Diffstat (limited to 'fleet/hosts/kaikou/gerrit.nix')
-rw-r--r--fleet/hosts/kaikou/gerrit.nix43
1 files changed, 43 insertions, 0 deletions
diff --git a/fleet/hosts/kaikou/gerrit.nix b/fleet/hosts/kaikou/gerrit.nix
new file mode 100644
index 0000000..ff05f2d
--- /dev/null
+++ b/fleet/hosts/kaikou/gerrit.nix
@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ pkgs, ... }:
+
+{
+  services.gerrit = {
+    enable = true;
+    serverId = "f1c53737-3ce4-4b28-9e99-825cacff1cf8";
+
+    # Here we'd set listenAddress to a UNIX socket path, except
+    # Gerrit for some reason does not support listening on them.
+    # TODO(V): Figure out why.
+
+    plugins = [
+      pkgs.gerrit-oauth-provider
+    ];
+
+    settings = {
+      # Proxy through Caddy.
+      httpd.listenUrl = "proxy-https://[::]:8080/";
+      gerrit.canonicalWebUrl = "https://review.unfathomable.blue/";
+
+      # Authenticate with Google.
+      auth.type = "OAUTH";
+      auth.gitBasicAuthPolicy = "HTTP";
+      plugin.gerrit-oauth-provider-google-oauth = {
+        client-id = "196183758720-sjo2ekbchb0ki24gn58g6grbdrj3uoqh.apps.googleusercontent.com";
+        # client-secret is set in /var/lib/gerrit/etc/secure.config.
+        use-email-as-username = true;
+      };
+    };
+  };
+
+  services.caddy.config = ''
+    review.unfathomable.blue {
+      import common
+      # This is to override the stronger policy set in //modules/web.nix.
+      header Content-Security-Policy "script-src https://review.unfathomable.blue/; object-src 'none'"
+      reverse_proxy localhost:8080
+    }
+  '';
+}
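Review bot: `httpd.listenUrl = "proxy-https://[::]:8080/"` at line 36 binds Gerrit on every interface, while the Caddy block only forwards to `localhost:8080`; anyone who can reach the host on port 8080 directly gets the plaintext listener and skips the TLS termination and the Content-Security-Policy header that Caddy adds. Unless a host firewall not shown in this file closes 8080, the listener should be restricted to loopback, e.g. `httpd.listenUrl = "proxy-https://127.0.0.1:8080/";` with the matching `reverse_proxy 127.0.0.1:8080` in the Caddy site, so the only path to Gerrit is through the proxy. A short comment next to the listenUrl line, such as `# Loopback only: Gerrit must not be reachable except through Caddy.`, would make the intent explicit alongside the existing note about UNIX sockets.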