maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
snix/ops/modules/monorepo-gerrit.nix
Jade Lovelace be68d89901 fix(ops/gerrit): send mail with the triggering user's name on it 
We found this bug in Lix's config and noticed Snix had the same bug; see
4b9e84fa0a
and b47965fe8f.

Change-Id: I65b14839a62c4e779136c1c34750d15cedaaddc8
Reviewed-on: https://cl.snix.dev/c/snix/+/30605
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-07-28 20:34:03 +00:00

267 lines
7.9 KiB
Nix
Raw Blame History

# Gerrit configuration for the snix monorepo
{ depot, pkgs, config, lib, ... }:
let
cfg = config.services.gerrit;
gerritPackage = depot.third_party.nix-gerrit.gerrit_3_12;
gerritPlugins = depot.third_party.nix-gerrit.plugins_3_12;
besadiiWithConfig = name: pkgs.writeShellScript "besadii-gerrit01" ''
export BESADII_CONFIG=/run/agenix/gerrit-besadii-config
exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
'';
gerritHooks = pkgs.runCommand "gerrit-hooks" { } ''
mkdir -p $out
ln -s ${besadiiWithConfig "change-merged"} $out/change-merged
ln -s ${besadiiWithConfig "patchset-created"} $out/patchset-created
'';
in
{
networking.firewall.allowedTCPPorts = [ 29418 ];
services.gerrit = {
enable = true;
listenAddress = "[::]:4778"; # 4778 - grrt
serverId = "b4813230-0b9b-46cb-b400-dcbed70f87e6";
builtinPlugins = [
"download-commands"
"hooks"
"replication"
"webhooks"
];
plugins = with gerritPlugins; [
code-owners
oauth
(depot.ops.gerrit-tvl {
gerrit = gerritPackage;
})
];
package = gerritPackage;
jvmHeapLimit = "4g";
# WARN(raito): keep this synchronized with the Gerrit version!
jvmPackage = pkgs.openjdk21_headless;
jvmOpts = [
# https://bugs.openjdk.org/browse/JDK-8170568 someday… !
"-Djava.net.preferIPv6Addresses=system"
];
settings = {
core.packedGitLimit = "100m";
log.jsonLogging = true;
log.textLogging = false;
sshd.advertisedAddress = "cl.snix.dev:29418";
hooks.path = "${gerritHooks}";
cache.web_sessions.maxAge = "3 months";
plugins.allowRemoteAdmin = false;
change.enableAttentionSet = true;
change.enableAssignee = false;
# Configures gerrit for being reverse-proxied by nginx as per
# https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
gerrit = {
canonicalWebUrl = "https://cl.snix.dev";
docUrl = "/Documentation";
};
httpd.listenUrl = "proxy-https://${cfg.listenAddress}";
download.command = [
"checkout"
"cherry_pick"
"format_patch"
"pull"
];
# Configure for cgit.
# gitweb = {
# type = "custom";
# url = "https://code.snix.dev";
# project = "/";
# revision = "/commit/?id=\${commit}";
# branch = "/log/?h=\${branch}";
# tag = "/tag/?h=\${tag}";
# roottree = "/tree/?h=\${commit}";
# file = "/tree/\${file}?h=\${commit}";
# filehistory = "/log/\${file}?h=\${branch}";
# linkname = "cgit";
# };
# # Auto-link panettone bug links
# commentlink.panettone = {
# match = "b/(\\d+)";
# link = "https://b.tvl.fyi/issues/$1";
# };
commentlink = {
# Auto-link other CLs
gerrit = {
match = "cl/(\\d+)";
link = "https://cl.snix.dev/q/$1";
};
# Auto-link Forgejo issues
forgejo = {
match = "#(\\d+)";
link = "https://git.snix.dev/snix/snix/issues/$1";
};
};
# Configures integration with Keycloak, which then integrates with a
# variety of backends.
auth.type = "OAUTH";
plugin.gerrit-oauth-provider-keycloak-oauth = {
root-url = "https://auth.snix.dev/";
realm = "snix-project";
client-id = "gerrit";
# client-secret is set in /var/lib/gerrit/etc/secure.config.
};
plugin.code-owners = {
# A Code-Review +2 vote is required from a code owner.
requiredApproval = "Code-Review+2";
# The OWNERS check can be overriden using an Owners-Override vote.
overrideApproval = "Owners-Override+1";
# People implicitly approve their own changes automatically.
enableImplicitApprovals = "TRUE";
disabledBranch = "refs/meta/config";
};
plugin.webhooks = {
connectionTimeout = 3000;
socketTimeout = 2500;
maxTries = 5;
retryInterval = 5000;
threadPoolSize = 3;
};
# Allow users to add additional email addresses to their accounts.
oauth.allowRegisterNewEmail = true;
# Use Gerrit's built-in HTTP passwords, rather than trying to use the
# password against the backing OAuth provider.
auth.gitBasicAuthPolicy = "HTTP";
# Used for system-authored commits
user = {
name = "Snix Gerrit";
email = "gerrit@snix.dev";
};
# Email sending
#
# Note that sendemail.smtpPass is stored in
# $site_path/etc/secure.config and is *not* controlled by Nix.
#
# Receiving email is not currently supported.
sendemail = {
enable = true;
html = true; # multi-part, both html and plaintext
connectTimeout = "10sec";
# Include the name of the user triggering the mailing.
# See:
# https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#user.email
from = "\${user} (Snix Gerrit) <gerrit@snix.dev>";
includeDiff = true;
smtpEncryption = "tls";
smtpServer = "smtp.postmarkapp.com";
smtpUser = "PM-T-snix-gerrit-2reTInskye8FLoYt11_";
smtpServerPort = 2525;
};
};
# Replication of the snix repository to secondary machines, for
# serving forgejo.
replicationSettings = {
gerrit.replicateOnStartup = true;
# Replicate to our forgejo instance.
remote.forgejo = {
url = "git@git.snix.dev:snix/snix.git";
push = [
"+refs/heads/*:refs/heads/*"
"+refs/tags/*:refs/tags/*"
"+refs/meta/config:refs/meta/config"
];
timeout = 30;
threads = 3;
remoteNameStyle = "dash";
mirror = true;
replicatePermissions = true;
projects = [ "snix" ];
};
};
};
systemd.services.gerrit = {
serviceConfig = {
# There seems to be no easy way to get `DynamicUser` to play
# well with other services (e.g. by using SupplementaryGroups,
# which seem to have no effect) so we force the DynamicUser
# setting for the Gerrit service to be disabled and reuse the
# existing 'git' user.
DynamicUser = lib.mkForce false;
User = "git";
Group = "git";
};
};
# Taken from Lix.
# Before starting gerrit, we'll want to create a "secure auth" file that contains our secrets.
systemd.services.gerrit-keys = {
enable = true;
before = [ "gerrit.service" ];
wantedBy = [ "gerrit.service" ];
after = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "true";
WorkingDirectory = "/var/lib/gerrit";
};
path = [ pkgs.git ];
script = ''
CONF=etc/secure.config
# Ensure our config file is accessible to gerrit.
touch $CONF
chmod 600 $CONF
# Configure the SSH replication material
mkdir -p /var/lib/git/.ssh
cp ${config.age.secrets.gerrit-replication-key.path} /var/lib/git/.ssh/id_replication
cat > /var/lib/git/.ssh/config <<EOF
Host *
IdentityFile /var/lib/git/.ssh/id_replication
EOF
chmod 600 /var/lib/git/.ssh/id_replication
chmod 600 /var/lib/git/.ssh/config
chmod 700 /var/lib/git/.ssh
cp -L /etc/ssh/ssh_known_hosts /var/lib/git/.ssh/known_hosts
chmod 600 /var/lib/git/.ssh/known_hosts
chown -R git:git /var/lib/git/.ssh
# ... and finally, plop our secrets inside, and give the file to gerrit.
git config -f $CONF plugin.gerrit-oauth-provider-keycloak-oauth.client-secret \
"$(cat ${config.age.secrets.gerrit-oauth-secret.path})"
git config -f $CONF sendemail.smtpPass \
"$(cat ${config.age.secrets.gerrit-sendemail-smtp-pass.path})"
chown git:git $CONF
'';
};
services.depot.restic = {
paths = [ "/var/lib/gerrit" ];
exclude = [ "/var/lib/gerrit/tmp" ];
};
}
Reference in a new issue View git blame Copy permalink