# NixOS module: Redmine served through nginx, backed by PostgreSQL, with a
# (currently disabled) redmine_git_hosting integration against gitolite.
# Only the sudo rule, the gitolite group membership and the NixOps deployment
# key are active; the plugin, the preStart key installation and the rake calls
# are commented out below.
{pkgs, lib, config, ...}:
let
  # `pass` is provided by an extra-builtins plugin, so the SSH private key is
  # read out of a password store at evaluation time (see deployment.keys).
  inherit (builtins.extraBuiltins) pass;
  inherit (config) networking;
  inherit (config.services) redmine postgresql gitolite;
  # settings.yml for the redmine_git_hosting plugin; the commented-out preStart
  # symlinks it into the Redmine state directory and loads it with rake.
  # The key pair it points at is the one installed by that preStart.
  redmine_git_hosting_settings = pkgs.writeText "settings.yml" ''
    ---
    # Gitolite SSH Config
    gitolite_user: '${gitolite.user}'
    gitolite_server_host: 'localhost'
    gitolite_server_port: '22'
    #gitolite_ssh_private_key: <%= Rails.root.join('plugins', 'redmine_git_hosting', 'ssh_keys', 'redmine_gitolite_admin_id_rsa') %>
    #gitolite_ssh_public_key: <%= Rails.root.join('plugins', 'redmine_git_hosting', 'ssh_keys', 'redmine_gitolite_admin_id_rsa.pub') %>
    gitolite_ssh_private_key: '${redmine.stateDir}/.ssh/id_ed25519'
    gitolite_ssh_public_key: '${redmine.stateDir}/.ssh/id_ed25519.pub'

    # Gitolite Storage Config
    gitolite_global_storage_dir: 'repositories/'
    gitolite_redmine_storage_dir: ""
    gitolite_recycle_bin_dir: 'recycle_bin/'
    gitolite_lib_dir: '${pkgs.gitolite}/bin/lib'
    gitolite_local_code_dir: 'local/'

    # Gitolite Config File
    gitolite_config_file: 'gitolite.conf'
    gitolite_identifier_prefix: 'redmine_'
    gitolite_identifier_strip_user_id: 'false'

    # Gitolite Global Config
    gitolite_temp_dir: <%= Rails.root.join('tmp', 'redmine_git_hosting') %>
    gitolite_recycle_bin_expiration_time: '24.0'
    gitolite_log_level: 'info'
    git_config_username: 'Redmine Git Hosting'
    git_config_email: 'redmine@${networking.domain}'

    # Gitolite Hooks Config
    gitolite_overwrite_existing_hooks: 'true'
    gitolite_hooks_are_asynchronous: 'false'
    gitolite_hooks_debug: 'false'
    gitolite_hooks_url: 'http://localhost:3000'

    # Gitolite Cache Config
    gitolite_cache_max_time: '86400'
    gitolite_cache_max_size: '16'
    gitolite_cache_max_elements: '2000'
    gitolite_cache_adapter: 'database'

    # Gitolite Access Config
    ssh_server_domain: 'localhost'
    http_server_domain: 'localhost'
    https_server_domain: 'localhost'
    http_server_subdir: ""
    show_repositories_url: 'true'
    gitolite_daemon_by_default: 'false'
    gitolite_http_by_default: '1'

    # Redmine Config
    redmine_has_rw_access_on_all_repos: 'true'
    all_projects_use_git: 'false'
    init_repositories_on_create: 'false'
    delete_git_repositories: 'true'

    # This params work together!
    # When hierarchical_organisation = true unique_repo_identifier MUST be false
    # When hierarchical_organisation = false unique_repo_identifier MUST be true
    hierarchical_organisation: 'true'
    unique_repo_identifier: 'false'

    # Download Revision Config
    download_revision_enabled: 'true'

    # Git Mailing List Config
    gitolite_notify_by_default: 'false'
    gitolite_notify_global_prefix: '[REDMINE]'
    gitolite_notify_global_sender_address: 'redmine@${networking.domain}'
    gitolite_notify_global_include: []
    gitolite_notify_global_exclude: []

    # Sidekiq Config
    gitolite_use_sidekiq: 'false'
  '';
in
{
  config = {
    services = {
      redmine = {
        enable = true;
        # Every plugin is commented out, so this is a plain Redmine package;
        # re-enable redmine_git_hosting together with the preStart block below.
        package = with pkgs.redmine.plugins; pkgs.redmineWithPlugins [
          #redmine_git_hosting
          #clipboard_image_paste
          #redmine_revision_branches
        ];
        database = {
          type = "postgresql";
          # Unix-socket connection: `host` is the socket directory.
          # NOTE(review): /tmp is world-writable; confirm it matches the
          # postgresql service's unix_socket_directories on this NixOS version.
          host = "/tmp";
          port = postgresql.port;
        };
        config = {
          # mkForce replaces the module-generated configuration.yml entirely.
          "configuration.yml" = lib.mkForce ''
            default:
              scm_git_command: ${pkgs.git}/bin/git
          '';
        };
      };
      postgresql = {
        # Peer (unix socket) authentication for the redmine role; no password.
        users."${redmine.user}" = {
          auth = "unix";
        };
        databases."${redmine.database.name}" = {
          owner = redmine.user;
          users = [ redmine.user ];
          # Redmine's schema introspection reads pg_catalog.
          extraConfig = ''
            GRANT USAGE ON SCHEMA pg_catalog TO ${redmine.user};
            GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO ${redmine.user};
          '';
        };
      };
      nginx = {
        # NOTE(review): this upstream is defined but the location below uses
        # proxy_pass http://localhost:3000 directly rather than referencing it.
        upstreams."redmine" = {
          servers = {
            "localhost:3000" = {};
          };
        };
        virtualHosts."redmine" = {
          serverName = "redmine.${networking.domain}";
          # One alias per configured domain alias, all under the "redmine." label.
          serverAliases = map (domainAlias: "redmine." + domainAlias) config.networking.domainAliases;
          locations = {
            "/" = {
              # Plain HTTP to the local Rails server; TLS termination (if any)
              # is configured elsewhere in the virtualHost.
              extraConfig = ''
                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
                proxy_pass http://localhost:3000;
              '';
            };
          };
        };
      };
    };

    systemd.services.redmine = {
      # Tools Redmine shells out to; mkForce replaces the module's default path.
      path = lib.mkForce [
        pkgs.gitAndTools.git
        pkgs.imagemagickBig
        pkgs.coreutils
        pkgs.findutils
        pkgs.gnused
        /* pkgs.gitolite pkgs.coreutils pkgs.openssh (config.security.wrapperDir + "/..") */
      ];
      #environment.REDMINE_LANG = lib.mkForce "fr";
      /*
      Disabled gitolite integration. When re-enabled this installs the
      deployment key into ${redmine.stateDir}/.ssh and pushes settings.yml to
      the plugin.
      path = [ pkgs.gitolite pkgs.coreutils pkgs.openssh (config.security.wrapperDir + "/..") ];
      after = [ "keys.target" ];
      preStart = ''
        # comply with openssh's strict mode
        install -D -d -o ${redmine.user} -g ${redmine.group} -m 0700 \
          ${redmine.stateDir}/.ssh
        install -o ${redmine.user} -g ${redmine.group} -m 0400 \
          /run/keys/redmine_git_hosting_id_ed25519 \
          ${redmine.stateDir}/.ssh/id_ed25519
        install -o ${redmine.user} -g ${redmine.group} -m 0400 \
          ${pkgs.writeText "redmine_git_hosting_id_ed25519.pub" (builtins.readFile ../../../sec/var/ssh/redmine_git_hosting/id_ed25519.pub)} \
          ${redmine.stateDir}/.ssh/id_ed25519.pub
        # NOTE(review): StrictHostKeyChecking=no with a /dev/null known_hosts
        # disables host key verification for this client; it is limited to
        # `Host localhost` here, which is the only reason it is tolerable.
        install -o ${redmine.user} -g ${redmine.group} -m 0400 \
          ${pkgs.writeText "config" ''
            Host localhost
              PasswordAuthentication no
              PreferredAuthentications publickey
              StrictHostKeyChecking no
              UserKnownHostsFile /dev/null
          ''} \
          ${redmine.stateDir}/.ssh/config
        # push settings.yml
        ln -fns ${redmine_git_hosting_settings} \
          ${redmine.stateDir}/redmine_git_hosting.yml
        ${redmine.stateDir}/bundle exec rake redmine_git_hosting:update_settings
        # NOTE(review): the next line lacks a leading '#'; it would run as a
        # shell command if this block were re-enabled as-is.
        install hooks and parameters
        ${redmine.stateDir}/bundle exec rake redmine_git_hosting:install_gitolite_hooks
      '';
      */
    };

    # Lets the redmine user read gitolite-owned repositories via group membership.
    users.users."${redmine.user}" = {
      extraGroups = [ gitolite.group ];
    };

    # NixOps-managed SSH private key for the gitolite admin connection.
    # The key material is pulled from the password store at evaluation time;
    # the trailing newline keeps the PEM file well-formed.
    deployment.keys.redmine_git_hosting_id_ed25519 = {
      text = pass "${networking.domain}/${networking.hostName}/redmine_git_hosting/ssh" + "\n";
      #destDir = "${redmine.stateDir}/.ssh";
      #path = "${redmine.stateDir}/.ssh/id_ed25519";
      user = redmine.user;
      group = redmine.group;
      permissions = "0400"; # XXX: not enforced when deployment.storeKeysOnMachine = true
    };

    # NOTE(review): this grants the redmine user and group unrestricted
    # (`ALL`), passwordless sudo as the gitolite user with SETENV, i.e. a
    # compromise of the Redmine process yields full control of the gitolite
    # account and every repository. Once the integration is re-enabled,
    # narrow `command` to the specific executables the plugin invokes and
    # drop SETENV unless it is actually required.
    security.sudo.extraRules = [
      {
        users = [ redmine.user ];
        groups = [ redmine.group ];
        runAs = gitolite.user;
        commands = [
          { command = "ALL"; options = [ "SETENV" "NOPASSWD" ]; }
        ];
      }
    ];
  };
}