From b7a18bdfb9e2453684a766f7f0f611ebbc0cf1ba Mon Sep 17 00:00:00 2001
From: V
Date: Wed, 11 May 2022 14:04:31 +0200
Subject: fleet/hosts/kaikou: add skeleton Gerrit config
Change-Id: Ibf68b5b4d7377ea5863315ffd5b6ed24c2874961
---
 fleet/hosts/kaikou/default.nix | 4 +++
 fleet/hosts/kaikou/gerrit.nix | 43 ++++++++++++++++++++++++++++
 fleet/modules/web.nix | 1 +
 fleet/pkgs/gerrit-oauth-provider/default.nix | 9 ++++++
 fleet/pkgs/overlay.nix | 1 +
 5 files changed, 58 insertions(+)
 create mode 100644 fleet/hosts/kaikou/gerrit.nix
 create mode 100644 fleet/pkgs/gerrit-oauth-provider/default.nix
(limited to 'fleet')
diff --git a/fleet/hosts/kaikou/default.nix b/fleet/hosts/kaikou/default.nix
index 4a5a597..f870204 100644
--- a/fleet/hosts/kaikou/default.nix
+++ b/fleet/hosts/kaikou/default.nix
@@ -6,6 +6,10 @@ with lib;
 {
+ imports = [
+ ./gerrit.nix
+ ];
+
 boot.initrd.network.ssh.authorizedKeys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBvqWpDsDNMpyWfJNGvO/G8e56RJti9T/cBz01pErpjw v@january"
 "cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCvb/7ojfcbKvHIyjnrNUOOgzy44tCkgXY9HLuyFta1jQOE9pFIK19B4dR9bOglPKf145CCL0mSFJNNqmNwwavU2uRn+TQrW+U1dQAk8Gt+gh3O49YE854hwwyMU+xD6bIuUdfxPr+r5al/Ov5Km28ZMlHOs3FoAP0hInK+eAibioxL5rVJOtgicrOVCkGoXEgnuG+LRbOYTwzdClhRUxiPjK8alCbcJQ53AeZHO4G6w9wTr+W5ILCfvW4OmUXCX01sKzaBiQuuFCF6M/H4LlnsPWLMra2twXxkOIhZblwC+lncps9lQaUgiD4koZeOCORvHW00G0L39ilFbbnVcL6Itp/m8RRWm/xRxS4RMnsdV/AhvpRLrhL3lfQ7E2oCeSM36v1S9rdg6a47zcnpL+ahG76Gz39Y7KmVRQciNx7ezbwxj3Q5lZtFykgdfGIAN+bT8ijXMO6m68g60i9Bz4IoMZGkiJGqMYLTxMQ+oRgR3Ro5lbj7E11YBHyeimoBYXYGHMkiuxopQZ7lIj3plxIzhmUlXJBA4jMw9KGHdYaLhaicIYhvQmCTAjrkt2HvxEe6lU8iws2Qv+pB6tAGundN36RVVWAckeQPZ4ZsgDP8V2FfibZ1nsrQ+zBKqaslYMAHs01Cf0Hm0PnCqagf230xaobu0iooNuXx44QKoDnB+w== openpgp:0x803010E7"
diff --git a/fleet/hosts/kaikou/gerrit.nix b/fleet/hosts/kaikou/gerrit.nix
new file mode 100644
index 0000000..ff05f2d
--- /dev/null
+++ b/fleet/hosts/kaikou/gerrit.nix
@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: V
+# SPDX-License-Identifier: OSL-3.0
+
+{ pkgs, ... }:
+
+{
+ services.gerrit = {
+ enable = true;
+ serverId = "f1c53737-3ce4-4b28-9e99-825cacff1cf8";
+
+ # Here we'd set listenAddress to a UNIX socket path, except
+ # Gerrit for some reason does not support listening on them.
+ # TODO(V): Figure out why.
+
+ plugins = [
+ pkgs.gerrit-oauth-provider
+ ];
+
+ settings = {
+ # Proxy through Caddy.
+ httpd.listenUrl = "proxy-https://[::]:8080/";
+ gerrit.canonicalWebUrl = "https://review.unfathomable.blue/";
+
+ # Authenticate with Google.
+ auth.type = "OAUTH";
+ auth.gitBasicAuthPolicy = "HTTP";
+ plugin.gerrit-oauth-provider-google-oauth = {
+ client-id = "196183758720-sjo2ekbchb0ki24gn58g6grbdrj3uoqh.apps.googleusercontent.com";
+ # client-secret is set in /var/lib/gerrit/etc/secure.config.
+ use-email-as-username = true;
+ };
+ };
+ };
+
+ services.caddy.config = ''
+ review.unfathomable.blue {
+ import common
+ # This is to override the stronger policy set in //modules/web.nix.
+ header Content-Security-Policy "script-src https://review.unfathomable.blue/; object-src 'none'"
+ reverse_proxy localhost:8080
+ }
+ '';
+}
diff --git a/fleet/modules/web.nix b/fleet/modules/web.nix
index 709b1e4..97b67ca 100644
--- a/fleet/modules/web.nix
+++ b/fleet/modules/web.nix
@@ -28,6 +28,7 @@
 header {
 Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+ # TODO(V): Consider relaxing this a bit. Disabling JavaScript is bound to result in subtle breakage.
 Content-Security-Policy "script-src 'none'; object-src 'none'"
 Permissions-Policy "interest-cohort=()"
 X-Clacks-Overhead "GNU Terry Pratchett"
diff --git a/fleet/pkgs/gerrit-oauth-provider/default.nix b/fleet/pkgs/gerrit-oauth-provider/default.nix
new file mode 100644
index 0000000..3c21208
--- /dev/null
+++ b/fleet/pkgs/gerrit-oauth-provider/default.nix
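Review bot: `httpd.listenUrl = "proxy-https://[::]:8080/"` binds Gerrit's plain-HTTP listener on every interface, while the Caddy block in the same file only ever proxies to `localhost:8080`, so any peer that can reach port 8080 directly gets Gerrit without TLS and without the Content-Security-Policy header that Caddy adds. Because the proxy-* scheme exists to tell Gerrit it sits behind a trusted reverse proxy, a direct client on that port would presumably be treated as if it had come through Caddy, which is worth confirming; whether the host firewall closes 8080 is not visible in this hunk. Confining the listener to the loopback the proxy actually uses, `httpd.listenUrl = "proxy-https://[::1]:8080/";` (or `127.0.0.1`, matching whatever `localhost` resolves to for Caddy), removes the question. The existing comment explains why a UNIX socket is not used but not why the fallback is a wildcard address rather than loopback; a one-line note there would help.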
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: V
+# SPDX-License-Identifier: OSL-3.0
+
+{ fetchurl }:
+
+fetchurl {
+ url = "https://github.com/davido/gerrit-oauth-provider/releases/download/v3.5.1/gerrit-oauth-provider.jar";
+ sha256 = "0sfw5bcrzm3r7dmaljl04vflld0i9km9b7r8kbw1bb2lqjac8b9i";
+}
diff --git a/fleet/pkgs/overlay.nix b/fleet/pkgs/overlay.nix
index 30ce110..49cc524 100644
--- a/fleet/pkgs/overlay.nix
+++ b/fleet/pkgs/overlay.nix
@@ -4,6 +4,7 @@ final: prev: {
 cgiserver = final.callPackage ./cgiserver {};
 declarative-git-repository = final.callPackage ./declarative-git-repository {};
+ gerrit-oauth-provider = final.callPackage ./gerrit-oauth-provider {};
 naersk = final.callPackage (import ../nix/sources.nix {}).naersk {};
 naut = final.callPackage ./naut {};
 public-inbox = final.perlPackages.callPackage ./public-inbox {};
-- 
cgit 1.4.1
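Review bot: The plugin is a pre-built jar taken from a personal GitHub release (`davido/gerrit-oauth-provider`), and the `sha256` on the next line is the only integrity check on code that gets loaded into Gerrit's JVM; nothing records how that hash was obtained or whether the artifact was compared against anything else. A short comment above `fetchurl` stating where the hash came from (computed from a locally built jar, or copied from the release page) would let the next bump be verified the same way. Factoring the version out, `let version = "3.5.1"; in` above `fetchurl` with `url = "https://github.com/davido/gerrit-oauth-provider/releases/download/v${version}/gerrit-oauth-provider.jar";`, would also keep the version in one place when it is bumped.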