlikely. + # But, we should be careful with this option. + # https://gerrit-documentation.storage.googleapis.com/Documentation/3.9.5/config-gerrit.html#receive.checkReferencedObjectsAreReachable + receive.checkReferencedObjectsAreReachable = false; + + # Other settings log.jsonLogging = true; log.textLogging = false; sshd.advertisedAddress = "cl.forkos.org:29418"; 
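Review bot: The comment `## Takes more CPU but the transfer is smaller.` contradicts the value under it, `pack.deltacompression = false;`, which disables on-the-fly delta compression and therefore trades larger transfers for less CPU; either the value or the comment is wrong, and the comment should describe the trade-off of the value actually chosen. On the FIXME above `receive.checkReferencedObjectsAreReachable = false;`: even a public Gerrit has refs not everyone can read — `refs/meta/config` is readable by project owners only in the default ACL, and private changes hide their `refs/changes/*` — so with the check off a pusher can reference objects from refs they cannot read; I would keep the default unless push latency is measured to be a problem, and record that reasoning in the comment. The `settings = {` block continues outside the hunk.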
@@ -90,11 +123,18 @@ in change.enableAttentionSet = true; change.enableAssignee = false; + user = { + name = "ForkOS Gerrit"; + email = "gerrit@forkos.org"; + anonymousCoward = "ForkOS contributor"; + }; + # Configures gerrit for being reverse-proxied by nginx as per # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html gerrit = { canonicalWebUrl = "https://cl.forkos.org"; docUrl = "/Documentation"; + defaultBranch = "refs/heads/main"; }; httpd.listenUrl = "proxy-https://${cfgGerrit.listenAddress}";
diff --git a/services/gerrit/www.nix b/services/gerrit/www.nix
index 8ad815c..eaafabc 100644
--- a/services/gerrit/www.nix
+++ b/services/gerrit/www.nix
@@ -12,21 +12,30 @@ in add_header Permissions-Policy "interest-cohort=()"; ''; recommendedProxySettings = false; + commonHttpConfig = '' + log_format upstream_time '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"' + 'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'; + ''; }; services.nginx.virtualHosts.gerrit = { serverName = builtins.head cfg.domains; serverAliases = builtins.tail cfg.domains; enableACME = true; forceSSL = true; - extraConfig = '' + access_log /var/log/nginx/gerrit-access.log upstream_time; + location / { proxy_pass http://localhost:4778; proxy_set_header X-Forwarded-For $remote_addr; # The :443 suffix is a workaround for https://b.tvl.fyi/issues/88. proxy_set_header Host $host:443; # Gerrit can throw a lot of data. - proxy_buffering off; + proxy_buffering on; + # NGINX should not give up super fast. Things can take time. + proxy_read_timeout 3600; } location = /robots.txt {
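Review bot: In the new `log_format upstream_time` in the www.nix hunk, the fragment `'"$http_referer" "$http_user_agent"'` has no trailing space before the next fragment `'rt=$request_time …'`; nginx concatenates quoted fragments as-is, so the user-agent's closing quote runs straight into `rt=` and field-based parsing of gerrit-access.log will break. Change it to `'"$http_referer" "$http_user_agent" '`. Separately, `proxy_buffering on;` spools responses larger than the proxy buffers to temp files (bounded by `proxy_max_temp_file_size`, 1024m by default, after which nginx sends the rest synchronously), which deserves a comment given the packfile sizes noted in default.nix; and `proxy_read_timeout 3600;` keeps a worker connection open for an hour per stalled client, so a note on why 3600 was chosen, and whether `proxy_send_timeout` should match, would help. The virtualHost block continues past the hunk.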