cbaines pushed a commit to branch master
in repository maintenance.

commit 63711fc140afea9bdcda4f3be3d1e606471a9bbd
Author: Christopher Baines <[email protected]>
AuthorDate: Wed Sep 11 12:17:36 2024 +0100

    hydra: bayfront: Add git.qa.guix.gnu.org.
    
    Replacing git.guix-patches.cbaines.net, which QA has been using until
    now.
    
    * hydra/bayfront.scm (%certbot-configuration): Add git.qa.guix.gnu.org
    to the qa.guix.gnu.org certificate.
    (%git.qa.guix.gnu.org-cgit-configuration-nginx): New variable.
    <services>: Add gitolite, cgit, fcgiwrap and an extra special file.
---
 hydra/bayfront.scm | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 100 insertions(+), 3 deletions(-)

diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index 9b3d8d9b..30b9c21f 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -14,9 +14,10 @@
              (sysadmin dns) (sysadmin web) (sysadmin nginx)
              (ice-9 match))
 (use-service-modules admin avahi base certbot databases dns linux
-                     monitoring networking shepherd ssh vpn web mcron guix)
+                     monitoring networking shepherd ssh vpn web mcron guix
+                     version-control cgit)
 (use-package-modules admin certs ci databases linux ssh tls vim
-                     package-management rsync web wget)
+                     package-management rsync web wget version-control)
 
 (include "website.scm")
 
@@ -75,7 +76,8 @@
            (domains '("10years.guix.gnu.org"))
            (deploy-hook %nginx-deploy-hook))
           (certificate-configuration
-           (domains '("qa.guix.gnu.org"))
+           (domains '("qa.guix.gnu.org"
+                      "git.qa.guix.gnu.org"))
            (deploy-hook %nginx-deploy-hook))
           (certificate-configuration
            (domains '("coordinator.bordeaux.guix.gnu.org"))
@@ -988,6 +990,52 @@ add_header Content-Type text/plain;")))
                "gzip_static always;"
                "gunzip on;"))))))))
 
+(define %git.qa.guix.gnu.org-cgit-configuration-nginx
+  (list
+   (nginx-server-configuration
+    (server-name '("git.qa.guix.gnu.org"))
+    (listen '("80" "[::]:80"))
+    (locations
+     (list
+      (nginx-location-configuration
+       (uri "^~ /.well-known/acme-challenge/")
+       (body '("root /srv/http/qa.guix.gnu.org;")))
+      (nginx-location-configuration
+       (uri "= /.well-known/acme-challenge/")
+       (body '("return 404;")))
+      (nginx-location-configuration
+       (uri "/")
+       (body '("return 301 https://git.qa.guix.gnu.org$request_uri;";))))))
+   (nginx-server-configuration
+    (server-name '("git.qa.guix.gnu.org"))
+    (listen '("443 ssl" "[::]:443 ssl"))
+    (root cgit)
+    (locations
+     (list
+      (let ((base
+             (git-http-nginx-location-configuration
+              (git-http-configuration
+               (git-root "/var/lib/gitolite/repositories")))))
+        ;; Workaround the broken safe.directory thing in Git by giving
+        ;; it a system config file
+        (nginx-location-configuration
+         (uri (nginx-location-configuration-uri base))
+         (body
+          `(,@(nginx-location-configuration-body base)
+            "fastcgi_param GIT_CONFIG_SYSTEM \"/etc/gitconfig\";"))))
+      (nginx-location-configuration
+       (uri "@cgit")
+       (body '("fastcgi_param SCRIPT_FILENAME 
$document_root/lib/cgit/cgit.cgi;"
+               "fastcgi_param PATH_INFO $uri;"
+               "fastcgi_param QUERY_STRING $args;"
+               "fastcgi_param HTTP_HOST $server_name;"
+               "fastcgi_pass 127.0.0.1:9000;")))))
+    (try-files (list "$uri" "@cgit"))
+    (ssl-certificate
+     "/etc/letsencrypt/live/qa.guix.gnu.org/fullchain.pem")
+    (ssl-certificate-key
+     "/etc/letsencrypt/live/qa.guix.gnu.org/privkey.pem"))))
+
 (define %packages.guix.gnu.org-nginx-servers
   (list
    (nginx-server-configuration
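Review bot: The `@cgit` location hands requests to `fastcgi_pass 127.0.0.1:9000;`, a loopback TCP port that any local process on the host can connect to, and fcgiwrap does not authenticate its clients. The fcgiwrap service added later in this commit runs in group `git`, so the listener presumably has read access to the gitolite repositories created with umask 0027. Consider a Unix socket whose permissions admit only nginx: `(socket "unix:/PATH/TO/fcgiwrap.sock")` in fcgiwrap-configuration (placeholder path), `fastcgi_pass unix:/PATH/TO/fcgiwrap.sock;` here, and the matching `fcgiwrap-uri` in git-http-configuration. Separately, the comment above the git-http location could say why the system config file is needed rather than only calling safe.directory broken.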
@@ -1584,6 +1632,55 @@ add_header Content-Type text/plain;")))
                           "#bootstrappable"
                           "#ocapn" "#spritely"))))
 
+    (service gitolite-service-type
+             (gitolite-configuration
+              (admin-pubkey (local-file "keys/ssh/bayfront.pub"))
+              (rc-file
+               (gitolite-rc-file
+                (umask #o0027)
+                (enable
+                 '("help"
+                   "desc"
+                   "info"
+                   "perms"
+                   "writable"
+                   "ssh-authkeys"
+                   "git-config"
+                   "daemon"
+                   "gitweb"
+                   "cgit"
+                   "update-gitweb-access-list"))))))
+
+    (service
+     cgit-service-type
+     (cgit-configuration
+      (enable-git-config? #t)
+      (repository-directory "/var/lib/gitolite/repositories")
+      (project-list "/var/lib/gitolite/projects.list")
+      (root-title "Guix Patches")
+      (root-desc "Git Repositories")
+      (clone-url '("https://git.qa.guix.gnu.org/git/$CGIT_REPO_URL";
+                   "[email protected]:$CGIT_REPO_URL"))
+      (max-repo-count 100)
+      (snapshots '("tar" "tar.gz"))
+      (remove-suffix? #t)
+      (enable-index-owner? #f)
+      (enable-index-links? #t)
+      (enable-commit-graph? #t)
+      (nginx %git.qa.guix.gnu.org-cgit-configuration-nginx)))
+
+    (service fcgiwrap-service-type
+             (fcgiwrap-configuration
+              (group "git")))
+
+    ;; Workaround the broken Git behaviour
+    (extra-special-file "/etc/gitconfig"
+                        (plain-file
+                         "gitconfig"
+                         "[safe]
+        directory = *
+"))
+
     (service qa-frontpage-service-type
              (qa-frontpage-configuration
               (submit-builds? #t)
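Review bot: `directory = *` in the /etc/gitconfig special file switches off Git's repository-ownership check for every path, for any Git process that reads this file, which is broader than the gitolite tree this commit serves. That check exists so Git does not act on configuration and hooks from a repository owned by a different user; here it presumably trips because fcgiwrap does not run as the owner of the repositories. Consider narrowing it to `directory = /var/lib/gitolite/repositories/*` (the `/*` suffix form needs a recent Git, so confirm the packaged version supports it) and rewording the comment to `;; git-http-backend runs under fcgiwrap, not as the repository owner, so safe.directory must list the gitolite tree`. The services list this hunk extends starts and ends outside the hunk.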
