nixos/gerrit: init #82137
nixos/gerrit: init #82137
Conversation
|
good timing, I started writing a Gerrit NixOS module last week. I will take a look and see how both efforts could be merged. |
| cache.directory = "/var/cache/gerrit"; | ||
| }; | ||
|
|
||
| users.users.gerrit = {}; |
There was a problem hiding this comment.
Would DynamicUser be possible?
There was a problem hiding this comment.
Maybe! I wasn't sure how that would interact with some parts of my target environment, so I haven't tried it yet.
|
|
||
| listenAddress = mkOption { | ||
| type = types.str; | ||
| default = "0.0.0.0:80"; |
There was a problem hiding this comment.
I'm not entirely sure if exposing http to the internet on port 80 is ever a good idea. Is the intended usage behind some https reverse proxy? Or on an internal net?
There was a problem hiding this comment.
It depends on your setup. The machine might be forwarded from an internal or external load-balancer. This is up to the user really.
The default when installing gerrit is *:8080
There was a problem hiding this comment.
I've been using this behind an HTTPS reverse proxy. I suppose this should plausibly default to interacting with the ACME module, but I personally prefer to keep the actual TLS keys away from services themselves. My production deployment uses Google Cloud's TLS termination.
|
|
||
| cfg = config.services.gerrit; | ||
|
|
||
| cmd = "${pkgs.jre_headless}/bin/java -jar ${cfg.package}/webapps/gerrit-${cfg.package.version}.war"; |
There was a problem hiding this comment.
What do you think of wrapping this into a script and adding it in the systemPackages? With some plugins I found that it's useful to be able to call gerrit init to set it up and discover the available options.
There was a problem hiding this comment.
I'm into it, I've definitely found it annoying to have to dig the command out of systemctl cat to check stuff while debugging.
There was a problem hiding this comment.
pushed to your PR as 17d73b8
I also added a jvmOpts module option because it because quickly necessary to tune the JVM for larger gerrit instances.
| serviceConfig.ExecStartPre = pkgs.writeScript "gerrit-pre" '' | ||
| #! ${pkgs.bash}/bin/bash -eu |
There was a problem hiding this comment.
a matter of preference
| serviceConfig.ExecStartPre = pkgs.writeScript "gerrit-pre" '' | |
| #! ${pkgs.bash}/bin/bash -eu | |
| serviceConfig.ExecStartPre = pkgs.writeShellScript "gerrit-pre" '' | |
| set -euo pipefail |
| settingsFile = pkgs.writeText "gerrit.config" '' | ||
| ${generators.toINI {} cfg.settings} | ||
| ${generators.toINI { mkSectionName = mkPluginSectionName; } cfg.pluginSettings} | ||
| ''; |
There was a problem hiding this comment.
I propose to import the git config generator from home-manager into the generators. It's quite close to the INI format but not entirely.
https://github.com/rycee/home-manager/blob/master/modules/programs/git.nix
There was a problem hiding this comment.
That would be neat, but this might be a conversation for #75584.
|
|
||
| listenAddress = mkOption { | ||
| type = types.str; | ||
| default = "0.0.0.0:80"; |
There was a problem hiding this comment.
It depends on your setup. The machine might be forwarded from an internal or external load-balancer. This is up to the user really.
The default when installing gerrit is *:8080
| }; | ||
| httpd.inheritChannel = "true"; | ||
| # TODO(edef): support SSH properly | ||
| sshd.listenAddress = "off"; |
There was a problem hiding this comment.
What is the problem with SSH? Is it because of the socket activation?
There was a problem hiding this comment.
I'm not sure how much to integrate host key generation, and it's not particularly usable for me (the underlying SSH implementation lacks support for certificate keys), so I have no strong interest in debugging it. We should probably enable WantedBy=multi-user.target if SSH is enabled.
* the module option only accepts strings as values * make sure to also remove the plugins when it's a folder
Motivation for this change
Gerrit is available in nixpkgs, but isn't particularly easy to set up.
A number of people have asked me to share and/or upstream the Gerrit NixOS module we're using at @mutable.
This is an early draft, and I'd prefer not to merge this until we've refined it a bit more.
It depends on #75584, so it can't be merged by itself anyway.
Things done
sandboxinnix.confon non-NixOS linux)cc @flokli @yorickvP