inherit (lib) types;
inherit (config) networking;
inherit (config.services) dovecot2;
- userPass = name: pass ("${networking.domain}/${networking.hostName}/"+name);
+ userPass = name: pass "${networking.domain}/${networking.hostName}/${name}/pass";
in {
imports = [
<nixpkgs-commonsoft/install/modules.nix>
};
};
+ boot.initrd = {
+ network = {
+ enable = config.deployment.targetEnv != "virtualbox";
+ ssh = {
+ enable = true;
+ authorizedKeys = [ (pass "${networking.domain}/${networking.hostName}/julm/ssh.pub") ];
+ };
+ };
+ };
+
services = {
nixosManual = {
enable = false; # NOTE: useless on this machine, and CPU intensive.
};
+ redis = {
+ enable = true;
+ };
disnix = {
enable = false;
};
openssh = {
enable = true;
+ extraConfig = ''
+ '';
};
gitea = {
enable = false;
#nss_ldap
#nss_pam_ldapd
socat
+ users-init
+ which
];
+ etc."inputrc".text = ''
+ # /etc/inputrc - global inputrc for libreadline
+ # See readline(3readline) and `info rluserman' for more information.
+
+ # Be 8 bit clean.
+ set input-meta on
+ set output-meta on
+
+ # To allow the use of 8bit-characters like the german umlauts, uncomment
+ # the line below. However this makes the meta key not work as a meta key,
+ # which is annoying to those which don't need to type in 8-bit characters.
+
+ # set convert-meta off
+
+ # try to enable the application keypad when it is called. Some systems
+ # need this to enable the arrow keys.
+ # set enable-keypad on
+
+ # see /usr/share/doc/bash/inputrc.arrows for other codes of arrow keys
+
+ # do not bell on tab-completion
+ # set bell-style none
+ # set bell-style visible
+
+ # some defaults / modifications for the emacs mode
+ $if mode=emacs
+
+ # allow the use of the Home/End keys
+ "\e[1~": beginning-of-line
+ "\e[4~": end-of-line
+
+ # allow the use of the Delete/Insert keys
+ "\e[3~": delete-char
+ "\e[2~": quoted-insert
+
+ # mappings for "page up" and "page down" to step to the beginning/end
+ # of the history
+ # "\e[5~": beginning-of-history
+ # "\e[6~": end-of-history
+
+ # alternate mappings for "page up" and "page down" to search the history
+ # "\e[5~": history-search-backward
+ # "\e[6~": history-search-forward
+
+ # mappings for Ctrl-left-arrow and Ctrl-right-arrow for word moving
+ "\e[1;5C": forward-word
+ "\e[1;5D": backward-word
+ "\e[5C": forward-word
+ "\e[5D": backward-word
+ "\e\e[C": forward-word
+ "\e\e[D": backward-word
+
+ $if term=rxvt
+ "\e[7~": beginning-of-line
+ "\e[8~": end-of-line
+ "\eOc": forward-word
+ "\eOd": backward-word
+ $endif
+
+ # for non RH/Debian xterm, can't hurt for RH/Debian xterm
+ # "\eOH": beginning-of-line
+ # "\eOF": end-of-line
+
+ # for freebsd console
+ # "\e[H": beginning-of-line
+ # "\e[F": end-of-line
+
+ $endif
+ '';
};
};
}
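Review bot: The new `boot.initrd.network.ssh` block enables sshd in the initrd without setting any host key option, and depending on the NixOS release an unset initrd host key is either generated at build time into the Nix store, where every local user can read it, or rejected outright by the module; supply it explicitly, e.g. `hostKeys = [ "<path on the target, outside the Nix store>" ];` (the older `hostECDSAKey`/`hostRSAKey` options on releases that predate `hostKeys`), bearing in mind that the initrd itself lives unencrypted in /boot so whatever key it embeds is readable by anyone with access to that partition. Reading `authorizedKeys` from `pass` is fine since that value is a public key. The `extraConfig = '' '';` added under openssh is an empty no-op and could be left out until it carries settings. The `let` block that the changed `userPass` line belongs to opens before this hunk.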
{pkgs, lib, config, system, ...}:
let inherit (builtins.extraBuiltins) pass;
inherit (lib) types;
+ inherit (config) networking;
inherit (config.services) gitolite;
inherit (config.users) users groups;
- userPass = name: pass ("${config.networking.domain}/${config.networking.hostName}/"+name);
gitolite-admin = "julm";
in
{
enable = true;
user = "git";
group = users."git-daemon".name;
- adminPubkey = pass "${config.networking.domain}/ssh/${gitolite-admin}";
+ adminPubkey = pass "${networking.domain}/${networking.hostName}/${gitolite-admin}/ssh.pub";
extraGitoliteRc = ''
$RC{UMASK} = 0027; # NOTE: no quote around in Perl, so it's octal
$RC{LOG_DEST} = 'repo-log,syslog';
$RC{LOG_FACILITY} = 'local0';
- $RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
- $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"
- if -d "$rc{GL_ADMIN_BASE}/local";
+ #$RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
+ $RC{GIT_CONFIG_KEYS} = '.*';
+ #$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"
+ # if -d "$rc{GL_ADMIN_BASE}/local";
+ $RC{LOCAL_CODE} = "$ENV{HOME}/local";
push(@{$RC{ENABLE}}, ( 'Alias'
#, 'cgit'
, 'D'
, 'fork'
, 'keysubdirs-as-groups'
, 'readme'
- , (-d "$rc{GL_ADMIN_BASE}/local" ? 'repo-specific-hooks' : ())
+ , (-d "$ENV{HOME}/local" ? 'repo-specific-hooks' : ())
, 'ssh-authkeys-split'
));
'';
preStart = ''
chmod g+x "${gitolite.dataDir}"
# NOTE: allow git-daemon to enter ~git
+ install -D -d -o ${gitolite.user} -g ${gitolite.group} -m 750 \
+ ${gitolite.dataDir}/local \
+ ${gitolite.dataDir}/local/hooks \
+ ${gitolite.dataDir}/local/hooks/common \
+ ${gitolite.dataDir}/local/hooks/repo-specific
'';
};
systemd.services.git-daemon = {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
- User = users."git-daemon".name;
- Group = groups."git-daemon".name;
- Restart = "always";
- RestartSec = 5;
+ User = users."git-daemon".name;
+ Group = groups."git-daemon".name;
+ Restart = "always";
+ RestartSec = 5;
};
script = "${pkgs.git}/bin/git daemon --verbose --reuseaddr"
+ " --base-path=${gitolite.dataDir}/repositories"
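Review bot: `$RC{GIT_CONFIG_KEYS} = '.*';` in extraGitoliteRc replaces the previous `hooks.* gitweb.*` allowlist with every git config key, which gitolite's own rc documentation flags as a risk because anyone who can push to gitolite-admin can then set keys that make git execute configured paths (the docs name `core.hooksPath` as the example), i.e. run code on the server as the gitolite user. If a consumer needs more keys (the Redmine git hosting plugin elsewhere in this change looks like the reason), list the namespaces it actually writes instead, e.g. `$RC{GIT_CONFIG_KEYS} = 'hooks\..* gitweb\..* <needed-namespace>\..*';`, and record which consumer needs each in a comment. Moving `LOCAL_CODE` from `GL_ADMIN_BASE` to `$ENV{HOME}/local`, created 750 by the new preStart, is the right direction since it takes hook code out of admin-repo control. The `script` string of git-daemon continues past the end of this hunk.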
{pkgs, lib, config, system, ...}:
let inherit (lib) types;
inherit (config.services) nginx x509;
- logDir = "/var/log/nginx";
domainDir = dom: lib.concatStringsSep "/" (lib.reverseList (lib.splitString "." dom));
in
{
imports = [
nginx/gitweb.nix
];
-options.services.nginx.webDir = lib.mkOption {
- type = types.str;
- default = "/var/www"; # TODO: /var/lib/nginx ?
+options.services.nginx = {
+ webDir = lib.mkOption {
+ type = types.str;
+ default = "/var/lib/nginx";
+ };
+ logDir = lib.mkOption {
+ type = types.str;
+ default = "/var/log/nginx";
+ };
};
config = {
security.dhparams = {
nginx = 1024;
};
};
+ systemd.services.nginx = {
+ preStart = lib.mkBefore ''
+ install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \
+ ${nginx.webDir} \
+ ${nginx.logDir}
+ '';
+ };
services.nginx = {
enable = true;
stateDir = "/dev/shm/nginx";
#ssl_certificate_key ${x509.key};
'';
log = ''
- access_log ${logDir}/access.log main buffer=32k;
- error_log ${logDir}/error.log warn;
+ access_log ${nginx.logDir}/access.log main buffer=32k;
+ error_log ${nginx.logDir}/error.log warn;
open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
'';
proxy = ''
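Review bot: The new nginx preStart creates `${nginx.webDir}` owned by `${nginx.user}` with mode 0700, which makes the served document root writable by the worker user; a web root is normally root-owned and only readable by the nginx group so that a compromised or misconfigured worker cannot alter or plant served content. Unless something on this host deliberately writes to webDir as nginx, consider `install -D -d -o root -g ${nginx.group} -m 0750 ${nginx.webDir}` and keep the user-owned 0700 only for `${nginx.logDir}`; a short comment on why each directory gets its owner and mode would help the next reader. The `proxy` string opens on the last line of this hunk and continues beyond it.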
{pkgs, lib, config, ...}:
-let inherit (config) networking;
- inherit (config.services) redmine postgresql;
+let inherit (builtins.extraBuiltins) pass;
+ inherit (config) networking;
+ inherit (config.services) redmine postgresql gitolite;
+ redmine_git_hosting_settings = pkgs.writeText "settings.yml" ''
+ ---
+ # Gitolite SSH Config
+ gitolite_user: '${gitolite.user}'
+ gitolite_server_host: 'localhost'
+ gitolite_server_port: '22'
+ #gitolite_ssh_private_key: <%= Rails.root.join('plugins', 'redmine_git_hosting', 'ssh_keys', 'redmine_gitolite_admin_id_rsa') %>
+ #gitolite_ssh_public_key: <%= Rails.root.join('plugins', 'redmine_git_hosting', 'ssh_keys', 'redmine_gitolite_admin_id_rsa.pub') %>
+ gitolite_ssh_private_key: '${redmine.stateDir}/.ssh/id_ed25519'
+ gitolite_ssh_public_key: '${redmine.stateDir}/.ssh/id_ed25519.pub'
+
+ # Gitolite Storage Config
+ gitolite_global_storage_dir: 'repositories/'
+ gitolite_redmine_storage_dir: ""
+ gitolite_recycle_bin_dir: 'recycle_bin/'
+ gitolite_lib_dir: '${pkgs.gitolite}/bin/lib'
+ gitolite_local_code_dir: 'local/'
+
+ # Gitolite Config File
+ gitolite_config_file: 'gitolite.conf'
+ gitolite_identifier_prefix: 'redmine_'
+ gitolite_identifier_strip_user_id: 'false'
+
+ # Gitolite Global Config
+ gitolite_temp_dir: <%= Rails.root.join('tmp', 'redmine_git_hosting') %>
+ gitolite_recycle_bin_expiration_time: '24.0'
+ gitolite_log_level: 'info'
+ git_config_username: 'Redmine Git Hosting'
+ git_config_email: 'redmine@${networking.domain}'
+
+ # Gitolite Hooks Config
+ gitolite_overwrite_existing_hooks: 'true'
+ gitolite_hooks_are_asynchronous: 'false'
+ gitolite_hooks_debug: 'false'
+ gitolite_hooks_url: 'http://localhost:3000'
+
+ # Gitolite Cache Config
+ gitolite_cache_max_time: '86400'
+ gitolite_cache_max_size: '16'
+ gitolite_cache_max_elements: '2000'
+ gitolite_cache_adapter: 'database'
+
+ # Gitolite Access Config
+ ssh_server_domain: 'localhost'
+ http_server_domain: 'localhost'
+ https_server_domain: 'localhost'
+ http_server_subdir: ""
+ show_repositories_url: 'true'
+ gitolite_daemon_by_default: 'false'
+ gitolite_http_by_default: '1'
+
+ # Redmine Config
+ redmine_has_rw_access_on_all_repos: 'true'
+ all_projects_use_git: 'false'
+ init_repositories_on_create: 'false'
+ delete_git_repositories: 'true'
+
+ # This params work together!
+ # When hierarchical_organisation = true unique_repo_identifier MUST be false
+ # When hierarchical_organisation = false unique_repo_identifier MUST be true
+ hierarchical_organisation: 'true'
+ unique_repo_identifier: 'false'
+
+ # Download Revision Config
+ download_revision_enabled: 'true'
+
+ # Git Mailing List Config
+ gitolite_notify_by_default: 'false'
+ gitolite_notify_global_prefix: '[REDMINE]'
+ gitolite_notify_global_sender_address: 'redmine@${networking.domain}'
+ gitolite_notify_global_include: []
+ gitolite_notify_global_exclude: []
+
+ # Sidekiq Config
+ gitolite_use_sidekiq: 'false'
+ '';
in
{
config = {
services = {
redmine = {
enable = true;
+ package = with pkgs.redmine.plugins; pkgs.redmineWithPlugins [
+ #redmine_git_hosting
+ #clipboard_image_paste
+ #redmine_revision_branches
+ ];
database = {
type = "postgresql";
host = "/tmp";
port = postgresql.port;
};
+ config = {
+ "configuration.yml" = lib.mkForce ''
+ default:
+ scm_git_command: ${pkgs.git}/bin/git
+ '';
+ };
};
postgresql = {
users."${redmine.user}" = {
};
};
systemd.services.redmine = {
- environment.REDMINE_LANG = lib.mkForce "fr";
+ path = lib.mkForce [
+ pkgs.gitAndTools.git
+ pkgs.imagemagickBig
+ pkgs.coreutils
+ pkgs.findutils
+ pkgs.gnused
+ /*
+ pkgs.gitolite
+ pkgs.coreutils
+ pkgs.openssh
+ (config.security.wrapperDir + "/..")
+ */
+ ];
+ #environment.REDMINE_LANG = lib.mkForce "fr";
+ /*
+ path = [
+ pkgs.gitolite
+ pkgs.coreutils
+ pkgs.openssh
+ (config.security.wrapperDir + "/..")
+ ];
+ after = [ "keys.target" ];
+ preStart = ''
+ # comply with openssh's strict mode
+ install -D -d -o ${redmine.user} -g ${redmine.group} -m 0700 \
+ ${redmine.stateDir}/.ssh
+ install -o ${redmine.user} -g ${redmine.group} -m 0400 \
+ /run/keys/redmine_git_hosting_id_ed25519 \
+ ${redmine.stateDir}/.ssh/id_ed25519
+ install -o ${redmine.user} -g ${redmine.group} -m 0400 \
+ ${pkgs.writeText "redmine_git_hosting_id_ed25519.pub"
+ (builtins.readFile ../../../sec/var/ssh/redmine_git_hosting/id_ed25519.pub)} \
+ ${redmine.stateDir}/.ssh/id_ed25519.pub
+ install -o ${redmine.user} -g ${redmine.group} -m 0400 \
+ ${pkgs.writeText "config" ''
+ Host localhost
+ PasswordAuthentication no
+ PreferredAuthentications publickey
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
+ ''} \
+ ${redmine.stateDir}/.ssh/config
+
+ # push settings.yml
+ ln -fns ${redmine_git_hosting_settings} \
+ ${redmine.stateDir}/redmine_git_hosting.yml
+ ${redmine.stateDir}/bundle exec rake redmine_git_hosting:update_settings
+ install hooks and parameters
+ ${redmine.stateDir}/bundle exec rake redmine_git_hosting:install_gitolite_hooks
+ '';
+ */
+ };
+ users.users."${redmine.user}" = {
+ extraGroups = [
+ gitolite.group
+ ];
+ };
+ deployment.keys.redmine_git_hosting_id_ed25519 = {
+ text = pass "${networking.domain}/${networking.hostName}/redmine_git_hosting/ssh" + "\n";
+ #destDir = "${redmine.stateDir}/.ssh";
+ #path = "${redmine.stateDir}/.ssh/id_ed25519";
+ user = redmine.user;
+ group = redmine.group;
+ permissions = "0400"; # XXX: not enforced when deployment.storeKeysOnMachine = true
};
- #users.users."${redmine.user}" = {
- # extraGroups = [ "postgres" ];
- #};
+ security.sudo.extraRules = [
+ { users = [ redmine.user ];
+ groups = [ redmine.group ];
+ runAs = gitolite.user;
+ commands = [ { command = "ALL"; options = [ "SETENV" "NOPASSWD" ]; } ];
+ }
+ ];
};
}
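Review bot: The `security.sudo.extraRules` entry grants `redmine.user`, and every member of `redmine.group`, `ALL` commands as `gitolite.user` with `NOPASSWD` and `SETENV`, so a compromise of the Redmine web process becomes full control of the gitolite account and every repository it manages, while the plugin this serves, `redmine_git_hosting`, is commented out in `redmineWithPlugins` along with the preStart, path and `.ssh` setup. The same holds for `deployment.keys.redmine_git_hosting_id_ed25519` and `extraGroups = [ gitolite.group ]`: they are live grants for a disabled feature. Gate them on the plugin actually being in the package list (or drop them until it is), and when it is enabled narrow `command = "ALL"` to the specific commands the plugin runs and drop `SETENV` unless the plugin documents needing it. The author's own `XXX` on `permissions = "0400"` should also be resolved before enabling, since a private key whose mode is not enforced in that deployment mode defeats the point of keeping it out of the store. When the commented-out ssh client config is revived, pin the local host key rather than using `StrictHostKeyChecking no` with `UserKnownHostsFile /dev/null`.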