doc: install/logical/machines.list

[sourcephile-nix.git] / install / logical / friot / redmine.nix

{pkgs, lib, config, ...}:
let inherit (builtins.extraBuiltins) pass;
    inherit (config) networking;
    inherit (config.services) redmine postgresql gitolite;
    redmine_git_hosting_settings = pkgs.writeText "settings.yml" ''
      ---
      # Gitolite SSH Config
      gitolite_user:                  '${gitolite.user}'
      gitolite_server_host:           'localhost'
      gitolite_server_port:           '22'
      #gitolite_ssh_private_key:       <%= Rails.root.join('plugins', 'redmine_git_hosting', 'ssh_keys', 'redmine_gitolite_admin_id_rsa') %>
      #gitolite_ssh_public_key:        <%= Rails.root.join('plugins', 'redmine_git_hosting', 'ssh_keys', 'redmine_gitolite_admin_id_rsa.pub') %>
      gitolite_ssh_private_key:       '${redmine.stateDir}/.ssh/id_ed25519'
      gitolite_ssh_public_key:        '${redmine.stateDir}/.ssh/id_ed25519.pub'

      # Gitolite Storage Config
      gitolite_global_storage_dir:    'repositories/'
      gitolite_redmine_storage_dir:   ""
      gitolite_recycle_bin_dir:       'recycle_bin/'
      gitolite_lib_dir:               '${pkgs.gitolite}/bin/lib'
      gitolite_local_code_dir:        'local/'

      # Gitolite Config File
      gitolite_config_file:              'gitolite.conf'
      gitolite_identifier_prefix:        'redmine_'
      gitolite_identifier_strip_user_id: 'false'

      # Gitolite Global Config
      gitolite_temp_dir:                     <%= Rails.root.join('tmp', 'redmine_git_hosting') %>
      gitolite_recycle_bin_expiration_time:  '24.0'
      gitolite_log_level:                    'info'
      git_config_username:                   'Redmine Git Hosting'
      git_config_email:                      'redmine@${networking.domain}'

      # Gitolite Hooks Config
      gitolite_overwrite_existing_hooks: 'true'
      gitolite_hooks_are_asynchronous:   'false'
      gitolite_hooks_debug:              'false'
      gitolite_hooks_url:                'http://localhost:3000'

      # Gitolite Cache Config
      gitolite_cache_max_time:          '86400'
      gitolite_cache_max_size:          '16'
      gitolite_cache_max_elements:      '2000'
      gitolite_cache_adapter:           'database'

      # Gitolite Access Config
      ssh_server_domain:                'localhost'
      http_server_domain:               'localhost'
      https_server_domain:              'localhost'
      http_server_subdir:               ""
      show_repositories_url:            'true'
      gitolite_daemon_by_default:       'false'
      gitolite_http_by_default:         '1'

      # Redmine Config
      redmine_has_rw_access_on_all_repos: 'true'
      all_projects_use_git:               'false'
      init_repositories_on_create:        'false'
      delete_git_repositories:            'true'

      # This params work together!
      # When hierarchical_organisation = true unique_repo_identifier MUST be false
      # When hierarchical_organisation = false unique_repo_identifier MUST be true
      hierarchical_organisation:        'true'
      unique_repo_identifier:           'false'

      # Download Revision Config
      download_revision_enabled:        'true'

      # Git Mailing List Config
      gitolite_notify_by_default:            'false'
      gitolite_notify_global_prefix:         '[REDMINE]'
      gitolite_notify_global_sender_address: 'redmine@${networking.domain}'
      gitolite_notify_global_include:        []
      gitolite_notify_global_exclude:        []

      # Sidekiq Config
      gitolite_use_sidekiq:                  'false'
    '';
in
{
  config = {
    services = {
      redmine = {
        enable = true;
        package = with pkgs.redmine.plugins; pkgs.redmineWithPlugins [
          #redmine_git_hosting
          #clipboard_image_paste
          #redmine_revision_branches
        ];
        database = {
          type = "postgresql";
          host = "/tmp";
          port = postgresql.port;
        };
        config = {
          "configuration.yml" = lib.mkForce ''
            default:
              scm_git_command: ${pkgs.git}/bin/git
          '';
        };
      };
      postgresql = {
        users."${redmine.user}" = {
          auth = "unix";
        };
        databases."${redmine.database.name}" = {
          owner = redmine.user;
          users = [ redmine.user ];
          extraConfig = ''
            GRANT USAGE  ON SCHEMA pg_catalog TO ${redmine.user};
            GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO ${redmine.user};
          '';
        };
      };
      nginx = {
        upstreams."redmine" = {
          servers = { "localhost:3000" = {}; };
        };
        virtualHosts."redmine" = {
          serverName = "redmine.${networking.domain}";
          serverAliases =
            map (domainAlias: "redmine." + domainAlias)
                config.networking.domainAliases;
          locations = {
            "/" = {
              extraConfig = ''
                proxy_next_upstream error timeout
                 invalid_header http_500 http_502 http_503;
                proxy_pass http://localhost:3000;
              '';
            };
          };
        };
      };
    };
    systemd.services.redmine = {
      path = lib.mkForce [
        pkgs.gitAndTools.git
        pkgs.imagemagickBig
        pkgs.coreutils
        pkgs.findutils
        pkgs.gnused
        /*
        pkgs.gitolite
        pkgs.coreutils
        pkgs.openssh
        (config.security.wrapperDir + "/..")
        */
      ];
      #environment.REDMINE_LANG = lib.mkForce "fr";
      /*
      path = [
        pkgs.gitolite
        pkgs.coreutils
        pkgs.openssh
        (config.security.wrapperDir + "/..")
      ];
      after = [ "keys.target" ];
      preStart = ''
        # comply with openssh's strict mode
        install -D -d -o ${redmine.user} -g ${redmine.group} -m 0700 \
         ${redmine.stateDir}/.ssh
        install -o ${redmine.user} -g ${redmine.group} -m 0400 \
         /run/keys/redmine_git_hosting_id_ed25519 \
         ${redmine.stateDir}/.ssh/id_ed25519
        install -o ${redmine.user} -g ${redmine.group} -m 0400 \
         ${pkgs.writeText "redmine_git_hosting_id_ed25519.pub"
          (builtins.readFile ../../../sec/var/ssh/redmine_git_hosting/id_ed25519.pub)} \
         ${redmine.stateDir}/.ssh/id_ed25519.pub
        install -o ${redmine.user} -g ${redmine.group} -m 0400 \
         ${pkgs.writeText "config" ''
          Host localhost
            PasswordAuthentication no
            PreferredAuthentications publickey
            StrictHostKeyChecking no
            UserKnownHostsFile /dev/null
         ''} \
         ${redmine.stateDir}/.ssh/config

        # push settings.yml
        ln -fns ${redmine_git_hosting_settings} \
         ${redmine.stateDir}/redmine_git_hosting.yml
        ${redmine.stateDir}/bundle exec rake redmine_git_hosting:update_settings
         install hooks and parameters
        ${redmine.stateDir}/bundle exec rake redmine_git_hosting:install_gitolite_hooks
      '';
      */
    };
    users.users."${redmine.user}" = {
      extraGroups = [
        gitolite.group
      ];
    };
    deployment.keys.redmine_git_hosting_id_ed25519 = {
      text    = pass "${networking.domain}/${networking.hostName}/redmine_git_hosting/ssh" + "\n";
      #destDir = "${redmine.stateDir}/.ssh";
      #path    = "${redmine.stateDir}/.ssh/id_ed25519";
      user    = redmine.user;
      group   = redmine.group;
      permissions = "0400"; # XXX: not enforced when deployment.storeKeysOnMachine = true
    };
    security.sudo.extraRules = [
      { users    = [ redmine.user ];
        groups   = [ redmine.group ];
        runAs    = gitolite.user;
        commands = [ { command = "ALL"; options = [ "SETENV" "NOPASSWD" ]; } ];
      }
    ];
  };
}