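{ pkgs, lib, config, ... }:
let
  inherit (config.services) gitolite;
  inherit (config.users) users groups;
  # The only gitolite admin.  Also the only user granted a real shell
  # through gitolite (see the `Shell` entry in ENABLE below).
  gitolite-admin = "julm";
in
{
  # Make it comfortable to call gitolite from a shell
  # (but remember to prefix it with `sudo -u git`).
  environment.systemPackages = [ pkgs.gitolite ];

  services.gitolite = {
    enable = true;
    user = "git";
    # Repositories are group-owned by git-daemon's group so that the
    # unprivileged git-daemon below can read them: this, UMASK 0027 and the
    # `chmod g+x` in gitolite-init are what grant the daemon read access.
    # Note that every member of that group can read every repository,
    # exported or not.
    group = users."git-daemon".name;
    adminPubkey = lib.readFile ../../users/julm/ssh/gnupg.pub;
    # Appended after gitolite's default rc, so the defaults (including the
    # `daemon` trigger that maintains git-daemon-export-ok) stay enabled.
    extraGitoliteRc = ''
      $RC{UMASK} = 0027; # NOTE: no quote around in Perl, so it's octal
      # 0027: group-readable (for git-daemon), never world-readable.
      $RC{LOG_DEST} = 'repo-log,syslog';
      $RC{LOG_FACILITY} = 'local0';
      #$RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
      # SECURITY: '.*' lets anyone who can push to gitolite-admin set *any*
      # git config key on the server, including keys that run commands as
      # the git user (e.g. core.hooksPath, core.sshCommand, core.pager,
      # diff.*.command).  Acceptable only while every gitolite-admin writer
      # is fully trusted; go back to the allow-list above before adding admins.
      $RC{GIT_CONFIG_KEYS} = '.*';
      #$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"
      #  if -d "$rc{GL_ADMIN_BASE}/local";
      # Server-side hooks live in this directory (created by gitolite-init
      # below), so they are managed by whoever has a shell on the host,
      # not through pushes to the gitolite-admin repository.
      $RC{LOCAL_CODE} = "$ENV{HOME}/local";
      push(@{$RC{ENABLE}}, ( 'Alias'
        , 'cgit'
          # NOTE: without this "cgit" option,
          # the repositories' "description" files are not modified
        , 'D'
          # SECURITY: the admin's gitolite SSH key doubles as a login key:
          # `ssh git@host` drops this user into a real shell as the git user.
        , 'Shell ${gitolite-admin}'
        , 'create'
        , 'expand-deny-messages'
        , 'fork'
        , 'keysubdirs-as-groups'
        , 'readme'
        , (-d "$ENV{HOME}/local" ? 'repo-specific-hooks' : ())
        , 'ssh-authkeys-split'
      ));
    '';
  };

  systemd.services.gitolite-init = {
    preStart = ''
      # Allow git-daemon to enter ~git
      # (the repositories inside are group-readable thanks to UMASK 0027).
      chmod g+x "${gitolite.dataDir}"
      # LOCAL_CODE tree for gitolite's (repo-specific) hooks:
      # owned by the gitolite user, readable but not writable by the group.
      # Paths are quoted like the chmod above in case dataDir is ever changed.
      install -D -d -o ${gitolite.user} -g ${gitolite.group} -m 750 \
        "${gitolite.dataDir}/local" \
        "${gitolite.dataDir}/local/hooks" \
        "${gitolite.dataDir}/local/hooks/common" \
        "${gitolite.dataDir}/local/hooks/repo-specific"
    '';
  };

  # Expose git:// (TCP 9418) to the network.  git-daemon is unauthenticated:
  # since --export-all is not passed below, it only serves repositories that
  # contain a git-daemon-export-ok file, which gitolite's `daemon` trigger
  # creates for repositories granting R to the `daemon` pseudo-user.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport git counter accept comment "git-daemon: Git"
      }
    }
  '';

  # NOTE: not using nixpkgs' gitDaemon, to avoid running it as root.
  systemd.services.git-daemon = {
    description = "Anonymous read-only git:// access to gitolite's repositories";
    # gitolite-init performs the `chmod g+x` the daemon needs on first boot.
    after = [ "network.target" "gitolite-init.service" ];
    wantedBy = [ "multi-user.target" ];
    # The repositories live on their own dataset (see fileSystems below):
    # wait for the mount instead of serving an empty base path.
    unitConfig.RequiresMountsFor = [ "${gitolite.dataDir}/repositories" ];
    serviceConfig = {
      User = users."git-daemon".name;
      Group = groups."git-daemon".name;
      Restart = "always";
      RestartSec = 5;
      # Hardening: upload-pack only reads the repositories and nothing here
      # needs to write outside /tmp.  Relax ProtectSystem to "full" if some
      # git version turns out to need a writable repository directory.
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectSystem = "strict";
      ProtectHome = true;
    };
    script = lib.escapeShellArgs [
      "${pkgs.git}/bin/git"
      # The repositories are owned by the gitolite user while the daemon runs
      # as git-daemon, so git would refuse them ("dubious ownership").
      # Disabling that check is only acceptable because --base-path confines
      # the daemon to gitolite's repositories directory.
      "-c"
      "safe.directory=*"
      "daemon"
      "--verbose"
      "--reuseaddr"
      # No --export-all: only repositories holding git-daemon-export-ok are
      # served.  No --listen/--port: every address, TCP 9418 (see nftables).
      "--base-path=${gitolite.dataDir}/repositories"
      # git:// is unauthenticated and git-daemon has no timeouts by default:
      # drop connections that do not send a request promptly so that idle
      # clients cannot pin the (default 32) worker slots.  --timeout=<s>
      # would additionally bound idle time mid-request, but it may also cap
      # the whole pack transfer on slow links — measure before adding it.
      "--init-timeout=30"
    ];
  };

  users.users."git-daemon" = {
    # Reuses the uid nixpkgs reserves for its own git daemon user.  NixOS
    # enforces uid uniqueness at evaluation time, so this cannot silently
    # collide with the `git` user created by services.gitolite.
    uid = config.ids.uids.git;
    isSystemUser = true;
    description = "Git daemon user";
    group = groups."git-daemon".name;
  };

  # Repositories live on their own ZFS dataset.  The mountpoint must match
  # services.gitolite.dataDir (NixOS default: /var/lib/gitolite, not
  # overridden in this file).
  fileSystems."/var/lib/gitolite" = {
    device = "rpool/var/git";
    fsType = "zfs";
  };
  # Keep a week of daily snapshots of the repositories; the `snap` template
  # is defined elsewhere in this configuration.
  services.sanoid.datasets."rpool/var/git" = {
    use_template = [ "snap" ];
    daily = 7;
  };
}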