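# NixOS module: gitolite (SSH push/pull, admin via gitolite-admin repo) plus a
# separate, unprivileged `git daemon` for anonymous read-only access.
#
# Evaluation-time requirements:
#   - `builtins.extraBuiltins.pass` (nix-plugins style extra builtin) that
#     reads an entry from a password store; only a *public* SSH key is
#     fetched here, so it is acceptable for it to land in the Nix store.
#   - a `git-daemon` group defined elsewhere (referenced via
#     config.users.groups."git-daemon" below) — TODO confirm it exists.
{pkgs, lib, config, system, ...}:
let
  inherit (builtins.extraBuiltins) pass;
  inherit (config.services) gitolite;
  inherit (config.users) users groups;
  # Per-host secret lookup in the password store, keyed by user name.
  # Not used by this module at the moment; kept for sibling modules/overrides.
  userPass = name: pass ("${config.networking.domain}/${config.networking.hostName}/"+name);
  # gitolite admin user; its public key is pulled from the password store.
  gitolite-admin = "julm";
in
{
  config = {
    # NOTE: make it comfortable to call gitolite from a shell
    # (but mind the sudo -u git).
    environment.systemPackages = [ pkgs.gitolite ];

    services = {
      gitolite = {
        enable = true;
        user = "git";
        # gitolite's repositories are group-owned by the git-daemon user's
        # group name so that, together with UMASK 0027 below (group-readable,
        # world-inaccessible), the unprivileged git-daemon can read them while
        # nobody else on the host can.
        group = users."git-daemon".name;
        # Public key of the gitolite admin (store-safe: it is not a secret).
        adminPubkey = pass "${config.networking.domain}/ssh/${gitolite-admin}";
        # Appended to gitolite's .gitolite.rc (Perl).
        extraGitoliteRc = ''
          $RC{UMASK} = 0027; # NOTE: no quote around in Perl, so it's octal
          $RC{LOG_DEST} = 'repo-log,syslog';
          $RC{LOG_FACILITY} = 'local0';
          # git-config keys the admin may set from gitolite.conf; keep this
          # allow-list narrow, since it is what a repo admin can influence.
          $RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
          # Site-local gitolite code is only enabled when the directory exists
          # in the admin repo checkout.
          $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local" if -d "$rc{GL_ADMIN_BASE}/local";
          push(@{$RC{ENABLE}}, (
              'Alias'
            #, 'cgit'
            , 'D'
            , 'Shell ${gitolite-admin}'
            , 'create'
            , 'expand-deny-messages'
            , 'fork'
            , 'keysubdirs-as-groups'
            , 'readme'
            , (-d "$rc{GL_ADMIN_BASE}/local" ? 'repo-specific-hooks' : ())
            , 'ssh-authkeys-split'
          ));
        '';
      };
    };

    systemd.services.gitolite-init = {
      preStart = ''
        chmod g+x "${gitolite.dataDir}" # NOTE: allow git-daemon to enter ~git
      '';
    };

    systemd.services.git-daemon = {
      # NOTE: not using nixpkgs' gitDaemon, to avoid running it as root.
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        # Dedicated unprivileged identity; the group is what grants read access
        # to gitolite's group-readable repositories (see services.gitolite.group).
        User = users."git-daemon".name;
        Group = groups."git-daemon".name;
        Restart = "always";
        RestartSec = 5;
      };
      # --base-path confines served paths to gitolite's repository tree.
      # --export-all is deliberately NOT passed: git daemon then serves only
      # repositories carrying the git-daemon-export-ok marker, which gitolite
      # creates for repositories readable by its `daemon` pseudo-user.
      # NOTE(review): no --listen/--port is given, so the daemon uses git's
      # defaults (all interfaces, default port) — confirm this matches the
      # host's firewall expectations.
      script = "${pkgs.git}/bin/git daemon --verbose --reuseaddr"
        + " --base-path=${gitolite.dataDir}/repositories"
        #+ (optionalString (cfg.listenAddress != "") "--listen=${cfg.listenAddress} ")
        #+ "--port=${toString cfg.port} "
        ;
    };

    # Attribute-set form: the list form (`users.users = lib.singleton { name = …; }`)
    # has been deprecated and later removed from NixOS, while the attrset form is
    # accepted by both old and current releases.
    users.users."git-daemon" = {
      uid = config.ids.uids.git;
      description = "Git daemon user";
      # Current NixOS requires one of isSystemUser/isNormalUser and, for system
      # users, an explicit primary group; use the same group the service runs as.
      isSystemUser = true;
      group = groups."git-daemon".name;
    };
  };
}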