From 405b7ec95b8dd0c06caa0e4030760821aff370bc Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Sun, 12 Jul 2020 14:02:50 +0100
Subject: feat(whitby): Enable Gerrit & cgit deployments

Change-Id: Ic701552e130252cfff005938d9c4e98423a7a96a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1069
Reviewed-by: lukegb
Tested-by: BuildkiteCI
---
 ops/nixos/whitby/default.nix | 18 +++++++++++++++++-
 ops/nixos/www/cl.tvl.fyi.nix | 23 +++++++++++++++++++++++
 ops/nixos/www/code.tvl.fyi.nix | 27 +++++++++++++++++++++++++++
 3 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 ops/nixos/www/cl.tvl.fyi.nix
 create mode 100644 ops/nixos/www/code.tvl.fyi.nix

(limited to 'ops/nixos')

diff --git a/ops/nixos/whitby/default.nix b/ops/nixos/whitby/default.nix
index 7c10719450a8..0c348e0f1165 100644
--- a/ops/nixos/whitby/default.nix
+++ b/ops/nixos/whitby/default.nix
@@ -17,13 +17,17 @@ in {
 imports = [
 "${depot.depotPath}/ops/nixos/clbot.nix"
 "${depot.depotPath}/ops/nixos/depot.nix"
+ "${depot.depotPath}/ops/nixos/monorepo-gerrit.nix"
 "${depot.depotPath}/ops/nixos/smtprelay.nix"
 "${depot.depotPath}/ops/nixos/sourcegraph.nix"
 "${depot.depotPath}/ops/nixos/tvl-slapd/default.nix"
 "${depot.depotPath}/ops/nixos/tvl-sso/default.nix"
+ "${depot.depotPath}/ops/nixos/www/cl.tvl.fyi.nix"
+ "${depot.depotPath}/ops/nixos/www/code.tvl.fyi.nix"
 "${depot.depotPath}/ops/nixos/www/cs.tvl.fyi.nix"
 "${depot.depotPath}/ops/nixos/www/login.tvl.fyi.nix"
 "${depot.depotPath}/ops/nixos/www/tvl.fyi.nix"
+ "${depot.third_party.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix"
 ];
 
 hardware = {
@@ -110,7 +114,7 @@ in {
 interface = "enp196s0";
 };
 
- firewall.allowedTCPPorts = [ 22 80 443 4238 ];
+ firewall.allowedTCPPorts = [ 22 80 443 4238 29418 ];
 
 interfaces.enp196s0.useDHCP = true;
 interfaces.enp196s0.ipv6.addresses = [
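Review bot: In the first hunk of ops/nixos/whitby/default.nix, the last added import pulls `gerrit.nix` straight out of `depot.third_party.nixpkgsSrc` with no comment saying why, while every other entry comes from the depot itself. Presumably the NixOS release this host evaluates against does not ship the Gerrit module yet; if so, the import is likely to clash with the built-in module after an upgrade, and until then the module is evaluated against a module set it was not written for. I would add a comment above it such as `# TODO: drop once the system's NixOS release ships the Gerrit module; taken from the pinned nixpkgs until then`.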
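Review bot: The firewall line in the second hunk of default.nix now carries two unexplained ports, and the new one, 29418, makes Gerrit's SSH daemon reachable on every interface the host has. `allowedTCPPorts` is not per-interface, so this list is the machine's whole public TCP surface and deserves a comment, e.g. `# 22 ssh, 80/443 nginx, 4238 <purpose>, 29418 Gerrit sshd`. Since this is a second internet-facing SSH endpoint with its own key store, it is worth confirming that authentication failures on it are logged and watched like those on port 22. The enclosing attribute set starts and ends outside the hunk.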
@@ -204,6 +208,18 @@ in {
 zfstools
 ];
 
+ # Run cgit for the depot. The onion here is nginx(thttpd(cgit)).
+ systemd.services.cgit = {
+ wantedBy = [ "multi-user.target" ];
+ script = "${depot.web.cgit-taz}/bin/cgit-launch";
+
+ serviceConfig = {
+ Restart = "on-failure";
+ User = "git";
+ Group = "git";
+ };
+ };
+
 security.sudo.extraRules = [
 {
 groups = ["wheel"];
diff --git a/ops/nixos/www/cl.tvl.fyi.nix b/ops/nixos/www/cl.tvl.fyi.nix
new file mode 100644
index 000000000000..9383f38403da
--- /dev/null
+++ b/ops/nixos/www/cl.tvl.fyi.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+
+{
+ imports = [
+ ./base.nix
+ ];
+
+ config = {
+ services.nginx.virtualHosts.gerrit = {
+ serverName = "cl.tvl.fyi";
+ enableACME = true;
+ forceSSL = true;
+
+ extraConfig = ''
+ location / {
+ proxy_pass http://localhost:4778;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ }
+ '';
+ };
+ };
+}
diff --git a/ops/nixos/www/code.tvl.fyi.nix b/ops/nixos/www/code.tvl.fyi.nix
new file mode 100644
index 000000000000..5ee33f39ca92
--- /dev/null
+++ b/ops/nixos/www/code.tvl.fyi.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+
+{
+ imports = [
+ ./base.nix
+ ];
+
+ config = {
+ services.nginx.virtualHosts.cgit = {
+ serverName = "code.tvl.fyi";
+ enableACME = true;
+ forceSSL = true;
+
+ extraConfig = ''
+ # Static assets must always hit the root.
+ location ~ ^/(favicon\.ico|cgit\.(css|png))$ {
+ proxy_pass http://localhost:2448;
+ }
+
+ # Everything else hits the depot directly.
+ location / {
+ proxy_pass http://localhost:2448/cgit.cgi/depot/;
+ }
+ '';
+ };
+ };
+}
-- 
cgit 1.4.1
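Review bot: The new `systemd.services.cgit` unit in default.nix runs an internet-reachable CGI chain with no systemd sandboxing, and does so as `git`, which is presumably the account that owns the repositories. A read-only web view needs no write access to them, so a flaw in thttpd or cgit should not be able to alter the depot; consider a dedicated user with read access only, or at least add `NoNewPrivileges = true;`, `ProtectSystem = "strict";` and `PrivateTmp = true;` to `serviceConfig`. `cgit-launch` is not visible here, so if it needs a writable cache directory that path would have to be granted explicitly.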
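Review bot: In cl.tvl.fyi.nix the `location /` block sets `X-Forwarded-For` to `$remote_addr`, which discards whatever the client sent; that is the safe choice while nginx is the only proxy in front, but nothing in the file says it is deliberate. A comment such as `# overwrite, never append: Gerrit must only see the address nginx saw` would keep a later edit from switching to `$proxy_add_x_forwarded_for`. Any backend that trusts these headers has to listen on loopback only; for port 4778 that setting presumably lives in `monorepo-gerrit.nix`, which this commit imports but does not show. No `X-Forwarded-Proto` is passed either, so Gerrit has to learn that it sits behind TLS from its own configuration.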
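Review bot: Neither `location` block in code.tvl.fyi.nix forwards the client address, unlike the `cl.tvl.fyi` vhost added in the same commit, so thttpd and cgit only ever see a loopback peer. That leaves the nginx access log as the sole per-client record for this site, which matters when tracing abusive crawling of a CGI backend. If the omission is intended, a one-line comment should say so; otherwise add `proxy_set_header X-Forwarded-For $remote_addr;` to both blocks so the two vhosts agree, assuming the backend can log it.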