Diffstat (limited to 'modules')
-rw-r--r--modules/server/git/nixpkgs/default.nix36
-rw-r--r--modules/server/nixpk.gs/default.nix2
-rw-r--r--modules/server/nixpk.gs/pr-tracker/default.nix28
3 files changed, 65 insertions, 1 deletions
diff --git a/modules/server/git/nixpkgs/default.nix b/modules/server/git/nixpkgs/default.nix
new file mode 100644
index 000000000000..8d550f192f7d
--- /dev/null
+++ b/modules/server/git/nixpkgs/default.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, ... }:
+
+let
+  inherit (pkgs) writeText;
+  toGitConfig = lib.generators.toINI { listsAsDuplicateKeys = true; };
+in
+
+{
+  users.groups.nixpkgs = {};
+
+  systemd.tmpfiles.rules = [
+    "L+ /var/lib/git/nixpkgs.git/HEAD - - - - refs/heads/master"
+    "L+ /var/lib/git/nixpkgs.git/config - - - - ${writeText "config" (toGitConfig {
+      core.repositoryformatversion = 0;
+      core.filemode = true;
+      core.bare = true;
+      core.sharedRepository = "world";
+      "remote \"origin\"" = {
+        url = "https://github.com/NixOS/nixpkgs";
+        fetch = [
+          "+refs/heads/master:refs/remotes/origin/master"
+          "+refs/heads/staging:refs/remotes/origin/staging"
+          "+refs/heads/staging-*:refs/remotes/origin/staging-*"
+          "+refs/heads/nixos-*:refs/remotes/origin/nixos-*"
+          "+refs/heads/nixpkgs-unstable:refs/remotes/origin/nixpkgs-unstable"
+          "+refs/heads/nixpkgs-*-darwin:refs/remotes/origin/nixpkgs-*-darwin"
+          "+refs/heads/release-*:refs/remotes/origin/release-*"
+        ];
+      };
+    })}"
+    "d /var/lib/git/nixpkgs.git 2775 - nixpkgs"
+    "d /var/lib/git/nixpkgs.git/refs 2775 - nixpkgs"
+    "d /var/lib/git/nixpkgs.git/objects 2775 - nixpkgs"
+    "d /var/lib/git/nixpkgs.git/objects/pack 2775 - nixpkgs"
+  ];
+}
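Review bot: The `d ... 2775 - nixpkgs` rules make the repository root itself group-writable, so any member of `nixpkgs` can unlink and replace the `config` and `HEAD` symlinks or create a `hooks/` directory there, and the `L+` rules only restore the links the next time tmpfiles runs. Git presumably needs write access to the root for files such as `FETCH_HEAD` and `packed-refs`, so this may not be tightenable, but it means membership in the group amounts to full control of the repository and that should be written down. I would add a comment above the rules along the lines of `# Members of the nixpkgs group can rewrite anything in this repository, including config and hooks; only add services trusted to that degree.`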
diff --git a/modules/server/nixpk.gs/default.nix b/modules/server/nixpk.gs/default.nix
index a0498dd3f73f..7ed0e4b4f7d4 100644
--- a/modules/server/nixpk.gs/default.nix
+++ b/modules/server/nixpk.gs/default.nix
@@ -1,5 +1,5 @@
 { ... }:
 
 {
-  imports = [ ./acme ./nginx ];
+  imports = [ ./acme ./nginx ./pr-tracker ];
 }
diff --git a/modules/server/nixpk.gs/pr-tracker/default.nix b/modules/server/nixpk.gs/pr-tracker/default.nix
new file mode 100644
index 000000000000..e3b00c433455
--- /dev/null
+++ b/modules/server/nixpk.gs/pr-tracker/default.nix
@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+
+{
+  imports = [ ../../git/nixpkgs ];
+
+  services.nginx.virtualHosts."nixpk.gs".locations."/pr-tracker.html" = {
+    proxyPass = "http://unix:/run/pr-tracker.sock:/pr-tracker.html";
+    extraConfig = ''
+      proxy_http_version 1.1;
+    '';
+  };
+
+  systemd.services.pr-tracker = {
+    requires = [ "pr-tracker.socket" ];
+    serviceConfig.ExecStart = "${pkgs.pr-tracker}/bin/pr-tracker --path /var/lib/git/nixpkgs.git --remote origin --user-agent 'pr-tracker by alyssais' --source-url https://git.qyliss.net/pr-tracker --mount pr-tracker.html";
+    serviceConfig.StandardInput = "file:/etc/pr-tracker/token";
+    serviceConfig.DynamicUser = true;
+    serviceConfig.SupplementaryGroups = "nixpkgs";
+    serviceConfig.UMask = "0002";
+    serviceConfig.ReadWritePaths = "/var/lib/git/nixpkgs.git";
+  };
+
+  systemd.sockets.pr-tracker = {
+    wantedBy = [ "sockets.target" ];
+    before = [ "nginx.service" ];
+    socketConfig.ListenStream = "/run/pr-tracker.sock";
+  };
+}
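Review bot: The `systemd.sockets.pr-tracker` unit at the end of this file sets only `ListenStream`, so `/run/pr-tracker.sock` is created with systemd's default `SocketMode` of 0666 and any local account can talk to pr-tracker directly instead of going through the nginx location. Since nginx appears to be the only intended client, restrict the socket with `socketConfig.SocketMode = "0660";` and `socketConfig.SocketGroup = config.services.nginx.group;` (which needs `config` added to the module arguments). Separately, `/etc/pr-tracker/token` is provisioned outside this module; a comment beside `StandardInput` saying that the file must exist before the service starts and must not be world-readable would help whoever deploys this.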