@pvgoran, thanks for your PR! By analyzing the history of the files in this pull request, we identified @thoughtpolice, @abbradar and @bjornfor to be potential reviewers.

I'm somewhat confused about the desired commit topic format. https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md says I should use nixos/gitolite: <description>, whereas https://nixos.org/nixpkgs/manual says I should use gitolite service: <description>. Or maybe the commit topic should be different from the pull request topic?

I'd love to see some clarification to this. :)

I suggested/added the "nixos/<thing>" to CONTRIBUTING.md some weeks ago. I didn't know that information was also in the manual :-/ The manual should be updated.

I updated the Nixpkgs manual on master (56a047c) and release-17.09 (dcb66ca).

Thank you!

Cool! I didn't know that it was possible to append things to .gitolite.rc like that. So far I've been maintaining mine manually.

I know very little perl. Does this method allow customizing/overriding everything in .gitolite.rc? As in, here are no drawbacks by this "append" style of manipulating the config file?

Having multiple

# per perl rules, this should be the last line in such a file:
1;

sections in the file is OK etc.?

So with this PR, .gitolite.rc will be fully declarative. But still the file will be writeable, only to be overwritten on every service start. Could we instead make .gitolite.rc a symlink to /nix/store/...-gitolite.rc?

Does this method allow customizing/overriding everything in .gitolite.rc?

It should be possible to customize everything, but it would require some Perl knowledge. (For example, removing items from a list is a bit more complex than adding them.)

As in, here are no drawbacks by this "append" style of manipulating the config file?

Well, if the structure of the configuration defined in the (default) .gitolite.rc changes, then the overrides may stop working. Other than that, I think it's safe.

Having multiple (...) sections in the file is OK etc.?

Yes. They are just expressions; the last expression in the file determines its return value, which should be non-zero.

But still the file will be writeable, only to be overwritten on every service start. Could we instead make .gitolite.rc a symlink to /nix/store/...-gitolite.rc?

I don't know a proper way of implementing it. Can we run gitolite print-default-rc during the configuration build, and save the result in the store? I have a feeling this would be much more difficult than my current implementation.

Sounds good!

You can make a gitolite.rc file in the Nix store like this:

with import <nixpkgs> {};

runCommand "gitolite.rc" {}
  ''
    export HOME=gitolite-home
    mkdir -p gitolite-home/.gitolite/logs
    ${gitolite}/bin/gitolite print-default-rc > "$out"

    cat << EOF >> "$out"

    # extraGitoliteRc stuff
    EOF
  ''

If gitolite works with .gitolite.rc being a symlink to this nix store file, I think that's preferable. It gives a much stronger signal that the file is managed declaratively.

Perhaps we should think about the upgrade path too. For users already having a .gitolite.rc (like me), it's not so nice to just blow it away.

How about this. Assuming the symlink to nix store thing works, we can have the gitolite service check the type of the .gitolite.rc file. If it's a plain file, abort the service with message like

"""Since NixOS 17.09, .gitolite.rc is managed declaratively and customizations must be done with the services.gitolite.extraGitoliteRc option. You currently have a .gitolite.rc file that is not managed by NixOS. Please take any customizations you may have in .gitolite.rc and move them to the new extraGitoliteRc option. Then remove ${datadir}/.gitolite.rc to allow NixOS to manage the file for you."""

If the .gitolite.rc file is a symlink, we check if it points to the /nix/store. If it does, find then we replace it with a symlink to the new file. If it's a symlink but not pointing to /nix/store, abort with the same message as above. (Or print a warning instead of aborting?)

Thoughts?

You can make a gitolite.rc file in the Nix store like this:

So, runCommand generates the filename for the script output, passes this filename as $out (shell variable) to the script, and then places the resulting file to the Nix store and finally returns the path of the saved file? Is this correct?

Also, what makes it possible to create gitolite-home in your example and not care about it afterwards? Is this script run in some kind of temporary directory that gets wiped once it's completed?

If gitolite works with .gitolite.rc being a symlink to this nix store file, I think that's preferable. It gives a much stronger signal that the file is managed declaratively.

I assume it does. At least, gitolite's documentation mentions this as a possible approach (see below).

Thoughts?

This looks good to me. I don't think the script should abort if a "legacy" .gitolite.rc is found; a warning message would be better. Speaking of which, does systemd have some kind of special commands for the services to issue warnings?

Also, users may have valid reasons not to manage .gitolite.rc via NixOS configuration. For example, they may symlink it to a file inside the gitolite-admin repository, to manage the configuration via git. gitolite documentation describes this setup, although it isn't recommended. For such users, I would add an additional option, something like manageGitoliteRc with a default of true, which would give a choice to leave the file alone and not issue warnings.

So, runCommand generates the filename [...]

Correct.

Also, what makes it possible to create gitolite-home in your example and not care about it afterwards?

It seems gitolite just needs a place to store log files. I would be surprised if the files will be needed afterwards. I found out this by trial and error. I didn't find flag to disable logging to file.

Is this script run in some kind of temporary directory that gets wiped once it's completed?

Correct. That directory will be created in the temporary build directory of the derivation (typically /tmp/nix-build-* something, IIRC).

does systemd have some kind of special commands for the services to issue warnings?

You can prefix messages with a number in angle brackets, indicating severity level. echo "<3>this is an error message". Also, I think I've seen a service making "systemctl status theservice" show a dedicated "Status: " field, but I don't know how that's implemented. I think echoing a message with severity level is fine.

Also, users may have valid reasons not to manage .gitolite.rc via NixOS configuration. For example, they may symlink it to a file inside the gitolite-admin repository, to manage the configuration via git. gitolite documentation describes this setup, although it isn't recommended. For such users, I would add an additional option, something like manageGitoliteRc with a default of true, which would give a choice to leave the file alone and not issue warnings.

Good idea.

What is the proper procedure for changing the pull request? Should I just add another commit to the branch, or replace/amend the commit and force-push the branch?

Amend and force push.

I think I addressed everything with the new commit. Here are (somewhat long) list of concerns I have with relation to this code:

1. I'm not sure that additional explanations in description of extraGitoliteRc are necessary.

2. How do I properly add an assert to the module definition, to ensure that module options are compatible? I wanted to add assert (cfg.manageGitoliteRc || cfg.extraGitoliteRc == ""); to the definition of config after mkIf cfg.enable, but it resulted in infinite recursion. Currently this assert is in the definition of systemd.services."gitolite-init", which looks quite unnatural (it isn't about the gitolite-init service, it's about the entire module), but at least it works. Is there a better way? Is it possible to attach a error message to the assert?

3. I'm confused by the way systemd's journal is shown. In my terminal (110 characters width), when the gitolite-init service issues the warning that I added, almost half of the terminal width is occupied with auxilary information, so I only see 50 characters for the actual message:

Sep 14 19:49:06 nixos gitolite-init-start[14074]: Alternatively, you can set services.gitolite.manageGitoliteR

I can use the right arrow key to see the remainder of overlong lines, but it's very hard to read the log if I have to scroll the screen left and right for each line I read.

For now, I limited the width of message lines to ~50 characters so that they would fit in my terminal, but this is obviously non-optimal: (1) this way, the message takes 11 lines which seems too much, (2) users will have different terminal width, for some 50-character lines will be too long, for some they will be too short. Unless I'm missing something and there is a better way to access systemd logs, it looks like I can't format the warning message in a way that would be convenient for most users. Do you have any recommendation of what to do here?

I'm not sure that additional explanations in description of extraGitoliteRc are necessary.

I think it's fine.

How do I properly add an assert to the module definition, to ensure that module options are compatible? I wanted to add assert (cfg.manageGitoliteRc || cfg.extraGitoliteRc == ""); to the definition of config after mkIf cfg.enable, but it resulted in infinite recursion. Currently this assert is in the definition of systemd.services."gitolite-init", which looks quite unnatural (it isn't about the gitolite-init service, it's about the entire module), but at least it works. Is there a better way? Is it possible to attach a error message to the assert?

Example NixOS assert:
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-servers/lighttpd/default.nix#L212..L223

I'm confused by the way systemd's journal is shown. In my terminal (110 characters width), when the gitolite-init service issues the warning that I added, almost half of the terminal width is occupied with auxilary information, so I only see 50 characters for the actual message:
[...]
Unless I'm missing something and there is a better way to access systemd logs, it looks like I can't format the warning message in a way that would be convenient for most users. Do you have any recommendation of what to do here?

Perhaps reduce the size of the message. Maybe instead of having a large message, simply point users to "man configuration.nix" and the "manageGitoliteRc" option?

Example NixOS assert:
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-servers/lighttpd/default.nix#L212..L223

Great! This is exactly what I was looking for. (Provided that it works in this case.)

Perhaps reduce the size of the message. Maybe instead of having a large message, simply point users to "man configuration.nix" and the "manageGitoliteRc" option?

This may work. I'll think about it.

I'll update the PR once more.

Now everything seems to be in order.

I also updated the commit/PR topic and description. Not sure if I should have added backticks to the commit description (github doesn't interpret them), but it's a small thing.

For now, I got rid of extra variables for rcDirScript, and raised the log level to 3 for the initialization script warning.

@bjornfor Sorry, I still don't understand the upgrade strategy you have in mind.

1. Don't do a breaking change now, and do it on 18.03 instead? To me, this looks just as unacceptable as doing a breaking change now. (Users are not guaranteed to notice the new options/functionality until a breaking change is made. Also, users can upgrade right from 17.03 to 18.03.)

2. Don't set manageGitoliteRc to true by default now, and do it on 18.03 instead, while keeping (now and in the future) the current "soft" (warning-only) reaction to conflict between user's .gitolite.rc and manageGitoliteRc=true? I don't see what good can be achieved this way.

3. Something other?

Don't do a breaking change now, and do it on 18.03 instead? To me, this looks just as unacceptable as doing a breaking change now. (Users are not guaranteed to notice the new options/functionality until a breaking change is made. Also, users can upgrade right from 17.03 to 18.03.)

Reasoning:

• I think it's more likely that users upgrade to every stable NixOS release than skip some.
• If users upgrade now, and read the release notes(?) they have 6 months to decide what to do with the manageGitoliteRc option.
• In 6 months we may even decide that leaving the manageGitoliteRc option default off is fine. For instance, users.mutableUsers still defaults to true. (I'm guessing it'll change in the future, but for now that too defaults to "same as before, impure".)

Don't set manageGitoliteRc to true by default now, and do it on 18.03 instead, while keeping (now and in the future) the current "soft" (warning-only) reaction to conflict between user's .gitolite.rc and manageGitoliteRc=true? I don't see what good can be achieved this way.

No, I don't think that's a good idea.

Possible exception: if there was a way to differentiate between a config having the NixOS default AND explicitly setting the option to true/false in own config. I.e., if we could gently "push" users to make a choice. But I don't think that's possible.

My strong opinion is that we can't do changes that will break users' installations "by default" (without them doing anything other than upgrading), no matter how far in the future. (Unless it can't be avoided, or we're talking about something really prominent and important for everyone, like mutableUsers you mentioned. Clearly we don't have this case here.) As a user I would really dislike to see such behaviour.

if there was a way to differentiate between a config having the NixOS default AND explicitly setting the option to true/false in own config (...) But I don't think that's possible.

This is possible (unless I misunderstand you here): I can make the manageGitoliteRc option tri-state by using the type types.nullOr types.bool. By default it would be null (the user didn't make a choice), and it can be explicitly set to either true or false.

With this, we can have a broader array of behaviour in case there are custom modifications. For example, if manageGitoliteRc is explicitly set to true or extraGitoliteRc is specified, then error out of the initialization script; if manageGitoliteRc is not set, then just issue a warning and continue without overwriting user's customizations or breaking his installation.

In case of no custom modifications, the .gitolite.rc file would be replaced with a NixOS-managed symlink by default (that is, unless manageGitoliteRc is explicitly set to false).

An alternative variant would be to let effectiveManageGitoliteRc = (cfg.manageGitoliteRc == true || cfg.extraGitoliteRc != "") and use this value to decide whether we manage the file or not. This way, we can have an error if there is a conflict between declarative options and customizations in the file, without breaking existing installations by default. It's also simpler than the variant above. However, this way we will never have .gitolite.rc managed by default, and the users will not get any notification/warning about the new declarative options.

I just noticed I had written the exact opposite of what I meant, in the review status. Based on the context I obviously meant to suggest that manageGitoliteRc is set to FALSE by default, so that we DON'T break existing users setup. (Sorry for the confusion.)

Good point about the tristate option.

I'd prefer to just make a minimum implementation now for NixOS 17.09. That is, boolean manageGitoliteRc defaulting to false. Deciding on upgrade path can be done later (if at all needed).

What do you think?

In fact, if manageGitoliteRc is false by default, this option becomes redundant. We can just manage the file if extraGitoliteRc is specified, and not manage the file if extraGitoliteRc is not specified. The only useful application of manageGitoliteRc would be to silence the warning and/or to allow to keep the legacy behaviour, by explicitly setting it to false.

I'd prefer to just make a minimum implementation now for NixOS 17.09.

This makes sense. So, if you don't think that the currently implemented approach (manageGitoliteRc enabled by default, with a warning in case of conflict) is appropriate, I'll remove this option as per my previous comment.

Yes, please remove manageGitoliterc option for now.

Done.

@pvgoran: Tested and ready to go? If so, then I'll add it to master and backport to release-17.09.

Thanks for writing such good documentation in the NixOS option!

Tested and ready to go?

Yes, and I just tested it again.

@pvgoran: Git author is "Someone someone@localhost". Sure you don't want something else here?

Or maybe someone else? (I'll show myself out...)

Ok, I resolved my identity crisis with a new commit. :)

Pushed to master (c73a381) and cherry-pick'ed to release-17.09 (5b1d686). Thank you!