Previously the depot argument was provided as config.depot, but the "new way" of doing things (which is more like the args list provided in the rest of the depot) is to provide this as the "depot" NixOS module argument instead. Change-Id: Ib48b1c7c1bdff9c1eb0618c6cbacc22b651f5f98 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2763 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: glittershark <grfn@gws.fyi>
		
			
				
	
	
		
			123 lines
		
	
	
	
		
			3.6 KiB
		
	
	
	
		
			Nix
		
	
	
	
	
	
			
		
		
	
	
			123 lines
		
	
	
	
		
			3.6 KiB
		
	
	
	
		
			Nix
		
	
	
	
	
	
| # Gerrit configuration for the TVL monorepo
 | |
| { depot, pkgs, config, lib, ... }:
 | |
| 
 | |
| let
 | |
|   cfg = config.services.gerrit;
 | |
|   gerritHooks = pkgs.runCommandNoCC "gerrit-hooks" {} ''
 | |
|     mkdir -p $out
 | |
|     ln -s ${depot.ops.besadii}/bin/besadii $out/ref-updated
 | |
|   '';
 | |
| in {
 | |
|   services.gerrit = {
 | |
|     enable = true;
 | |
|     listenAddress = "[::]:4778"; # 4778 - grrt
 | |
|     serverId = "4fdfa107-4df9-4596-8e0a-1d2bbdd96e36";
 | |
|     builtinPlugins = [
 | |
|       "download-commands"
 | |
|       "hooks"
 | |
|     ];
 | |
| 
 | |
|     plugins = with depot.third_party.gerrit_plugins; [
 | |
|       checks
 | |
|       owners
 | |
|     ];
 | |
| 
 | |
|     package = depot.third_party.gerrit;
 | |
| 
 | |
|     jvmHeapLimit = "4g";
 | |
| 
 | |
|     settings = {
 | |
|       core.packedGitLimit = "100m";
 | |
|       log.jsonLogging = true;
 | |
|       log.textLogging = false;
 | |
|       sshd.advertisedAddress = "code.tvl.fyi:29418";
 | |
|       hooks.path = "${gerritHooks}";
 | |
|       cache.web_sessions.maxAge = "3 months";
 | |
|       plugins.allowRemoteAdmin = false;
 | |
|       change.enableAttentionSet = true;
 | |
|       change.enableAssignee = false;
 | |
| 
 | |
|       # Configures gerrit for being reverse-proxied by nginx as per
 | |
|       # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
 | |
|       gerrit = {
 | |
|         canonicalWebUrl = "https://cl.tvl.fyi";
 | |
|         docUrl = "/Documentation";
 | |
|       };
 | |
| 
 | |
|       httpd.listenUrl = "proxy-https://${cfg.listenAddress}";
 | |
| 
 | |
|       download.command = [
 | |
|         "checkout"
 | |
|         "cherry_pick"
 | |
|         "format_patch"
 | |
|         "pull"
 | |
|       ];
 | |
| 
 | |
|       # Configure for cgit.
 | |
|       gitweb = {
 | |
|         type = "custom";
 | |
|         url = "https://code.tvl.fyi";
 | |
|         project = "/";
 | |
|         revision = "/commit/?id=\${commit}";
 | |
|         branch = "/log/?h=\${branch}";
 | |
|         tag = "/tag/?h=\${tag}";
 | |
|         roottree = "/tree/?h=\${commit}";
 | |
|         file = "/tree/\${file}?h=\${commit}";
 | |
|         filehistory = "/log/\${file}?h=\${branch}";
 | |
|         linkname = "cgit";
 | |
|       };
 | |
| 
 | |
|       # Auto-link panettone bug links
 | |
|       commentlink.panettone = {
 | |
|         match = "b/(\\\\d+)";
 | |
|         html = "<a href=\"https://b.tvl.fyi/issues/$1\">b/$1</a>";
 | |
|       };
 | |
| 
 | |
|       # Configures integration with the locally running OpenLDAP
 | |
|       auth.type = "LDAP";
 | |
|       ldap = {
 | |
|         server = "ldap://localhost";
 | |
|         accountBase = "ou=users,dc=tvl,dc=fyi";
 | |
|         accountPattern = "(&(objectClass=organizationalPerson)(cn=\${username}))";
 | |
|         accountFullName = "displayName";
 | |
|         accountEmailAddress = "mail";
 | |
|         accountSshUserName = "cn";
 | |
|         groupBase = "ou=groups,dc=tvl,dc=fyi";
 | |
| 
 | |
|         # TODO(tazjin): Assuming this is what we'll be doing ...
 | |
|         groupMemberPattern = "(&(objectClass=group)(member=\${dn}))";
 | |
|       };
 | |
| 
 | |
|       # Email sending (emails are relayed via the tazj.in domain's
 | |
|       # GSuite currently).
 | |
|       #
 | |
|       # Note that sendemail.smtpPass is stored in
 | |
|       # $site_path/etc/secure.config and is *not* controlled by Nix.
 | |
|       #
 | |
|       # Receiving email is not currently supported.
 | |
|       sendemail = {
 | |
|         enable = true;
 | |
|         html = false;
 | |
|         connectTimeout = "10sec";
 | |
|         from = "TVL Code Review <tvlbot@tazj.in>";
 | |
|         includeDiff = true;
 | |
|         smtpEncryption = "none";
 | |
|         smtpServer = "localhost";
 | |
|         smtpServerPort = 2525;
 | |
|       };
 | |
|     };
 | |
|   };
 | |
| 
 | |
|   systemd.services.gerrit = {
 | |
|     serviceConfig = {
 | |
|       # There seems to be no easy way to get `DynamicUser` to play
 | |
|       # well with other services (e.g. by using SupplementaryGroups,
 | |
|       # which seem to have no effect) so we force the DynamicUser
 | |
|       # setting for the Gerrit service to be disabled and reuse the
 | |
|       # existing 'git' user.
 | |
|       DynamicUser = lib.mkForce false;
 | |
|       User = "git";
 | |
|       Group = "git";
 | |
|     };
 | |
|   };
 | |
| }
 |