{ config, pkgs, serverInfo, servicesPath, ... }: let inherit (pkgs.lib) mkOption; urlPrefix = config.urlPrefix; dbDir = "${config.dataDir}/db"; reposDir = "${config.dataDir}/repos"; backupsDir = "${config.dataDir}/backup"; distsDir = "${config.dataDir}/dist"; tmpDir = "${config.dataDir}/tmp"; logDir = "${config.dataDir}/log"; idString = if config.id == "" then "" else "${config.id}-"; postCommitHook = "/var/run/current-system/sw/bin/svn-server-${idString}post-commit-hook"; fsType = "fsfs"; adminAddr = serverInfo.adminAddr; # Build a Subversion instance with Apache modules and Swig/Python bindings. subversion = pkgs.subversion.override (origArgs: { bdbSupport = true; httpServer = true; sslSupport = true; compressionSupport = true; pythonBindings = true; }); # Build the maintenance scripts and commit hooks. scripts = substituteInAll { name = "svn-server-scripts"; src = /* pkgs.lib.cleanSource */ "${servicesPath}/subversion/src/scripts"; # The variables to substitute: inherit reposDir dbDir logDir distsDir backupsDir tmpDir urlPrefix adminAddr fsType subversion postCommitHook mailer; inherit (config) notificationSender userCreationDomain; orgUrl = config.organisation.url; orgLogoUrl = config.organisation.logo; orgName = config.organisation.name; perl = "${pkgs.perl}/bin/perl"; sendmail = "${pkgs.ssmtp}/sbin/sendmail"; inherit (pkgs) libxslt enscript db4 coreutils diffutils bzip2 python; inherit (serverInfo) canonicalName; inherit (serverInfo.serverConfig) user group; # Urgh, most of these are dependencies of Email::Send, should figure them out automatically. perlFlags = map (x: "-I${x}/lib/perl5/site_perl") [ pkgs.perlPackages.BerkeleyDB pkgs.perlPackages.EmailSend pkgs.perlPackages.EmailSimple pkgs.perlPackages.ModulePluggable pkgs.perlPackages.ReturnValue pkgs.perlPackages.EmailAddress pkgs.perlPackages.CryptPasswordMD5 pkgs.perlPackages.StringMkPasswd ]; pythonPath = "${subversion}/lib/${pkgs.python.libPrefix}/site-packages"; # Do a syntax check on the generated file. postInstall = '' $perl -c -T $out/cgi-bin/repoman.pl $perl -c $out/bin/svn-server-create-user.pl if test -n "${config.id}"; then for i in $(cd $out/bin && echo *); do mv "$out/bin/$i" "$out/bin/$(echo $i | sed s^svn-server-^svn-server-${config.id}-^)" done fi ''; }; # Extract the mailer script from the Subversion source distribution. mailer = pkgs.runCommand "svn-mailer.py" { inherit (subversion) src; } '' unpackFile $src cp subversion-*/tools/hook-scripts/mailer/mailer.py $out ''; # Build our custom authentication modules. authModules = import "${servicesPath}/subversion/src/auth" { inherit (pkgs) stdenv apacheHttpd; }; commonAuth = '' AuthType Basic AuthName "Subversion repositories" AuthBasicProvider dbm AuthDBMType DB AuthDBMUserFile ${dbDir}/svn-users ''; # Access controls for /repos and /repos-xml. reposConfig = dirName: '' ${commonAuth} AuthAllowNone on AuthzRepoPrefix ${urlPrefix}/${dirName}/ AuthzRepoDBType DB AuthzRepoReaders ${dbDir}/svn-readers AuthzRepoWriters ${dbDir}/svn-writers Require repo-writer Require repo-reader DAV svn SVNParentPath ${reposDir} SVNAutoversioning ${if config.autoVersioning then "on" else "off"} ''; # Build ViewVC. viewvc = import "${servicesPath}/subversion/src/viewvc" { inherit (pkgs) fetchurl stdenv python enscript; inherit urlPrefix reposDir adminAddr subversion; }; viewerConfig = dirName: '' ${commonAuth} AuthAllowNone on AuthzRepoPrefix ${urlPrefix}/${dirName}/ AuthzRepoDBType DB AuthzRepoReaders ${dbDir}/svn-readers Require repo-reader ''; viewvcConfig = '' ScriptAlias ${urlPrefix}/viewvc ${viewvc}/viewvc/bin/mod_python/viewvc.py AddHandler python-program .py # Note: we write \" instead of ' to work around a lexer bug in Nix 0.11. PythonPath "[\"${viewvc}/viewvc/bin/mod_python\", \"${subversion}/lib/${pkgs.python.libPrefix}/site-packages\"] + sys.path" PythonHandler handler ${viewerConfig "viewvc"} Alias ${urlPrefix}/viewvc-doc ${viewvc}/viewvc/templates/docroot Redirect permanent ${urlPrefix}/viewcvs ${serverInfo.canonicalName}/${urlPrefix}/viewvc ''; # Build WebSVN. websvn = import "${servicesPath}/subversion/src/websvn" { inherit (pkgs) fetchurl stdenv writeText enscript gnused diffutils; inherit urlPrefix reposDir subversion; cacheDir = tmpDir; }; websvnConfig = '' Alias ${urlPrefix}/websvn ${websvn}/wsvn.php Alias ${urlPrefix}/templates ${websvn}/templates ${viewerConfig "websvn"} Order allow,deny Allow from all ''; distConfig = '' Alias ${urlPrefix}/dist ${distsDir} AllowOverride None Options Indexes FollowSymLinks Order allow,deny Allow from all IndexOptions +SuppressDescription +NameWidth=* IndexIgnore *.rev *.lock IndexStyleSheet ${urlPrefix}/style.css ${viewerConfig "dist"} ''; repomanConfig = '' ScriptAlias ${urlPrefix}/repoman ${scripts}/cgi-bin/repoman.pl ${commonAuth} Require valid-user Order deny,allow Deny from all Allow from 127.0.0.1 Allow from ${config.userCreationDomain} ${commonAuth} Require valid-user ${commonAuth} Require valid-user Order deny,allow Deny from all Allow from 127.0.0.1 Allow from ${config.userCreationDomain} ${commonAuth} Require valid-user ${viewerConfig "repoman/dump"} ''; staticFiles = substituteInSome { name = "svn-static-files"; src = /* pkgs.lib.cleanSource */ "${servicesPath}/subversion/root"; files = ["xsl/svnindex.xsl"]; inherit urlPrefix; }; staticFilesConfig = '' Alias ${urlPrefix}/svn-files ${staticFiles}/ Order allow,deny Allow from all ''; # !!! should be in Nixpkgs. substituteInSome = args: pkgs.stdenv.mkDerivation ({ buildCommand = '' ensureDir $out cp -prd $src/* $out chmod -R u+w $out for i in $files; do args= substituteAll $out/$i $out/$i done ''; } // args); # */ substituteInAll = args: pkgs.stdenv.mkDerivation ({ buildCommand = '' ensureDir $out cp -prd $src/* $out chmod -R u+w $out find $out -type f -print | while read fn; do args= substituteAll $fn $fn done eval "$postInstall" ''; } // args); # */ in { extraModulesPre = [ # Allow anonymous access to repositories that are world-readable # without prompting for a username/password. { name = "authn_noauth"; path = "${authModules}/modules/mod_authn_noauth.so"; } # Check whether the user is allowed read or write access to a # repository. { name = "authz_dyn"; path = "${authModules}/modules/mod_authz_dyn.so"; } ]; extraModules = [ { name = "python"; path = "${pkgs.mod_python}/modules/mod_python.so"; } { name = "php5"; path = "${pkgs.php}/modules/libphp5.so"; } { name = "dav_svn"; path = "${subversion}/modules/mod_dav_svn.so"; } ]; extraConfig = '' ${reposConfig "repos"} ${reposConfig "repos-xml"} SVNIndexXSLT "${urlPrefix}/svn-files/xsl/svnindex.xsl" ${viewvcConfig} ${websvnConfig} ${repomanConfig} ${distConfig} ${staticFilesConfig} ${if config.toplevelRedirect then '' DirectoryIndex repoman '' else ""} ''; robotsEntries = '' User-agent: * Disallow: ${urlPrefix}/viewcvs/ Disallow: ${urlPrefix}/viewvc/ Disallow: ${urlPrefix}/websvn/ Disallow: ${urlPrefix}/repos-xml/ ''; # mod_python's own Python modules must be in the initial Python # path, they cannot be set through the PythonPath directive. globalEnvVars = [ { name = "PYTHONPATH"; value = "${pkgs.mod_python}/lib/${pkgs.python.libPrefix}/site-packages"; } ]; extraServerPath = [ # Needed for ViewVC. "${pkgs.diffutils}/bin" "${pkgs.gnused}/bin" ]; extraPath = [scripts]; startupScript = "${scripts}/bin/svn-server-${idString}startup-hook.sh"; options = { id = mkOption { default = ""; example = "test"; description = " A unique identifier necessary to keep multiple Subversion server instances on the same machine apart. This is used to disambiguate the administrative scripts, which get names like svn-server--delete-repo.pl. In particular it keeps the post-commit hooks of different instances apart. "; }; urlPrefix = mkOption { default = "/subversion"; description = " The URL prefix under which the Subversion service appears. Use the empty string to have it appear in the server root. "; }; toplevelRedirect = mkOption { default = true; description = " Whether urlPrefix without any suffix (except a slash) should redirect to urlPrefix/repoman. "; }; notificationSender = mkOption { default = "svn-server@example.org"; example = "svn-server@example.org"; description = " The email address used in the Sender field of commit notification messages sent by the Subversion subservice. "; }; userCreationDomain = mkOption { default = "example.org"; example = "example.org"; description = " The domain from which user creation is allowed. A client can only create a new user account if its IP address resolves to this domain. "; }; autoVersioning = mkOption { default = false; description = " Whether you want the Subversion subservice to support auto-versioning, which enables Subversion repositories to be mounted as read/writable file systems on operating systems that support WebDAV. "; }; dataDir = mkOption { example = "/data/subversion"; description = " Path to the directory that holds the repositories, user database, etc. "; }; organisation = { name = mkOption { default = null; description = " Name of the organization hosting the Subversion service. "; }; url = mkOption { default = null; description = " URL of the website of the organization hosting the Subversion service. "; }; logo = mkOption { default = null; description = " Logo the organization hosting the Subversion service. "; }; }; }; }