servers/mermet/gitolite.nix

   1 { pkgs, lib, config, ... }:
   2 let inherit (builtins.extraBuiltins) pass;
   3     inherit (lib) types;
   4     inherit (config) networking;
   5     inherit (config.services) gitolite;
   6     inherit (config.users) users groups;
   7     gitolite-admin = "julm";
   8 in
   9 {
  10   # Make confortable to call gitolite from a shell
  11   # (but mind to prefix it by sudo -u git)
  12   environment.systemPackages = [ pkgs.gitolite ];
  13
  14   services = {
  15     gitolite = {
  16       enable = true;
  17       user   = "git";
  18       group  = users."git-daemon".name;
  19       adminPubkey = pass "members/${gitolite-admin}/ssh.pub";
  20       extraGitoliteRc = ''
  21         $RC{UMASK}           = 0027; # NOTE: no quote around in Perl, so it's octal
  22         $RC{LOG_DEST}        = 'repo-log,syslog';
  23         $RC{LOG_FACILITY}    = 'local0';
  24         #$RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
  25         $RC{GIT_CONFIG_KEYS} = '.*';
  26         #$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"
  27         #  if -d "$rc{GL_ADMIN_BASE}/local";
  28         $RC{LOCAL_CODE} = "$ENV{HOME}/local";
  29         push(@{$RC{ENABLE}}, ( 'Alias'
  30                              , 'cgit'
  31                                # NOTE: without this "cgit" option,
  32                                # the repositories' "description" files are not modified
  33                              , 'D'
  34                              , 'Shell ${gitolite-admin}'
  35                              , 'create'
  36                              , 'expand-deny-messages'
  37                              , 'fork'
  38                              , 'keysubdirs-as-groups'
  39                              , 'readme'
  40                              , (-d "$ENV{HOME}/local" ? 'repo-specific-hooks' : ())
  41                              , 'ssh-authkeys-split'
  42                              ));
  43       '';
  44     };
  45   };
  46   systemd.services.gitolite-init = {
  47     preStart = ''
  48       # Allow git-daemon to enter ~git
  49       chmod g+x "${gitolite.dataDir}"
  50       install -D -d -o ${gitolite.user} -g ${gitolite.group} -m 750 \
  51        ${gitolite.dataDir}/local \
  52        ${gitolite.dataDir}/local/hooks \
  53        ${gitolite.dataDir}/local/hooks/common \
  54        ${gitolite.dataDir}/local/hooks/repo-specific
  55     '';
  56   };
  57   systemd.services.git-daemon = {
  58     # NOTE: not using nixpkgs' gitDaemon, to avoid running it as root.
  59     after = [ "network.target" ];
  60     wantedBy = [ "multi-user.target" ];
  61     serviceConfig = {
  62       User       = users."git-daemon".name;
  63       Group      = groups."git-daemon".name;
  64       Restart    = "always";
  65       RestartSec = 5;
  66     };
  67     script = "${pkgs.git}/bin/git daemon --verbose --reuseaddr"
  68       + " --base-path=${gitolite.dataDir}/repositories"
  69       #+ (optionalString (cfg.listenAddress != "") "--listen=${cfg.listenAddress} ")
  70       #+ "--port=${toString cfg.port} "
  71       ;
  72   };
  73   users.users = lib.singleton
  74     { name = "git-daemon";
  75       uid = config.ids.uids.git;
  76       description = "Git daemon user";
  77     };
  78 }