fix(monorepo-gerrit): Disable 'DynamicUser' feature for Gerrit r/907

This change makes Gerrit run as the 'git' user, which can be shared by other services such as hound or cgit to access the git trees. Change-Id: Ic6c91f3e852184f5ef21f4374738cbf687462194 Reviewed-on: https://cl.tvl.fyi/c/depot/+/21 Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: isomer <isomer@tvl.in>
author: Vincent Ambo <tazjin@google.com> 2020-06-11T21·47+0000
committer: tazjin <mail@tazj.in> 2020-06-11T21·52+0000
commit: 78757536598087ef73ef16297882cf38e30aa0fc (patch)
tree: 4f7c700aab27f61ab331fbedf5bd92b5653f434e
parent: ea3cab8755efd8f1d66644997a9b34963e5c5cd4 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/ops/nixos/modules/monorepo-gerrit.nix b/ops/nixos/modules/monorepo-gerrit.nix
index c0a06caee92c..f09258a498eb 100644
--- a/ops/nixos/modules/monorepo-gerrit.nix
+++ b/ops/nixos/modules/monorepo-gerrit.nix
@@ -33,4 +33,17 @@ in {
       };
     };
   };
+
+  systemd.services.gerrit = {
+    serviceConfig = {
+      # There seems to be no easy way to get `DynamicUser` to play
+      # well with other services (e.g. by using SupplementaryGroups,
+      # which seem to have no effect) so we force the DynamicUser
+      # setting for the Gerrit service to be disabled and reuse the
+      # existing 'git' user.
+      DynamicUser = lib.mkForce false;
+      User = "git";
+      Group = "git";
+    };
+  };
 }
author	Vincent Ambo <tazjin@google.com>	2020-06-11T21·47+0000
committer	tazjin <mail@tazj.in>	2020-06-11T21·52+0000
commit	78757536598087ef73ef16297882cf38e30aa0fc (patch)
tree	4f7c700aab27f61ab331fbedf5bd92b5653f434e
parent	ea3cab8755efd8f1d66644997a9b34963e5c5cd4 (diff)