# Gerrit configuration for the TVL monorepo { depot, pkgs, config, lib, ... }: let cfg = config.services.gerrit; gerritHooks = pkgs.runCommandNoCC "gerrit-hooks" {} '' mkdir -p $out ln -s ${depot.ops.besadii}/bin/besadii $out/ref-updated ''; in { services.gerrit = { enable = true; listenAddress = "[::]:4778"; # 4778 - grrt serverId = "4fdfa107-4df9-4596-8e0a-1d2bbdd96e36"; builtinPlugins = [ "download-commands" "hooks" ]; plugins = with depot.third_party.gerrit_plugins; [ checks owners oauth ]; package = depot.third_party.gerrit; jvmHeapLimit = "4g"; settings = { core.packedGitLimit = "100m"; log.jsonLogging = true; log.textLogging = false; sshd.advertisedAddress = "code.tvl.fyi:29418"; hooks.path = "${gerritHooks}"; cache.web_sessions.maxAge = "3 months"; plugins.allowRemoteAdmin = false; change.enableAttentionSet = true; change.enableAssignee = false; # Configures gerrit for being reverse-proxied by nginx as per # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html gerrit = { canonicalWebUrl = "https://cl.tvl.fyi"; docUrl = "/Documentation"; }; httpd.listenUrl = "proxy-https://${cfg.listenAddress}"; download.command = [ "checkout" "cherry_pick" "format_patch" "pull" ]; # Configure for cgit. gitweb = { type = "custom"; url = "https://code.tvl.fyi"; project = "/"; revision = "/commit/?id=\${commit}"; branch = "/log/?h=\${branch}"; tag = "/tag/?h=\${tag}"; roottree = "/tree/?h=\${commit}"; file = "/tree/\${file}?h=\${commit}"; filehistory = "/log/\${file}?h=\${branch}"; linkname = "cgit"; }; # Auto-link panettone bug links commentlink.panettone = { match = "b/(\\\\d+)"; html = "<a href=\"https://b.tvl.fyi/issues/$1\">b/$1</a>"; }; # Configures integration with CAS, which then integrates with a variety # of backends. auth.type = "OAUTH"; plugin.gerrit-oauth-provider-cas-oauth = { root-url = "https://login.tvl.fyi"; client-id = "OAUTH-TVL-gerrit-Fv0d8Aizz5"; # client-secret is set in /var/lib/gerrit/etc/secure.config. }; # Use Gerrit's built-in HTTP passwords, rather than trying to use the # password against the backing OAuth provider. auth.gitBasicAuthPolicy = "HTTP"; # Email sending (emails are relayed via the tazj.in domain's # GSuite currently). # # Note that sendemail.smtpPass is stored in # $site_path/etc/secure.config and is *not* controlled by Nix. # # Receiving email is not currently supported. sendemail = { enable = true; html = false; connectTimeout = "10sec"; from = "TVL Code Review <tvlbot@tazj.in>"; includeDiff = true; smtpEncryption = "none"; smtpServer = "localhost"; smtpServerPort = 2525; }; }; }; systemd.services.gerrit = { serviceConfig = { # There seems to be no easy way to get `DynamicUser` to play # well with other services (e.g. by using SupplementaryGroups, # which seem to have no effect) so we force the DynamicUser # setting for the Gerrit service to be disabled and reuse the # existing 'git' user. DynamicUser = lib.mkForce false; User = "git"; Group = "git"; }; }; }