New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/gerrit: init #82137
nixos/gerrit: init #82137
Conversation
good timing, I started writing a Gerrit NixOS module last week. I will take a look and see how both efforts could be merged. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some review comments. Feel free to ignore.
cache.directory = "/var/cache/gerrit"; | ||
}; | ||
|
||
users.users.gerrit = {}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would DynamicUser be possible?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe! I wasn't sure how that would interact with some parts of my target environment, so I haven't tried it yet.
|
||
listenAddress = mkOption { | ||
type = types.str; | ||
default = "0.0.0.0:80"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not entirely sure if exposing http to the internet on port 80 is ever a good idea. Is the intended usage behind some https reverse proxy? Or on an internal net?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It depends on your setup. The machine might be forwarded from an internal or external load-balancer. This is up to the user really.
The default when installing gerrit is *:8080
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've been using this behind an HTTPS reverse proxy. I suppose this should plausibly default to interacting with the ACME module, but I personally prefer to keep the actual TLS keys away from services themselves. My production deployment uses Google Cloud's TLS termination.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- handle secrets.config
- handle config folders like its/jira.config
|
||
cfg = config.services.gerrit; | ||
|
||
cmd = "${pkgs.jre_headless}/bin/java -jar ${cfg.package}/webapps/gerrit-${cfg.package.version}.war"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think of wrapping this into a script and adding it in the systemPackages? With some plugins I found that it's useful to be able to call gerrit init
to set it up and discover the available options.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm into it, I've definitely found it annoying to have to dig the command out of systemctl cat
to check stuff while debugging.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pushed to your PR as 17d73b8
I also added a jvmOpts module option because it because quickly necessary to tune the JVM for larger gerrit instances.
serviceConfig.ExecStartPre = pkgs.writeScript "gerrit-pre" '' | ||
#! ${pkgs.bash}/bin/bash -eu |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a matter of preference
serviceConfig.ExecStartPre = pkgs.writeScript "gerrit-pre" '' | |
#! ${pkgs.bash}/bin/bash -eu | |
serviceConfig.ExecStartPre = pkgs.writeShellScript "gerrit-pre" '' | |
set -euo pipefail |
settingsFile = pkgs.writeText "gerrit.config" '' | ||
${generators.toINI {} cfg.settings} | ||
${generators.toINI { mkSectionName = mkPluginSectionName; } cfg.pluginSettings} | ||
''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I propose to import the git config generator from home-manager into the generators. It's quite close to the INI format but not entirely.
https://github.com/rycee/home-manager/blob/master/modules/programs/git.nix
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would be neat, but this might be a conversation for #75584.
|
||
listenAddress = mkOption { | ||
type = types.str; | ||
default = "0.0.0.0:80"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It depends on your setup. The machine might be forwarded from an internal or external load-balancer. This is up to the user really.
The default when installing gerrit is *:8080
}; | ||
httpd.inheritChannel = "true"; | ||
# TODO(edef): support SSH properly | ||
sshd.listenAddress = "off"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the problem with SSH? Is it because of the socket activation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure how much to integrate host key generation, and it's not particularly usable for me (the underlying SSH implementation lacks support for certificate keys), so I have no strong interest in debugging it. We should probably enable WantedBy=multi-user.target
if SSH is enabled.
* the module option only accepts strings as values * make sure to also remove the plugins when it's a folder
Motivation for this change
Gerrit is available in nixpkgs, but isn't particularly easy to set up.
A number of people have asked me to share and/or upstream the Gerrit NixOS module we're using at @mutable.
This is an early draft, and I'd prefer not to merge this until we've refined it a bit more.
It depends on #75584, so it can't be merged by itself anyway.
Things done
sandbox
innix.conf
on non-NixOS linux)cc @flokli @yorickvP