From 78757536598087ef73ef16297882cf38e30aa0fc Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Thu, 11 Jun 2020 21:47:41 +0000 Subject: fix(monorepo-gerrit): Disable 'DynamicUser' feature for Gerrit This change makes Gerrit run as the 'git' user, which can be shared by other services such as hound or cgit to access the git trees. Change-Id: Ic6c91f3e852184f5ef21f4374738cbf687462194 Reviewed-on: https://cl.tvl.fyi/c/depot/+/21 Reviewed-by: lukegb Reviewed-by: isomer --- ops/nixos/modules/monorepo-gerrit.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/ops/nixos/modules/monorepo-gerrit.nix b/ops/nixos/modules/monorepo-gerrit.nix index c0a06caee92c..f09258a498eb 100644 --- a/ops/nixos/modules/monorepo-gerrit.nix +++ b/ops/nixos/modules/monorepo-gerrit.nix @@ -33,4 +33,17 @@ in { }; }; }; + + systemd.services.gerrit = { + serviceConfig = { + # There seems to be no easy way to get `DynamicUser` to play + # well with other services (e.g. by using SupplementaryGroups, + # which seem to have no effect) so we force the DynamicUser + # setting for the Gerrit service to be disabled and reuse the + # existing 'git' user. + DynamicUser = lib.mkForce false; + User = "git"; + Group = "git"; + }; + }; } -- cgit 1.4.1