the-distro/infra
9
0
Fork 5
Code Issues 39 Pull requests 8 Packages Projects 1 Releases Wiki Activity

gerrit01: those who finetune even further #20

Merged
raito merged 5 commits from gerrit-finetuning into main 2024-07-05 12:37:48 +00:00
Conversation 0 Commits 5 Files changed 7 +59 -9
3 changed files with 59 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit f328f5776c - Show all commits

1
common/sysadmin/default.nix
View file

@ -17,6 +17,7 @@ in
pv pv
kitty.terminfo kitty.terminfo
config.boot.kernelPackages.perf config.boot.kernelPackages.perf
bcc
tcpdump tcpdump
ncdu ncdu
] ++ lib.optional (lib.hasAttr "pwru" pkgs) pkgs.pwru; ] ++ lib.optional (lib.hasAttr "pwru" pkgs) pkgs.pwru;

54
services/gerrit/default.nix
View file

@ -28,6 +28,8 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 29418 ]; networking.firewall.allowedTCPPorts = [ 29418 ];
environment.systemPackages = [ pkgs.openjdk17_headless ];
fileSystems."/var/lib/gerrit" = mkIf (cfg.data != "/var/lib/gerrit") { fileSystems."/var/lib/gerrit" = mkIf (cfg.data != "/var/lib/gerrit") {
device = cfg.data; device = cfg.data;
options = [ "bind" ]; options = [ "bind" ];
@ -70,18 +72,49 @@ in
jvmPackage = pkgs.openjdk17_headless; jvmPackage = pkgs.openjdk17_headless;
settings = { settings = {
# Performance settings
sshd.threads = 64; sshd.threads = 64;
sshd.batchThreads = 8; sshd.batchThreads = 8;
gc.aggressive = true;
gc.interval = "1 day"; gc.interval = "1 day";
database.poolLimit = "250";
database.poolLimit = 250;
database.poolMaxIdle = 16; database.poolMaxIdle = 16;
http.maxThreads = 100;
core.packedGitLimit = "4g"; httpd.maxThreads = 100;
core.packedGitWindowSize = "16k";
core.packedGitOpenFiles = "4096";
receive.timeout = "4min"; receive.timeout = "4min";
transfer.timeout = "4min"; # Default is 0, infinite.
pack.threads = "8"; transfer.timeout = "30min";
# We may overshoot but it's OK.
core.packedGitWindowSize = "256k";
# Sum of all current packfiles is ~1.2G
# Largest packfile is 906MB.
# Average packfile is ~5-10MB.
core.packedGitLimit = "1g";
# We have plenty of memory, let's avoid file system cache → Gerrit needless copies.
core.packedGitUseStrongRefs = true;
core.packedGitOpenFiles = 4096;
# Big files in nixpkgs are usually lockfiles or machine-generated expressions
# containing a lot of hashes, they would weigh at most ~15MB.
core.streamFileThreshold = "20m";
# `mmap()` rather than `mmap()+read()` at the risk of running out of virtual address space.
core.packedGitMmap = true;
## Takes more CPU but the transfer is smaller.
pack.deltacompression = false;
pack.threads = 8;
# FIXME(raito):
# Are we supposed to have private / hidden references?
lukegb commented 2024-07-05 13:34:29 +00:00
Review
Copy link

If we ever decide to put effort into being able to receive embargoed patchsets, we'll likely need this.

If we ever decide to put effort into being able to receive embargoed patchsets, we'll likely need this.
# For a public server, that seems unlikely.
# But, we should be careful with this option.
# https://gerrit-documentation.storage.googleapis.com/Documentation/3.9.5/config-gerrit.html#receive.checkReferencedObjectsAreReachable
receive.checkReferencedObjectsAreReachable = false;
# Other settings
log.jsonLogging = true; log.jsonLogging = true;
log.textLogging = false; log.textLogging = false;
sshd.advertisedAddress = "cl.forkos.org:29418"; sshd.advertisedAddress = "cl.forkos.org:29418";
@ -90,11 +123,18 @@ in
change.enableAttentionSet = true; change.enableAttentionSet = true;
change.enableAssignee = false; change.enableAssignee = false;
user = {
name = "ForkOS Gerrit";
email = "gerrit@forkos.org";
anonymousCoward = "ForkOS contributor";
};
# Configures gerrit for being reverse-proxied by nginx as per # Configures gerrit for being reverse-proxied by nginx as per
# https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
gerrit = { gerrit = {
canonicalWebUrl = "https://cl.forkos.org"; canonicalWebUrl = "https://cl.forkos.org";
docUrl = "/Documentation"; docUrl = "/Documentation";
defaultBranch = "refs/heads/main";
}; };
httpd.listenUrl = "proxy-https://${cfgGerrit.listenAddress}"; httpd.listenUrl = "proxy-https://${cfgGerrit.listenAddress}";

13
services/gerrit/www.nix
View file

@ -12,21 +12,30 @@ in
add_header Permissions-Policy "interest-cohort=()"; add_header Permissions-Policy "interest-cohort=()";
''; '';
recommendedProxySettings = false; recommendedProxySettings = false;
commonHttpConfig = ''
log_format upstream_time '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"'
'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
'';
}; };
services.nginx.virtualHosts.gerrit = { services.nginx.virtualHosts.gerrit = {
serverName = builtins.head cfg.domains; serverName = builtins.head cfg.domains;
serverAliases = builtins.tail cfg.domains; serverAliases = builtins.tail cfg.domains;
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
access_log /var/log/nginx/gerrit-access.log upstream_time;
location / { location / {
proxy_pass http://localhost:4778; proxy_pass http://localhost:4778;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
# The :443 suffix is a workaround for https://b.tvl.fyi/issues/88. # The :443 suffix is a workaround for https://b.tvl.fyi/issues/88.
proxy_set_header Host $host:443; proxy_set_header Host $host:443;
# Gerrit can throw a lot of data. # Gerrit can throw a lot of data.
proxy_buffering off; proxy_buffering on;
# NGINX should not give up super fast. Things can take time.
proxy_read_timeout 3600;
} }
location = /robots.txt { location = /robots.txt {