hosts/mermet/gitolite.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (config) networking;
   4   inherit (config.services) gitolite;
   5   inherit (config.users) users groups;
   6   gitolite-admin = "julm";
   7 in
   8 {
   9   # Make confortable to call gitolite from a shell
  10   # (but mind to prefix it by sudo -u git)
  11   environment.systemPackages = [ pkgs.gitolite ];
  12
  13   services.gitolite = {
  14     enable = true;
  15     user = "git";
  16     group = users."git-daemon".name;
  17     adminPubkey = lib.readFile ../../users/julm/ssh/gnupg.pub;
  18     extraGitoliteRc = ''
  19       $RC{UMASK}           = 0027; # NOTE: no quote around in Perl, so it's octal
  20       $RC{LOG_DEST}        = 'repo-log,syslog';
  21       $RC{LOG_FACILITY}    = 'local0';
  22       #$RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
  23       $RC{GIT_CONFIG_KEYS} = '.*';
  24       #$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"
  25       #  if -d "$rc{GL_ADMIN_BASE}/local";
  26       $RC{LOCAL_CODE} = "$ENV{HOME}/local";
  27       push(@{$RC{ENABLE}}, ( 'Alias'
  28                            , 'cgit'
  29                              # NOTE: without this "cgit" option,
  30                              # the repositories' "description" files are not modified
  31                            , 'D'
  32                            , 'Shell ${gitolite-admin}'
  33                            , 'create'
  34                            , 'expand-deny-messages'
  35                            , 'fork'
  36                            , 'keysubdirs-as-groups'
  37                            , 'readme'
  38                            , (-d "$ENV{HOME}/local" ? 'repo-specific-hooks' : ())
  39                            , 'ssh-authkeys-split'
  40                            ));
  41     '';
  42   };
  43   systemd.services.gitolite-init = {
  44     preStart = ''
  45       # Allow git-daemon to enter ~git
  46       chmod g+x "${gitolite.dataDir}"
  47       install -D -d -o ${gitolite.user} -g ${gitolite.group} -m 750 \
  48        ${gitolite.dataDir}/local \
  49        ${gitolite.dataDir}/local/hooks \
  50        ${gitolite.dataDir}/local/hooks/common \
  51        ${gitolite.dataDir}/local/hooks/repo-specific
  52     '';
  53   };
  54   networking.nftables.ruleset = ''
  55     table inet filter {
  56       chain input-net {
  57         tcp dport git counter accept comment "git-daemon: Git"
  58       }
  59     }
  60   '';
  61   systemd.services.git-daemon = {
  62     # NOTE: not using nixpkgs' gitDaemon, to avoid running it as root.
  63     after = [ "network.target" ];
  64     wantedBy = [ "multi-user.target" ];
  65     serviceConfig = {
  66       User = users."git-daemon".name;
  67       Group = groups."git-daemon".name;
  68       Restart = "always";
  69       RestartSec = 5;
  70     };
  71     script = "${pkgs.git}/bin/git daemon --verbose --reuseaddr"
  72       + " --base-path=${gitolite.dataDir}/repositories"
  73       #+ (optionalString (cfg.listenAddress != "") "--listen=${cfg.listenAddress} ")
  74       #+ "--port=${toString cfg.port} "
  75     ;
  76   };
  77   users.users."git-daemon" = {
  78     uid = config.ids.uids.git;
  79     description = "Git daemon user";
  80     group = groups."git-daemon".name;
  81   };
  82   fileSystems."/var/lib/gitolite" = {
  83     device = "rpool/var/git";
  84     fsType = "zfs";
  85   };
  86   services.sanoid.datasets."rpool/var/git" = {
  87     use_template = [ "snap" ];
  88     daily = 7;
  89   };
  90 }