# Gerrit configuration for the Nixpkgs monorepo # Inspired from TVL configuration. { pkgs, config, lib, ... }: let inherit (lib) mkEnableOption mkIf mkOption types; cfgGerrit = config.services.gerrit; cfg = config.bagel.services.gerrit; jdk = pkgs.openjdk21_headless; in { options.bagel.services.gerrit = { enable = mkEnableOption "Gerrit"; domains = mkOption { type = types.listOf types.str; description = "List of domains that Gerrit will answer to"; }; data = mkOption { type = types.path; default = "/var/lib/gerrit"; description = "Root of data directory for the Gerrit"; }; }; imports = [ ./www.nix ]; config = mkIf cfg.enable { networking.firewall.allowedTCPPorts = [ 29418 ]; environment.systemPackages = [ jdk ]; fileSystems."/var/lib/gerrit" = mkIf (cfg.data != "/var/lib/gerrit") { device = cfg.data; options = [ "bind" ]; }; users.users.git = { isSystemUser = true; group = "git"; }; users.groups.git = {}; services.gerrit = { enable = true; listenAddress = "[::]:4778"; # 4778 - grrt serverId = "9e5216ad-038d-4d74-a4e8-716515834a94"; builtinPlugins = [ "gitiles" "codemirror-editor" "reviewnotes" "download-commands" "hooks" "replication" "webhooks" ]; plugins = with pkgs.gerritPlugins; [ oauth ]; package = pkgs.gerrit; jvmHeapLimit = "32g"; jvmPackage = jdk; settings = { # Performance settings sshd.threads = 64; sshd.batchThreads = 8; gc.aggressive = true; gc.interval = "1 day"; database.poolLimit = 250; database.poolMaxIdle = 16; httpd.maxThreads = 100; receive.timeout = "4min"; # Default is 0, infinite. transfer.timeout = "30min"; # We may overshoot but it's OK. core.packedGitWindowSize = "256k"; # Sum of all current packfiles is ~1.2G # Largest packfile is 906MB. # Average packfile is ~5-10MB. core.packedGitLimit = "1g"; # We have plenty of memory, let's avoid file system cache → Gerrit needless copies. core.packedGitUseStrongRefs = true; core.packedGitOpenFiles = 4096; # Big files in nixpkgs are usually lockfiles or machine-generated expressions # containing a lot of hashes, they would weigh at most ~15MB. core.streamFileThreshold = "20m"; # `mmap()` rather than `mmap()+read()` at the risk of running out of virtual address space. core.packedGitMmap = true; ## Takes more CPU but the transfer is smaller. pack.deltacompression = false; pack.threads = 8; # FIXME(raito): # Are we supposed to have private / hidden references? # For a public server, that seems unlikely. # But, we should be careful with this option. # https://gerrit-documentation.storage.googleapis.com/Documentation/3.9.5/config-gerrit.html#receive.checkReferencedObjectsAreReachable receive.checkReferencedObjectsAreReachable = false; # Other settings log.jsonLogging = true; log.textLogging = false; sshd.advertisedAddress = "cl.forkos.org:29418"; cache.web_sessions.maxAge = "3 months"; plugins.allowRemoteAdmin = false; change.enableAttentionSet = true; change.enableAssignee = false; user = { name = "ForkOS Gerrit"; email = "gerrit@forkos.org"; anonymousCoward = "ForkOS contributor"; }; # Configures gerrit for being reverse-proxied by nginx as per # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html gerrit = { canonicalWebUrl = "https://cl.forkos.org"; docUrl = "/Documentation"; defaultBranch = "refs/heads/main"; }; httpd.listenUrl = "proxy-https://${cfgGerrit.listenAddress}"; download.command = [ "checkout" "cherry_pick" "format_patch" "pull" ]; # Auto-link other CLs commentlink.gerrit = { match = "cl/(\\d+)"; link = "https://cl.forkos.org/$1"; }; # Configures integration with Keycloak, which then integrates with a # variety of backends. auth.type = "OAUTH"; plugin.gerrit-oauth-provider-keycloak-oauth = { root-url = "https://identity.lix.systems"; realm = "lix-project"; client-id = "raito-gerrit-testing"; # client-secret is set in /var/lib/gerrit/etc/secure.config. }; plugin.code-owners = { # A Code-Review +2 vote is required from a code owner. requiredApproval = "Code-Review+2"; # The OWNERS check can be overriden using an Owners-Override vote. overrideApproval = "Owners-Override+1"; # People implicitly approve their own changes automatically. enableImplicitApprovals = "TRUE"; }; # Allow users to add additional email addresses to their accounts. oauth.allowRegisterNewEmail = true; # Use Gerrit's built-in HTTP passwords, rather than trying to use the # password against the backing OAuth provider. auth.gitBasicAuthPolicy = "HTTP"; # Email sending (emails are relayed via the tazj.in domain's # GSuite currently). # # Note that sendemail.smtpPass is stored in # $site_path/etc/secure.config and is *not* controlled by Nix. # # Receiving email is not currently supported. sendemail.enable = false; #sendemail = { # enable = false; # html = false; # connectTimeout = "10sec"; # from = "TVL Code Review "; # includeDiff = true; # smtpEncryption = "none"; # smtpServer = "localhost"; # smtpServerPort = 2525; #}; }; # Replication of the depot repository to secondary machines, for # serving cgit/josh. #replicationSettings = { # gerrit.replicateOnStartup = true; # remote.sanduny = { # url = "depot@sanduny.tvl.su:/var/lib/depot"; # projects = "depot"; # }; #}; }; systemd.services.gerrit = { serviceConfig = { # There seems to be no easy way to get `DynamicUser` to play # well with other services (e.g. by using SupplementaryGroups, # which seem to have no effect) so we force the DynamicUser # setting for the Gerrit service to be disabled and reuse the # existing 'git' user. DynamicUser = lib.mkForce false; User = "git"; Group = "git"; }; }; }; }