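{ inputs, pkgs, lib, config, ... }:
# Gitolite over SSH (read/write) plus an unprivileged git-daemon (git://,
# read-only) serving the same repositories from a dedicated ZFS dataset.
let
  inherit (config.services) gitolite;
  inherit (config.users) users groups;
  # Gitolite user who is granted an interactive shell through gitolite's
  # SSH entry point (see the 'Shell' command in the ENABLE list below).
  gitolite-admin = "julm";
in
{
  # Make it comfortable to call gitolite from a shell
  # (but mind to prefix it by sudo -u git).
  environment.systemPackages = [ pkgs.gitolite ];

  services.gitolite = {
    enable = true;
    user = "git";
    # Gitolite's primary group is named after the git-daemon user, so that
    # git-daemon (running with that group, see below) can read what
    # gitolite writes with the 0027 umask configured below.
    group = users."git-daemon".name;
    # A *public* key: it ends up in the world-readable Nix store, which is
    # harmless for public key material (never do this with a private key).
    adminPubkey = builtins.readFile (inputs.secrets + "/members/ssh/julm.pub");
    extraGitoliteRc = ''
      # Repositories are created group-readable but not world-readable:
      # readable by git-daemon, invisible to other local users.
      $RC{UMASK} = 0027; # NOTE: no quote around in Perl, so it's octal
      $RC{LOG_DEST} = 'repo-log,syslog';
      $RC{LOG_FACILITY} = 'local0';
      # SECURITY: '.*' lets every user allowed to push to gitolite-admin set
      # *any* git config key on any repo through gitolite.conf.  Some keys
      # make git run commands on this host as the gitolite user (for instance
      # core.hooksPath), so this is equivalent to trusting those users with
      # the gitolite account.  Acceptable while the only gitolite admin is
      # the host admin; tighten to an allow-list such as the line below if
      # that ever changes.
      #$RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
      $RC{GIT_CONFIG_KEYS} = '.*';
      # Local code lives outside the gitolite-admin repo (in ~git/local,
      # created by gitolite-init's preStart below), so pushing to
      # gitolite-admin cannot plant hooks or commands by itself.
      #$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"
      # if -d "$rc{GL_ADMIN_BASE}/local";
      $RC{LOCAL_CODE} = "$ENV{HOME}/local";
      push(@{$RC{ENABLE}}, ( 'Alias'
      , 'cgit'
      # NOTE: without this "cgit" option,
      # the repositories' "description" files are not modified
      , 'D'
      # NOTE: gives ${gitolite-admin} a shell *as the gitolite user*
      # when connecting over SSH with the gitolite key.
      , 'Shell ${gitolite-admin}'
      , 'create'
      , 'expand-deny-messages'
      , 'fork'
      , 'keysubdirs-as-groups'
      , 'readme'
      # Only enable repo-specific hooks once the directory they are
      # read from actually exists.
      , (-d "$ENV{HOME}/local" ? 'repo-specific-hooks' : ())
      , 'ssh-authkeys-split'
      ));
    '';
  };

  systemd.services.gitolite-init = {
    preStart = ''
      # Allow git-daemon to enter ~git
      chmod g+x "${gitolite.dataDir}"
      # Hook directories are owned by the gitolite user and not writable
      # by the group, so only root or the gitolite user can add hooks.
      install -D -d -o ${gitolite.user} -g ${gitolite.group} -m 750 \
        ${gitolite.dataDir}/local \
        ${gitolite.dataDir}/local/hooks \
        ${gitolite.dataDir}/local/hooks/common \
        ${gitolite.dataDir}/local/hooks/repo-specific
    '';
  };

  # git-daemon runs on its default port (the "git" service, 9418/tcp)
  # and on every address, since no --listen/--port is passed below.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport git counter accept comment "git-daemon: Git"
      }
    }
  '';

  systemd.services.git-daemon = {
    # NOTE: not using nixpkgs' gitDaemon, to avoid running it as root.
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = users."git-daemon".name;
      Group = groups."git-daemon".name;
      Restart = "always";
      RestartSec = 5;
      # This is an anonymous, network-facing daemon: by default git daemon
      # only serves upload-pack (fetch/clone), so it never needs to write
      # under the base path and a read-only view of the system suffices.
      NoNewPrivileges = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectHome = true;
      ProtectSystem = "strict";
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
    };
    # Without --export-all, only repositories containing a
    # git-daemon-export-ok file are served.  Gitolite's 'daemon' option,
    # which would manage those files from gitolite.conf, is not in the
    # ENABLE list above, so which repositories are exported is decided out
    # of band (presumably by hand) — confirm before relying on it.
    # --listen/--port are left at git's defaults (all addresses, 9418).
    script = "${pkgs.git}/bin/git daemon --verbose --reuseaddr"
      + " --base-path=${gitolite.dataDir}/repositories"
      ;
  };

  users.users."git-daemon" = {
    uid = config.ids.uids.git;
    description = "Git daemon user";
    # Also the gitolite group (services.gitolite.group above), which is
    # what makes the 0027-umask repositories readable by this user.
    group = groups."git-daemon".name;
    # A daemon account: no home, no login shell.
    isSystemUser = true;
  };

  fileSystems."/var/lib/gitolite" = {
    device = "rpool/var/git";
    fsType = "zfs";
  };
  # Daily snapshots of the repositories, kept one week.
  services.sanoid.datasets."rpool/var/git" = {
    use_template = [ "snap" ];
    daily = 7;
  };
}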