author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-06-07 10:39:32 +0200 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-06-07 10:46:28 +0200 |
commit | fe7eb4c36dc64616b0c18683fc2f3c941bbb0c81 (patch) | |
tree | 39e25184999a6ee4b1a4e8e75796f190d86d4ab2 | |
parent | pkgs/back: Remove (diff) | |
download | nixos-server-fe7eb4c36dc64616b0c18683fc2f3c941bbb0c81.zip |
modules/git-back: Init with the out-of-tree back
-rw-r--r-- | flake.lock | 64 | ||||
-rw-r--r-- | flake.nix | 11 | ||||
-rw-r--r-- | modules/by-name/ba/back/module.nix | 92 | ||||
-rw-r--r-- | modules/by-name/gi/git-back/module.nix | 41 | ||||
-rw-r--r-- | tests/by-name/ba/back/test.nix | 29 |
5 files changed, 95 insertions, 142 deletions
diff --git a/flake.lock b/flake.lock index 75b1bc4..0edae36 100644 --- a/flake.lock +++ b/flake.lock @@ -25,6 +25,36 @@ "type": "github" } }, + "back": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ], + "systems": [ + "systems" + ], + "treefmt-nix": [ + "treefmt-nix" + ] + }, + "locked": { + "lastModified": 1749285532, + "narHash": "sha256-F3uPg5oVt2h3qIii98C9WiAK0USc8XHftV3rxJASp/o=", + "ref": "prime", + "rev": "0ab592d0ede24460c665db3d3e052aa80fb298f6", + "revCount": 24, + "type": "git", + "url": "https://git.foss-syndicate.org/vhack.eu/git_bug/back" + }, + "original": { + "ref": "prime", + "type": "git", + "url": "https://git.foss-syndicate.org/vhack.eu/git_bug/back" + } + }, "blobs": { "flake": false, "locked": { @@ -259,41 +289,10 @@ "type": "github" } }, - "ragenix": { - "inputs": { - "agenix": [ - "agenix" - ], - "crane": [ - "crane" - ], - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ], - "rust-overlay": [ - "rust-overlay" - ] - }, - "locked": { - "lastModified": 1744897914, - "narHash": "sha256-GIVU92o2TZBnKQXTb76zpQbWR4zjU2rFqWKNIIpXnqA=", - "owner": "yaxitech", - "repo": "ragenix", - "rev": "40f2e17ecaeab4d78ec323e96a04548c0aaa5223", - "type": "github" - }, - "original": { - "owner": "yaxitech", - "repo": "ragenix", - "type": "github" - } - }, "root": { "inputs": { "agenix": "agenix", + "back": "back", "crane": "crane", "deploy-rs": "deploy-rs", "disko": "disko", @@ -303,7 +302,6 @@ "library": "library", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", - "ragenix": "ragenix", "rust-overlay": "rust-overlay", "simple-nixos-mailserver": "simple-nixos-mailserver", "systems": "systems", diff --git a/flake.nix b/flake.nix index 97e5baa..d11bb41 100644 --- a/flake.nix +++ b/flake.nix 
@@ -61,6 +61,15 @@ systems.follows = "systems"; }; }; + back = { + url = "git+https://git.foss-syndicate.org/vhack.eu/git_bug/back?ref=prime"; + inputs = { + nixpkgs.follows = "nixpkgs"; + systems.follows = "systems"; + flake-utils.follows = "flake-utils"; + treefmt-nix.follows = "treefmt-nix"; + }; + }; impermanence = { url = "github:nix-community/impermanence"; inputs = {}; @@ -86,6 +95,7 @@ impermanence, disko, agenix, + back, ... } @ attrs: let system = "x86_64-linux"; @@ -115,6 +125,7 @@ extraModules = [ simple-nixos-mailserver.nixosModule + back.nixosModules.default disko.nixosModules.default impermanence.nixosModules.impermanence agenix.nixosModules.default diff --git a/modules/by-name/ba/back/module.nix b/modules/by-name/ba/back/module.nix deleted file mode 100644 index d47ffce..0000000 --- a/modules/by-name/ba/back/module.nix +++ /dev/null 
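Review bot: The new `back` input in the first hunk tracks the mutable branch `ref=prime`, and the third hunk adds `back.nixosModules.default` to `extraModules`, so code from that repository is evaluated as part of the system configuration (presumably for every host built from this list). The `rev` and `narHash` recorded in flake.lock keep builds pinned, but each lock update pulls in whatever the branch head is at that moment. I would add a comment above the input, `# out-of-tree NixOS module: review the upstream diff before updating this input in flake.lock`, so bumps of this input are reviewed rather than batched in with routine updates.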
@@ -1,92 +0,0 @@
-{
- config,
- lib,
- vhackPackages,
- pkgs,
- ...
-}: let
- cfg = config.vhack.back;
-in {
- options.vhack.back = {
- enable = lib.mkEnableOption "Back issue tracker (inspired by tvix's panettone)";
-
- domain = lib.mkOption {
- type = lib.types.str;
- description = "The domain to host this `back` instance on.";
- };
-
- settings = {
- scan_path = lib.mkOption {
- type = lib.types.path;
- description = "The path to the directory under which all the repositories reside";
- };
- project_list = lib.mkOption {
- type = lib.types.path;
- description = "The path to the `projects.list` file.";
- };
-
- source_code_repository_url = lib.mkOption {
- description = "The url to the source code of this instance of back";
- default = "https://git.foss-syndicate.org/vhack.eu/nixos-server/tree/pkgs/by-name/ba/back";
- type = lib.types.str;
- };
-
- root_url = lib.mkOption {
- type = lib.types.str;
- description = "The url to this instance of back.";
- default = "https://${cfg.domain}";
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.services."back" = {
- description = "Back issue tracking system.";
- requires = ["network-online.target"];
- after = ["network-online.target"];
- wantedBy = ["default.target"];
-
- serviceConfig = {
- ExecStart = "${lib.getExe vhackPackages.back} ${(pkgs.formats.json {}).generate "config.json" cfg.settings}";
-
- # Ensure that the service can read the repository
- # FIXME(@bpeetz): This has the implied assumption, that all the exposed git
- # repositories are readable for the git group. This should not be necessary. <2024-12-23>
- User = "git";
- Group = "git";
-
- DynamicUser = true;
- Restart = "always";
-
- # Sandboxing
- ProtectSystem = "strict";
- ProtectHome = true;
- PrivateTmp = true;
- PrivateDevices = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
- RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- RemoveIPC = true;
- PrivateMounts = true;
- # System Call Filtering
- SystemCallArchitectures = "native";
- SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
- };
- };
- services.nginx.virtualHosts."${cfg.domain}" = {
- locations."/".proxyPass = "http://127.0.0.1:8000";
-
- enableACME = true;
- forceSSL = true;
- };
- };
-}
diff --git a/modules/by-name/gi/git-back/module.nix b/modules/by-name/gi/git-back/module.nix
new file mode 100644
index 0000000..96f4913
--- /dev/null
+++ b/modules/by-name/gi/git-back/module.nix
@@ -0,0 +1,41 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.git-back;
+in {
+ options.vhack.git-back = {
+ enable = lib.mkEnableOption "Back integration into git-server";
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "The domain where to deploy back";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ vhack.back = {
+ enable = true;
+
+ user = "git";
+ group = "git";
+
+ settings = {
+ scan_path = "${config.services.gitolite.dataDir}/repositories";
+ project_list = "${config.services.gitolite.dataDir}/projects.list";
+ root_url = "https://${cfg.domain}";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${cfg.domain}" = {
+ locations."/".proxyPass = "http://127.0.0.1:8000";
+
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+ };
+}
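Review bot: The systemd hardening that the removed in-tree module applied to the `back` service (`ProtectSystem = "strict"`, `MemoryDenyWriteExecute`, `RestrictAddressFamilies`, the `SystemCallFilter` deny list and the rest) no longer appears anywhere in this repository. The new `vhack.back` block sets only `enable`, `user`, `group` and `settings`, so the sandbox of this web-facing service now depends entirely on what the out-of-tree module configures. It is worth confirming that the upstream module keeps equivalent restrictions, and recording that dependency here, for example `# sandboxing comes from the upstream back module; re-check it whenever the flake input is bumped`. The service still runs as `git`, presumably the account that owns the gitolite repositories, but the FIXME documenting that assumption was deleted with the old module and should be carried over next to `user = "git";`. The `proxyPass` target `http://127.0.0.1:8000` also hard-codes a port that nothing in this module sets, so it will silently break if the upstream default changes.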
diff --git a/tests/by-name/ba/back/test.nix b/tests/by-name/ba/back/test.nix
index 85cb611..cce5ede 100644
--- a/tests/by-name/ba/back/test.nix
+++ b/tests/by-name/ba/back/test.nix
@@ -56,14 +56,9 @@ in
 domain = "git.${domain}";
 gitolite.adminPubkey = sshKeys.admin.pub;
 };
- back = {
+ git-back = {
 enable = true;
 domain = "issues.${domain}";
-
- settings = {
- scan_path = "${config.services.gitolite.dataDir}/repositories";
- project_list = "${config.services.gitolite.dataDir}/projects.list";
- };
 };
 };
 };
@@ -152,35 +147,35 @@ in cd alice/repo1 - git bug user create --avatar "" --email "alice@server.org" --name "alice" --non-interactive + git bug user new --avatar "" --email "alice@server.org" --name "alice" --non-interactive - git bug add \ + git bug bug new \ --title "Some bug title" \ --message "A long description of the bug. Probably has some code segments, maybe even *markdown* mark_up_ or other things" \ --non-interactive - git bug add \ + git bug bug new \ --title "Second bug title" \ --message "" \ --non-interactive - git bug add \ + git bug bug new \ --title "Third bug title" \ --message "" \ --non-interactive - git bug select "$(git bug ls --format plain | awk '{print $1}' | head -n 1)" + git bug bug select "$(git bug bug --format plain | awk '{print $1}' | head -n 1)" - git bug comment add --message "Some comment message" --non-interactive - git bug comment add --message "Second comment message" --non-interactive + git bug bug comment new --message "Some comment message" --non-interactive + git bug bug comment new --message "Second comment message" --non-interactive # TODO: This should use `git bug push`, but their ssh implementation is just # too special to work in a VM test <2025-03-08> git push origin +refs/bugs/* git push origin +refs/identities/* - ssh git@${domain} -- config alice/repo1 --add cgit.owner Alice - ssh git@${domain} -- perms alice/repo1 + READERS @all + ssh git@git.${domain} -- config alice/repo1 --add cgit.owner Alice + ssh git@git.${domain} -- perms alice/repo1 + READERS @all ''}") with subtest("back server starts"): 
@@ -190,12 +185,12 @@ in client.succeed("${pkgs.writeShellScript "curl-back" '' set -xe - curl --insecure --fail --show-error "https://issues.${domain}/alice/repo1.git/issues/open" --output /root/issues.html + curl --insecure --fail --show-error "https://issues.${domain}/alice/repo1/issues/?query=status:open" --output /root/issues.html grep -- 'Second bug title' /root/issues.html curl --insecure --fail --show-error "https://issues.${domain}/" --output /root/repos.html grep -- 'repo' /root/repos.html - grep -- "<No description>" /root/repos.html + grep -- "<No description>" /root/repos.html grep -- '<span class="user-name">Alice</span>' /root/repos.html ''} >&2") |