Diffstat (limited to 'fleet/hosts/kaikou/gerrit.nix')
-rw-r--r-- | fleet/hosts/kaikou/gerrit.nix | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/fleet/hosts/kaikou/gerrit.nix b/fleet/hosts/kaikou/gerrit.nix
new file mode 100644
index 0000000..ff05f2d
--- /dev/null
+++ b/fleet/hosts/kaikou/gerrit.nix
@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ pkgs, ... }:
+
+{
+ services.gerrit = {
+ enable = true;
+ serverId = "f1c53737-3ce4-4b28-9e99-825cacff1cf8";
+
+ # Here we'd set listenAddress to a UNIX socket path, except
+ # Gerrit for some reason does not support listening on them.
+ # TODO(V): Figure out why.
+
+ plugins = [
+ pkgs.gerrit-oauth-provider
+ ];
+
+ settings = {
+ # Proxy through Caddy.
+ httpd.listenUrl = "proxy-https://[::]:8080/";
+ gerrit.canonicalWebUrl = "https://review.unfathomable.blue/";
+
+ # Authenticate with Google.
+ auth.type = "OAUTH";
+ auth.gitBasicAuthPolicy = "HTTP";
+ plugin.gerrit-oauth-provider-google-oauth = {
+ client-id = "196183758720-sjo2ekbchb0ki24gn58g6grbdrj3uoqh.apps.googleusercontent.com";
+ # client-secret is set in /var/lib/gerrit/etc/secure.config.
+ use-email-as-username = true;
+ };
+ };
+ };
+
+ services.caddy.config = ''
+ review.unfathomable.blue {
+ import common
+ # This is to override the stronger policy set in //modules/web.nix.
+ header Content-Security-Policy "script-src https://review.unfathomable.blue/; object-src 'none'"
+ reverse_proxy localhost:8080
+ }
+ '';
+} |
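Review bot: `httpd.listenUrl = "proxy-https://[::]:8080/";` binds Gerrit's plain-HTTP listener on every interface, while the Caddy block in the same hunk only needs to reach it at localhost:8080; unless a firewall elsewhere in the fleet config closes port 8080, the service is reachable directly, bypassing Caddy's TLS termination and the Content-Security-Policy header it adds. The comment above that line already says a UNIX socket was the intent, so a loopback bind is the closest substitute: `httpd.listenUrl = "proxy-https://127.0.0.1:8080/";` paired with `reverse_proxy 127.0.0.1:8080` in the Caddy block, so the two sides cannot drift between IPv4 and IPv6 loopback. If the firewall already blocks 8080 this is only defence in depth, but it is worth doing since the proxy-https scheme makes Gerrit trust forwarded headers from whoever connects. Separately, the CSP override replaces the whole policy from //modules/web.nix (not visible here); if that policy carried directives such as frame-ancestors or base-uri, they are lost on this host rather than merged, and the comment could say which directives were deliberately dropped.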