author | Vincent Ambo <tazjin@google.com> | 2020-06-10T22·40+0000 |
---|---|---|
committer | Vincent Ambo <tazjin@google.com> | 2020-06-11T21·13+0000 |
commit | 1d403296099b28b45a60b1f6b87eb649a63430fe (patch) | |
tree | e660512da60c8fa7d7da7cc32a39535a9ccbbac5 | |
parent | 8ace1010bc56c6574f23c10f408d90c850f1573a (diff) |
fix(monorepo-gerrit): Configure nginx reverse proxy correctly r/904
Configures the reverse-proxy as per Gerrit's documentation at https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
-rw-r--r-- | ops/nixos/camden/default.nix | 2 | ||||
-rw-r--r-- | ops/nixos/modules/monorepo-gerrit.nix | 10 |
2 files changed, 9 insertions, 3 deletions
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
index 41f4b318ae9c..c14a5c8f7553 100644
--- a/ops/nixos/camden/default.nix
+++ b/ops/nixos/camden/default.nix
@@ -411,6 +411,8 @@ in lib.fix(self: {
 extraConfig = ''
 location / {
 proxy_pass http://localhost:4778;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
 }
 '';
 };
diff --git a/ops/nixos/modules/monorepo-gerrit.nix b/ops/nixos/modules/monorepo-gerrit.nix
index 6721b1c5fd15..52a96990c975 100644
--- a/ops/nixos/modules/monorepo-gerrit.nix
+++ b/ops/nixos/modules/monorepo-gerrit.nix
@@ -1,7 +1,8 @@
 # Gerrit configuration for the TVL monorepo
 { pkgs, config, lib, ... }:
-{
+let cfg = config.services.gerrit;
+in {
 services.gerrit = {
 enable = true;
 listenAddress = "[::]:4778"; # 4778 - grrt
@@ -10,7 +11,11 @@
 core.packedGitLimit = "100m";
 log.jsonLogging = true;
 log.textLogging = false;
- # TODO: gitweb config
+
+ # Configures gerrit for being reverse-proxied by nginx as per
+ # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
+ gerrit.canonicalWebUrl = "https://cl.tvl.fyi";
+ httpd.listenUrl = "proxy-https://${cfg.listenAddress}";
 # Configures integration with the locally running OpenLDAP
 auth.type = "LDAP";
@@ -21,7 +26,6 @@
 accountFullName = "cn";
 accountEmailAddress = "mail";
 groupBase = "ou=groups,dc=tvl,dc=fyi";
- gerrit.canonicalWebUrl = "https://cl.tvl.fyi";
 # TODO(tazjin): Assuming this is what we'll be doing ...
 groupMemberPattern = "(&(objectClass=group)(member=\${dn}))"; |
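Review bot: The two added `proxy_set_header` lines in `location /` have no comment saying why `X-Forwarded-For` is set from `$remote_addr` instead of being appended to. Overwriting is the safe form while this nginx is the outermost hop, because an `X-Forwarded-For` sent by the client is discarded rather than handed to Gerrit. A comment such as `# Overwrite, do not append: nginx is the edge, a client-sent X-Forwarded-For must not reach Gerrit` would keep a later edit from switching to `$proxy_add_x_forwarded_for`. If another proxy is ever placed in front of this host, the value becomes that proxy's address and needs revisiting. The enclosing virtual-host block starts and ends outside the hunk.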
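Review bot: `httpd.listenUrl = "proxy-https://${cfg.listenAddress}"` in the second hunk of monorepo-gerrit.nix puts Gerrit in reverse-proxy mode on `[::]:4778` (the `listenAddress` context line in the first hunk), which is every interface, so forwarded headers are accepted from any peer that can reach the port and not only from nginx. Unless a firewall rule outside this diff closes 4778, a direct connection skips TLS termination and can present its own `X-Forwarded-For`, which would likely undermine the client addresses Gerrit records in its logs. Binding to loopback removes that path: `listenAddress = "127.0.0.1:4778";` here and `proxy_pass http://127.0.0.1:4778;` in camden/default.nix, so that both sides agree on the address family. The `services.gerrit` block continues outside the hunk.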