
# Reverse-proxy front end for the Gerrit service: nginx terminates TLS
# (ACME certificates) for every configured domain and forwards requests to
# the Gerrit daemon on localhost:4778. Only active when
# `bagel.services.gerrit.enable` is set.
{ config, lib, ... }:
let
  inherit (lib) mkIf;
  inherit (builtins) head tail;
  cfg = config.bagel.services.gerrit;

  # The first configured domain is the canonical server name; any further
  # domains are served as aliases of it.
  primaryDomain = head cfg.domains;
  aliasDomains = tail cfg.domains;

  # Access-log format that records the upstream timings (connect, header,
  # response) next to the usual combined-log fields, so a slow Gerrit
  # response can be told apart from a slow client.
  # NOTE(review): nginx concatenates the quoted arguments of log_format
  # without a separator, so the user-agent field and `rt=` end up adjacent
  # in the log line; kept as is to leave the log layout unchanged.
  upstreamTimeLogFormat = ''
    log_format upstream_time '$remote_addr - $remote_user [$time_local] '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent"'
    'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
  '';

  # Per-vhost nginx directives for the Gerrit proxy.
  gerritVhostConfig = ''
    access_log /var/log/nginx/gerrit-access.log upstream_time;
    location / {
      proxy_pass http://localhost:4778;
      # proxy_set_header replaces any client-supplied X-Forwarded-For, so
      # Gerrit only sees the address nginx actually accepted the connection from.
      proxy_set_header X-Forwarded-For $remote_addr;
      # The :443 suffix is a workaround for https://b.tvl.fyi/issues/88.
      proxy_set_header Host $host:443;
      # Gerrit can throw a lot of data.
      proxy_buffering on;
      # NGINX should not give up super fast. Things can take time.
      proxy_read_timeout 3600;
    }
    location = /robots.txt {
      return 200 'User-agent: *\nAllow: /';
    }
  '';
in
{
  config = mkIf cfg.enable {
    services.nginx = {
      enable = true;
      enableReload = true;
      # NOTE(review): nginx only inherits http-level add_header directives
      # into a server/location block that defines none of its own, so adding
      # an add_header inside the gerrit vhost would silently drop this one.
      appendHttpConfig = ''
        add_header Permissions-Policy "interest-cohort=()";
      '';
      # The module's stock proxy header set is not used; the headers Gerrit
      # needs are set explicitly in the vhost below.
      recommendedProxySettings = false;
      commonHttpConfig = upstreamTimeLogFormat;

      virtualHosts.gerrit = {
        serverName = primaryDomain;
        serverAliases = aliasDomains;
        enableACME = true;
        forceSSL = true;
        extraConfig = gerritVhostConfig;
      };
    };

    # 443 carries the proxied traffic; 80 is presumably needed for the ACME
    # challenge and the forceSSL redirect.
    networking.firewall.allowedTCPPorts = [ 443 80 ];
  };
}