feat(ops/modules): add module for receiving a depot replica
This module sets up a user with an SSH key and permissions to receive a (pushed) replica of depot from Gerrit. This still needs appropriate configuration in Gerrit's replication plugin on the other end. This module has been enabled for sanduny. For now it does not (yet) configure git serving. Change-Id: I0fb6f7e696609e71008308e855bdf305dcbcd4f7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5913 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: sterni <sternenseemann@systemli.org>
This commit is contained in:
		
							parent
							
								
									255750471b
								
							
						
					
					
						commit
						6ab6724e4c
					
				
					 2 changed files with 49 additions and 0 deletions
				
			
		|  | @ -14,6 +14,7 @@ let | |||
| in | ||||
| { | ||||
|   imports = [ | ||||
|     (mod "depot-replica.nix") | ||||
|     (mod "journaldriver.nix") | ||||
|     (mod "known-hosts.nix") | ||||
|     (mod "tvl-cache.nix") | ||||
|  | @ -76,6 +77,9 @@ in | |||
|     preserveGenerations = "90d"; | ||||
|   }; | ||||
| 
 | ||||
|   # Allow Gerrit to replicate depot to /var/lib/depot | ||||
|   services.depot.replica.enable = true; | ||||
| 
 | ||||
|   time.timeZone = "UTC"; | ||||
| 
 | ||||
|   # GRUB does not actually need to be installed on disk; Bitfolk have | ||||
							
								
								
									
										45
									
								
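--- /dev/null
+++ b/ops/modules/depot-replica.nix
@@ -0,0 +1,45 @@
+# Configuration for receiving a depot replica from Gerrit's
+# replication plugin.
+#
+# This only prepares the user and folder for receiving the replica,
+# but Gerrit configuration still needs to be modified in addition.
+{ config, depot, lib, pkgs, ... }:
+
+let
+  cfg = config.services.depot.replica;
+in
+{
+  options.services.depot.replica = with lib; {
+    enable = mkEnableOption "Receive depot git replica from Gerrit";
+
+    key = mkOption {
+      description = "Public key to use for replication";
+      type = types.str;
+      default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFFab9O1xaQ1TCyn+CxmXHexdlLzURREG+UR3Qdi3BvH";
+    };
+
+    path = mkOption {
+      description = "Replication destination path (will be created)";
+      type = types.str;
+      default = "/var/lib/depot";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.groups.depot = { };
+
+    users.users.depot = {
+      group = "depot";
+      isSystemUser = true;
+      createHome = true;
+      home = cfg.path;
+      homeMode = "750"; # group can read depot
+      openssh.authorizedKeys.keys = lib.singleton cfg.key;
+      shell = pkgs.bashInteractive; # gerrit needs to run shell commands
+    };
+
+    environment.systemPackages = [
+      pkgs.git
+    ];
+  };
+}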
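Review bot: The key installed via `openssh.authorizedKeys.keys` gives the `depot` user an unrestricted login — it is paired with `shell = pkgs.bashInteractive`, so whoever holds the matching private key (the Gerrit host) can open an interactive session, forward ports and agents, and run anything as `depot`, whereas a replication push only needs to execute git-receive-pack and whatever repository-setup commands the plugin issues. Prefixing the authorized_keys entry with options keeps command execution working while dropping the rest: `openssh.authorizedKeys.keys = lib.singleton "restrict,from=\"<gerrit host>\" ${cfg.key}";` (`restrict` disables pty allocation, port/agent/X11 forwarding and user rc files; `from=` pins the key to the Gerrit host's address). The `from=` value could be a second module option so the module stays host-agnostic, and the first replication run should confirm the plugin copes with `restrict`, which I expect it does since it only needs a non-interactive command channel. The comment on `shell` would also help the next reader if it named what is run rather than just "shell commands", e.g. `# the replication plugin runs git (and repo-setup commands) over ssh, so a real shell is needed`.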