about summary refs log tree commit diff
path: root/nixos/tests/gitolite-fcgiwrap.nix
blob: abf1db37003a6de8247e87d5e9207d36c342b88e (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
import ./make-test-python.nix (
  { pkgs, ... }:

    let
      user = "gitolite-admin";
      password = "some_password";

      # not used but needed to setup gitolite
      adminPublicKey = ''
        ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7urFhAA90BTpGuEHeWWTY3W/g9PBxXNxfWhfbrm4Le root@client
      '';
    in
      {
        name = "gitolite-fcgiwrap";

        meta = with pkgs.lib.maintainers; {
          maintainers = [ bbigras ];
        };

        nodes = {

          server =
            { config, ... }:
              {
                networking.firewall.allowedTCPPorts = [ 80 ];

                services.fcgiwrap.enable = true;
                services.gitolite = {
                  enable = true;
                  adminPubkey = adminPublicKey;
                };

                services.nginx = {
                  enable = true;
                  recommendedProxySettings = true;
                  virtualHosts."server".locations."/git".extraConfig = ''
                    # turn off gzip as git objects are already well compressed
                    gzip off;

                    # use file based basic authentication
                    auth_basic "Git Repository Authentication";
                    auth_basic_user_file /etc/gitolite/htpasswd;

                    # common FastCGI parameters are required
                    include ${config.services.nginx.package}/conf/fastcgi_params;

                    # strip the CGI program prefix
                    fastcgi_split_path_info ^(/git)(.*)$;
                    fastcgi_param PATH_INFO $fastcgi_path_info;

                    # pass authenticated user login(mandatory) to Gitolite
                    fastcgi_param REMOTE_USER $remote_user;

                    # pass git repository root directory and hosting user directory
                    # these env variables can be set in a wrapper script
                    fastcgi_param GIT_HTTP_EXPORT_ALL "";
                    fastcgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
                    fastcgi_param GITOLITE_HTTP_HOME /var/lib/gitolite;
                    fastcgi_param SCRIPT_FILENAME ${pkgs.gitolite}/bin/gitolite-shell;

                    # use Unix domain socket or inet socket
                    fastcgi_pass unix:/run/fcgiwrap.sock;
                  '';
                };

                # WARNING: DON'T DO THIS IN PRODUCTION!
                # This puts unhashed secrets directly into the Nix store for ease of testing.
                environment.etc."gitolite/htpasswd".source = pkgs.runCommand "htpasswd" {} ''
                  ${pkgs.apacheHttpd}/bin/htpasswd -bc "$out" ${user} ${password}
                '';
              };

          client =
            { pkgs, ... }:
              {
                environment.systemPackages = [ pkgs.git ];
              };
        };

        testScript = ''
          start_all()

          server.wait_for_unit("gitolite-init.service")
          server.wait_for_unit("nginx.service")
          server.wait_for_file("/run/fcgiwrap.sock")

          client.wait_for_unit("multi-user.target")
          client.succeed(
              "git clone http://${user}:${password}@server/git/gitolite-admin.git"
          )
        '';
      }
)