mermet: knot: autogeree.net: wrong CAA accounturi=
[sourcephile-nix.git] / hosts / mermet / gitolite.nix
index db554edbc7a1ea5dda2f76a518ea6be17de9e3f4..a6042351db88acb2ca7b9792c5ab806f27249443 100644 (file)
@@ -1,91 +1,90 @@
-{ inputs, pkgs, lib, config, ... }:
+{ pkgs, lib, config, ... }:
 let
-  inherit (lib) types;
   inherit (config) networking;
   inherit (config.services) gitolite;
   inherit (config.users) users groups;
   gitolite-admin = "julm";
 in
 {
-# Make confortable to call gitolite from a shell
-# (but mind to prefix it by sudo -u git)
-environment.systemPackages = [ pkgs.gitolite ];
+  # Make confortable to call gitolite from a shell
+  # (but mind to prefix it by sudo -u git)
+  environment.systemPackages = [ pkgs.gitolite ];
 
-services.gitolite = {
-  enable = true;
-  user   = "git";
-  group  = users."git-daemon".name;
-  adminPubkey = lib.readFile ../../users/julm/ssh/gnupg.pub;
-  extraGitoliteRc = ''
-    $RC{UMASK}           = 0027; # NOTE: no quote around in Perl, so it's octal
-    $RC{LOG_DEST}        = 'repo-log,syslog';
-    $RC{LOG_FACILITY}    = 'local0';
-    #$RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
-    $RC{GIT_CONFIG_KEYS} = '.*';
-    #$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"
-    #  if -d "$rc{GL_ADMIN_BASE}/local";
-    $RC{LOCAL_CODE} = "$ENV{HOME}/local";
-    push(@{$RC{ENABLE}}, ( 'Alias'
-                         , 'cgit'
-                           # NOTE: without this "cgit" option,
-                           # the repositories' "description" files are not modified
-                         , 'D'
-                         , 'Shell ${gitolite-admin}'
-                         , 'create'
-                         , 'expand-deny-messages'
-                         , 'fork'
-                         , 'keysubdirs-as-groups'
-                         , 'readme'
-                         , (-d "$ENV{HOME}/local" ? 'repo-specific-hooks' : ())
-                         , 'ssh-authkeys-split'
-                         ));
-  '';
-};
-systemd.services.gitolite-init = {
-  preStart = ''
-    # Allow git-daemon to enter ~git
-    chmod g+x "${gitolite.dataDir}"
-    install -D -d -o ${gitolite.user} -g ${gitolite.group} -m 750 \
-     ${gitolite.dataDir}/local \
-     ${gitolite.dataDir}/local/hooks \
-     ${gitolite.dataDir}/local/hooks/common \
-     ${gitolite.dataDir}/local/hooks/repo-specific
-  '';
-};
-networking.nftables.ruleset = ''
-  table inet filter {
-    chain input-net {
-      tcp dport git counter accept comment "git-daemon: Git"
-    }
-  }
-'';
-systemd.services.git-daemon = {
-  # NOTE: not using nixpkgs' gitDaemon, to avoid running it as root.
-  after = [ "network.target" ];
-  wantedBy = [ "multi-user.target" ];
-  serviceConfig = {
-    User = users."git-daemon".name;
-    Group = groups."git-daemon".name;
-    Restart = "always";
-    RestartSec = 5;
+  services.gitolite = {
+    enable = true;
+    user = "git";
+    group = users."git-daemon".name;
+    adminPubkey = lib.readFile ../../users/julm/ssh/gnupg.pub;
+    extraGitoliteRc = ''
+      $RC{UMASK}           = 0027; # NOTE: no quote around in Perl, so it's octal
+      $RC{LOG_DEST}        = 'repo-log,syslog';
+      $RC{LOG_FACILITY}    = 'local0';
+      #$RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
+      $RC{GIT_CONFIG_KEYS} = '.*';
+      #$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"
+      #  if -d "$rc{GL_ADMIN_BASE}/local";
+      $RC{LOCAL_CODE} = "$ENV{HOME}/local";
+      push(@{$RC{ENABLE}}, ( 'Alias'
+                           , 'cgit'
+                             # NOTE: without this "cgit" option,
+                             # the repositories' "description" files are not modified
+                           , 'D'
+                           , 'Shell ${gitolite-admin}'
+                           , 'create'
+                           , 'expand-deny-messages'
+                           , 'fork'
+                           , 'keysubdirs-as-groups'
+                           , 'readme'
+                           , (-d "$ENV{HOME}/local" ? 'repo-specific-hooks' : ())
+                           , 'ssh-authkeys-split'
+                           ));
+    '';
   };
-  script = "${pkgs.git}/bin/git daemon --verbose --reuseaddr"
-    + " --base-path=${gitolite.dataDir}/repositories"
-    #+ (optionalString (cfg.listenAddress != "") "--listen=${cfg.listenAddress} ")
-    #+ "--port=${toString cfg.port} "
+  systemd.services.gitolite-init = {
+    preStart = ''
+      # Allow git-daemon to enter ~git
+      chmod g+x "${gitolite.dataDir}"
+      install -D -d -o ${gitolite.user} -g ${gitolite.group} -m 750 \
+       ${gitolite.dataDir}/local \
+       ${gitolite.dataDir}/local/hooks \
+       ${gitolite.dataDir}/local/hooks/common \
+       ${gitolite.dataDir}/local/hooks/repo-specific
+    '';
+  };
+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain input-net {
+        tcp dport git counter accept comment "git-daemon: Git"
+      }
+    }
+  '';
+  systemd.services.git-daemon = {
+    # NOTE: not using nixpkgs' gitDaemon, to avoid running it as root.
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      User = users."git-daemon".name;
+      Group = groups."git-daemon".name;
+      Restart = "always";
+      RestartSec = 5;
+    };
+    script = "${pkgs.git}/bin/git daemon --verbose --reuseaddr"
+      + " --base-path=${gitolite.dataDir}/repositories"
+      #+ (optionalString (cfg.listenAddress != "") "--listen=${cfg.listenAddress} ")
+      #+ "--port=${toString cfg.port} "
     ;
-};
-users.users."git-daemon" = {
-  uid = config.ids.uids.git;
-  description = "Git daemon user";
-  group = groups."git-daemon".name;
-};
-fileSystems."/var/lib/gitolite" = {
-  device = "rpool/var/git";
-  fsType = "zfs";
-};
-services.sanoid.datasets."rpool/var/git" = {
-  use_template = [ "snap" ];
-  daily = 7;
-};
+  };
+  users.users."git-daemon" = {
+    uid = config.ids.uids.git;
+    description = "Git daemon user";
+    group = groups."git-daemon".name;
+  };
+  fileSystems."/var/lib/gitolite" = {
+    device = "rpool/var/git";
+    fsType = "zfs";
+  };
+  services.sanoid.datasets."rpool/var/git" = {
+    use_template = [ "snap" ];
+    daily = 7;
+  };
 }
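Review bot: `$RC{GIT_CONFIG_KEYS} = '.*';` on the new side (the extraGitoliteRc block) allows every git config key to be set from gitolite.conf, so anyone who can push to gitolite-admin can set keys such as `core.hooksPath` and have the server run code from a repository-controlled path as the gitolite user; gitolite's own rc template documents `.*` as unsafe for exactly this reason. The commented-out `#$RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';` directly above is the narrower allow-list, and restoring it (extended with the cgit keys actually needed) limits the blast radius to presentation settings. The hunk only re-indents this block and drops the unused `inputs`/`types` bindings, so the setting predates the commit and is worth a follow-up rather than blocking it. If `.*` is kept deliberately, a comment stating that gitolite-admin pushers are trusted with code execution, e.g. `# NOTE: '.*' lets gitolite-admin set any git config key, including ones that run code`, would make the trust assumption explicit.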