]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/gitolite.nix
nix: format all .nix files
[sourcephile-nix.git] / hosts / mermet / gitolite.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (config) networking;
4 inherit (config.services) gitolite;
5 inherit (config.users) users groups;
6 gitolite-admin = "julm";
7 in
8 {
9 # Make confortable to call gitolite from a shell
10 # (but mind to prefix it by sudo -u git)
11 environment.systemPackages = [ pkgs.gitolite ];
12
13 services.gitolite = {
14 enable = true;
15 user = "git";
16 group = users."git-daemon".name;
17 adminPubkey = lib.readFile ../../users/julm/ssh/gnupg.pub;
18 extraGitoliteRc = ''
19 $RC{UMASK} = 0027; # NOTE: no quote around in Perl, so it's octal
20 $RC{LOG_DEST} = 'repo-log,syslog';
21 $RC{LOG_FACILITY} = 'local0';
22 #$RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
23 $RC{GIT_CONFIG_KEYS} = '.*';
24 #$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"
25 # if -d "$rc{GL_ADMIN_BASE}/local";
26 $RC{LOCAL_CODE} = "$ENV{HOME}/local";
27 push(@{$RC{ENABLE}}, ( 'Alias'
28 , 'cgit'
29 # NOTE: without this "cgit" option,
30 # the repositories' "description" files are not modified
31 , 'D'
32 , 'Shell ${gitolite-admin}'
33 , 'create'
34 , 'expand-deny-messages'
35 , 'fork'
36 , 'keysubdirs-as-groups'
37 , 'readme'
38 , (-d "$ENV{HOME}/local" ? 'repo-specific-hooks' : ())
39 , 'ssh-authkeys-split'
40 ));
41 '';
42 };
43 systemd.services.gitolite-init = {
44 preStart = ''
45 # Allow git-daemon to enter ~git
46 chmod g+x "${gitolite.dataDir}"
47 install -D -d -o ${gitolite.user} -g ${gitolite.group} -m 750 \
48 ${gitolite.dataDir}/local \
49 ${gitolite.dataDir}/local/hooks \
50 ${gitolite.dataDir}/local/hooks/common \
51 ${gitolite.dataDir}/local/hooks/repo-specific
52 '';
53 };
54 networking.nftables.ruleset = ''
55 table inet filter {
56 chain input-net {
57 tcp dport git counter accept comment "git-daemon: Git"
58 }
59 }
60 '';
61 systemd.services.git-daemon = {
62 # NOTE: not using nixpkgs' gitDaemon, to avoid running it as root.
63 after = [ "network.target" ];
64 wantedBy = [ "multi-user.target" ];
65 serviceConfig = {
66 User = users."git-daemon".name;
67 Group = groups."git-daemon".name;
68 Restart = "always";
69 RestartSec = 5;
70 };
71 script = "${pkgs.git}/bin/git daemon --verbose --reuseaddr"
72 + " --base-path=${gitolite.dataDir}/repositories"
73 #+ (optionalString (cfg.listenAddress != "") "--listen=${cfg.listenAddress} ")
74 #+ "--port=${toString cfg.port} "
75 ;
76 };
77 users.users."git-daemon" = {
78 uid = config.ids.uids.git;
79 description = "Git daemon user";
80 group = groups."git-daemon".name;
81 };
82 fileSystems."/var/lib/gitolite" = {
83 device = "rpool/var/git";
84 fsType = "zfs";
85 };
86 services.sanoid.datasets."rpool/var/git" = {
87 use_template = [ "snap" ];
88 daily = 7;
89 };
90 }