author | Luke Granger-Brown <git@lukegb.com> | 2021-04-03T15·54+0000 |
committer | lukegb <lukegb@tvl.fyi> | 2021-04-03T19·11+0000 |
commit | 8ae128af77223d91f2b3528f28a992830627a242 (patch) | |
tree | b754f4994e4592577c6504221208225de1a067a5 /ops/nixos/monorepo-gerrit.nix | |
parent | 81a7bd4765ac452f455ad817a08ef8f2532fe017 (diff) |
feat(monorepo-gerrit): use CAS for authentication r/2416
This drops the old LDAP configuration and uses CAS instead. All hail the hypnotoad. Change-Id: I515a213f09073bb52bfb75afe2988b935a076087 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2783 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
Diffstat (limited to 'ops/nixos/monorepo-gerrit.nix')
-rw-r--r-- | ops/nixos/monorepo-gerrit.nix | 25 |
1 files changed, 12 insertions, 13 deletions
diff --git a/ops/nixos/monorepo-gerrit.nix b/ops/nixos/monorepo-gerrit.nix
index e9635879435e..1c8564e03251 100644
--- a/ops/nixos/monorepo-gerrit.nix
+++ b/ops/nixos/monorepo-gerrit.nix
@@ -20,6 +20,7 @@ in {
 plugins = with depot.third_party.gerrit_plugins; [
 checks
 owners
+ oauth
 ];
 package = depot.third_party.gerrit;
@@ -73,21 +74,19 @@ in {
 html = "<a href=\"https://b.tvl.fyi/issues/$1\">b/$1</a>";
 };
- # Configures integration with the locally running OpenLDAP
- auth.type = "LDAP";
- ldap = {
- server = "ldap://localhost";
- accountBase = "ou=users,dc=tvl,dc=fyi";
- accountPattern = "(&(objectClass=organizationalPerson)(cn=\${username}))";
- accountFullName = "displayName";
- accountEmailAddress = "mail";
- accountSshUserName = "cn";
- groupBase = "ou=groups,dc=tvl,dc=fyi";
-
- # TODO(tazjin): Assuming this is what we'll be doing ...
- groupMemberPattern = "(&(objectClass=group)(member=\${dn}))";
+ # Configures integration with CAS, which then integrates with a variety
+ # of backends.
+ auth.type = "OAUTH";
+ plugin.gerrit-oauth-provider-cas-oauth = {
+ root-url = "https://login.tvl.fyi";
+ client-id = "OAUTH-TVL-gerrit-Fv0d8Aizz5";
+ # client-secret is set in /var/lib/gerrit/etc/secure.config.
 };
+ # Use Gerrit's built-in HTTP passwords, rather than trying to use the
+ # password against the backing OAuth provider.
+ auth.gitBasicAuthPolicy = "HTTP";
+
 # Email sending (emails are relayed via the tazj.in domain's
 # GSuite currently).
 #
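Review bot: Switching `auth.type` from `"LDAP"` to `"OAUTH"` in the second hunk changes the external-ID scheme Gerrit uses to match a login to an existing account, so accounts created under LDAP may not be linked to the CAS identity on first sign-in and could surface as duplicate accounts; nothing in the hunk records how existing accounts were migrated or linked. A comment above `auth.type = "OAUTH";` stating the migration step that was taken (or that none was needed) would save the next operator from rediscovering it. The `client-secret` comment is the right approach; it would be worth extending it to `# client-secret is set in /var/lib/gerrit/etc/secure.config, which must stay outside the Nix store (the client-id in this file is world-readable there).` so the boundary between public and secret settings is explicit. The enclosing attribute set starts and ends outside the hunk.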