# Gerrit configuration for the TVL monorepo.
#
# Shape of the deployment as expressed in this module: Gerrit is
# served behind an nginx reverse proxy that terminates TLS, users are
# authenticated against the OpenLDAP instance running on this host,
# and outgoing mail is handed to a local SMTP relay.  Secrets
# (e.g. sendemail.smtpPass) are NOT managed here; they live in
# $site_path/etc/secure.config on the machine.
{ pkgs, config, lib, ... }:

let
  gerritCfg = config.services.gerrit;
  thirdParty = config.depot.third_party;

  # Hook directory handed to the `hooks` plugin via hooks.path.  The
  # plugin picks up scripts by file name, so besadii is exposed under
  # the `ref-updated` hook name.  Hooks execute as the Gerrit service
  # user (see the systemd override at the bottom of this file).
  hookDir = pkgs.runCommandNoCC "gerrit-hooks" {} ''
    mkdir -p $out
    ln -s ${config.depot.ops.besadii}/bin/besadii $out/ref-updated
  '';
in
{
  services.gerrit = {
    enable = true;
    package = thirdParty.gerrit;

    # 4778 - grrt
    #
    # NOTE(review): this binds every interface.  Because
    # httpd.listenUrl below declares Gerrit to be behind a
    # TLS-terminating proxy, this port speaks plain HTTP and is meant
    # to be reached only by nginx; make sure it is not exposed beyond
    # the proxy (host firewall, or a loopback bind if nginx is
    # co-located) — not verifiable from this file.
    listenAddress = "[::]:4778";
    serverId = "4fdfa107-4df9-4596-8e0a-1d2bbdd96e36";
    jvmHeapLimit = "4g";

    builtinPlugins = [ "download-commands" "hooks" ];
    plugins = [ thirdParty.gerrit_plugins.owners ];

    settings = {
      core = {
        packedGitLimit = "100m";
      };

      # Structured logs only; the plain-text log is disabled.
      log = {
        jsonLogging = true;
        textLogging = false;
      };

      sshd = {
        advertisedAddress = "code.tvl.fyi:29418";
      };

      hooks = {
        path = "${hookDir}";
      };

      # Web sessions remain valid for a long time: whoever holds a
      # session cookie keeps access for up to three months unless the
      # session is invalidated server-side.  Deliberate convenience
      # trade-off; revisit if the threat model changes.
      cache = {
        web_sessions = {
          maxAge = "3 months";
        };
      };

      # Reverse-proxy setup, following
      # https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html
      # The proxy-https scheme makes Gerrit generate https URLs and
      # treat the proxy's forwarded headers as authoritative.
      httpd = {
        listenUrl = "proxy-https://${gerritCfg.listenAddress}";
      };

      gerrit = {
        canonicalWebUrl = "https://cl.tvl.fyi";
        docUrl = "/Documentation";

        # Must match the Polygerrit UI version shipped with the Gerrit
        # package above; bump both together.
        cdnPath = "https://cdn.googlesource.com/polygerrit_ui/768.0";
      };

      download = {
        command = [
          "checkout"
          "cherry_pick"
          "format_patch"
          "pull"
        ];
      };

      # "Browse" links point at Sourcegraph rather than a gitweb.
      # The `\${...}` placeholders are expanded by Gerrit, not Nix.
      gitweb = {
        type = "custom";
        url = "https://cs.tvl.fyi";
        linkname = "Sourcegraph";
        project = "/depot";
        revision = "/depot/-/commit/\${commit}";
        branch = "/depot@\${branch}";
        tag = "/depot@\${tag}";
        roottree = "/depot@\${commit}";
        file = "/depot@\${commit}/-/blob/\${file}";
        filehistory = "/depot@\${commit}/-/blob/\${file}#&tab=history";
      };

      # Authentication against the OpenLDAP server on this host.  The
      # connection is plain ldap:// (no TLS); that is only acceptable
      # because it never leaves the machine — do not point this at a
      # remote server without switching to ldaps:// / StartTLS.
      auth = {
        type = "LDAP";
      };

      ldap = {
        server = "ldap://localhost";
        accountBase = "ou=users,dc=tvl,dc=fyi";
        accountPattern = "(&(objectClass=organizationalPerson)(cn=\${username}))";
        accountFullName = "displayName";
        accountEmailAddress = "mail";
        accountSshUserName = "cn";
        groupBase = "ou=groups,dc=tvl,dc=fyi";

        # TODO(tazjin): Assuming this is what we'll be doing ...
        groupMemberPattern = "(&(objectClass=group)(member=\${dn}))";
      };

      # Outgoing mail.  Messages are relayed via the tazj.in domain's
      # GSuite; the relay is reached on localhost:2525.
      #
      # smtpEncryption = "none" means the SMTP credentials from
      # secure.config and the mail body cross the socket unencrypted;
      # this is tolerable solely because the peer is loopback.  Keep
      # smtpServer on localhost or enable TLS before moving it.
      #
      # Receiving email is not currently supported.
      sendemail = {
        enable = true;
        html = false;
        connectTimeout = "10sec";
        from = "TVL Code Review <tvlbot@tazj.in>";
        includeDiff = true;
        smtpEncryption = "none";
        smtpServer = "localhost";
        smtpServerPort = 2525;
      };
    };
  };

  systemd.services.gerrit = {
    serviceConfig = {
      # The upstream module defaults to DynamicUser, which could not be
      # made to cooperate with other services (SupplementaryGroups had
      # no visible effect), so it is forced off and the pre-existing
      # 'git' account is used instead.
      #
      # Security consequence: Gerrit, its hooks (besadii above) and
      # anything else running as 'git' share one identity and one set
      # of file permissions, so a compromise of any of them reaches the
      # others.  Worth revisiting if the DynamicUser issue gets fixed.
      DynamicUser = lib.mkForce false;
      User = "git";
      Group = "git";
    };
  };
}