depot/nixos/tests/gitolite-fcgiwrap.nix
Luke Granger-Brown 57725ef3ec Squashed 'third_party/nixpkgs/' content from commit 76612b17c0ce
git-subtree-dir: third_party/nixpkgs
git-subtree-split: 76612b17c0ce71689921ca12d9ffdc9c23ce40b2
2024-11-10 23:59:47 +00:00

98 lines
3.4 KiB
Nix

import ./make-test-python.nix (
{ pkgs, ... }:
let
user = "gitolite-admin";
password = "some_password";
# not used but needed to setup gitolite
adminPublicKey = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7urFhAA90BTpGuEHeWWTY3W/g9PBxXNxfWhfbrm4Le root@client
'';
in
{
name = "gitolite-fcgiwrap";
meta = with pkgs.lib.maintainers; {
maintainers = [ bbigras ];
};
nodes = {
server =
{ config, ... }:
{
networking.firewall.allowedTCPPorts = [ 80 ];
services.fcgiwrap.instances.gitolite = {
process.user = "gitolite";
process.group = "gitolite";
socket = { inherit (config.services.nginx) user group; };
};
services.gitolite = {
enable = true;
adminPubkey = adminPublicKey;
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."server".locations."/git".extraConfig = ''
# turn off gzip as git objects are already well compressed
gzip off;
# use file based basic authentication
auth_basic "Git Repository Authentication";
auth_basic_user_file /etc/gitolite/htpasswd;
# common FastCGI parameters are required
include ${config.services.nginx.package}/conf/fastcgi_params;
# strip the CGI program prefix
fastcgi_split_path_info ^(/git)(.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
# pass authenticated user login(mandatory) to Gitolite
fastcgi_param REMOTE_USER $remote_user;
# pass git repository root directory and hosting user directory
# these env variables can be set in a wrapper script
fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
fastcgi_param GITOLITE_HTTP_HOME /var/lib/gitolite;
fastcgi_param SCRIPT_FILENAME ${pkgs.gitolite}/bin/gitolite-shell;
# use Unix domain socket or inet socket
fastcgi_pass unix:${config.services.fcgiwrap.instances.gitolite.socket.address};
'';
};
# WARNING: DON'T DO THIS IN PRODUCTION!
# This puts unhashed secrets directly into the Nix store for ease of testing.
environment.etc."gitolite/htpasswd".source = pkgs.runCommand "htpasswd" {} ''
${pkgs.apacheHttpd}/bin/htpasswd -bc "$out" ${user} ${password}
'';
};
client =
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.git ];
};
};
testScript = ''
start_all()
server.wait_for_unit("gitolite-init.service")
server.wait_for_unit("nginx.service")
server.wait_for_file("/run/fcgiwrap-gitolite.sock")
client.wait_for_unit("multi-user.target")
client.succeed(
"git clone http://${user}:${password}@server/git/gitolite-admin.git"
)
'';
}
)