[Backport release-24.05] nixos/gitlab: replace git package with bundled git

nixos/modules/services/misc/gitlab.nix

@@ -9,6 +9,8 @@ let
   toml = pkgs.formats.toml {};
   yaml = pkgs.formats.yaml {};
 
+  git = cfg.packages.gitaly.git;
+
   postgresqlPackage = if config.services.postgresql.enable then
                         config.services.postgresql.package
                       else
@@ -51,7 +53,7 @@ let
     prometheus_listen_addr = "localhost:9236"
 
     [git]
-    bin_path = "${pkgs.git}/bin/git"
+    bin_path = "${git}/bin/git"
 
     [gitlab-shell]
     dir = "${cfg.packages.gitlab-shell}"
@@ -184,16 +186,15 @@ let
     MALLOC_ARENA_MAX = "2";
   } // cfg.extraEnv;
 
-  runtimeDeps = with pkgs; [
+  runtimeDeps = [ git ] ++ (with pkgs; [
     nodejs
     gzip
-    git
     gnutar
     postgresqlPackage
     coreutils
     procps
     findutils # Needed for gitlab:cleanup:orphan_job_artifact_files
-  ];
+  ]);
 
   gitlab-rake = pkgs.stdenv.mkDerivation {
     name = "gitlab-rake";
@@ -1295,12 +1296,11 @@ in {
     systemd.services.gitlab-config = {
       wantedBy = [ "gitlab.target" ];
       partOf = [ "gitlab.target" ];
-      path = with pkgs; [
+      path = [ git ] ++ (with pkgs; [
         jq
         openssl
         replace-secret
-        git
-      ];
+      ]);
       serviceConfig = {
         Type = "oneshot";
         User = cfg.user;
@@ -1458,9 +1458,8 @@ in {
         SIDEKIQ_MEMORY_KILLER_GRACE_TIME = cfg.sidekiq.memoryKiller.graceTime;
         SIDEKIQ_MEMORY_KILLER_SHUTDOWN_WAIT = cfg.sidekiq.memoryKiller.shutdownWait;
       });
-      path = with pkgs; [
+      path = [ git ] ++ (with pkgs; [
         postgresqlPackage
-        git
         ruby
         openssh
         nodejs
@@ -1473,7 +1472,7 @@ in {
         gzip
 
         procps # Sidekiq MemoryKiller
-      ];
+      ]);
       serviceConfig = {
         Type = "simple";
         User = cfg.user;
@@ -1500,12 +1499,11 @@ in {
       bindsTo = [ "gitlab-config.service" ];
       wantedBy = [ "gitlab.target" ];
       partOf = [ "gitlab.target" ];
-      path = with pkgs; [
+      path = [ git ] ++ (with pkgs; [
         openssh
-        git
         gzip
         bzip2
-      ];
+      ]);
       serviceConfig = {
         Type = "simple";
         User = cfg.user;
@@ -1582,15 +1580,15 @@ in {
       after = [ "network.target" ];
       wantedBy = [ "gitlab.target" ];
       partOf = [ "gitlab.target" ];
-      path = with pkgs; [
+      path = [ git ] ++ (with pkgs; [
         remarshal
         exiftool
         git
         gnutar
         gzip
         openssh
         cfg.packages.gitlab-workhorse
-      ];
+      ]);
       serviceConfig = {
         Type = "simple";
         User = cfg.user;
@@ -1658,15 +1656,14 @@ in {
       requiredBy = [ "gitlab.target" ];
       partOf = [ "gitlab.target" ];
       environment = gitlabEnv;
-      path = with pkgs; [
+      path = [ git ] ++ (with pkgs; [
         postgresqlPackage
-        git
         openssh
         nodejs
         procps
         gnupg
         gzip
-      ];
+      ]);
       serviceConfig = {
         Type = "notify";
         User = cfg.user;

nixos/tests/gitlab.nix

@@ -34,6 +34,8 @@ in {
     gitlab = { ... }: {
       imports = [ common/user-account.nix ];
 
+      environment.systemPackages = with pkgs; [ git ];
+
       virtualisation.memorySize = 6144;
       virtualisation.cores = 4;
       virtualisation.useNixStoreImage = true;

pkgs/applications/version-management/gitlab/gitaly/default.nix

@@ -1,4 +1,5 @@
 { lib
+, callPackage
 , fetchFromGitLab
 , fetchFromGitHub
 , buildGoModule
@@ -10,6 +11,8 @@ let
   package_version = "v${lib.versions.major version}";
   gitaly_package = "gitlab.com/gitlab-org/gitaly/${package_version}";
 
+  git = callPackage ./git.nix { };
+
   commonOpts = {
     inherit version;
 
@@ -27,8 +30,6 @@ let
 
     tags = [ "static" ];
 
-    nativeBuildInputs = [ pkg-config ];
-
     doCheck = false;
   };
 
@@ -50,6 +51,10 @@ buildGoModule ({
 
   outputs = [ "out" ];
 
+  passthru = {
+    inherit git;
+  };
+
   meta = with lib; {
     homepage = "https://gitlab.com/gitlab-org/gitaly";
     description = "A Git RPC service for handling all the git calls made by GitLab";

pkgs/applications/version-management/gitlab/gitaly/git.nix

@@ -0,0 +1,57 @@
+{ stdenv
+, lib
+, gitaly
+, fetchFromGitLab
+, curl
+, pcre2
+, zlib
+}:
+
+stdenv.mkDerivation rec {
+  pname = "gitaly-git";
+  version = "2.44.1.gl1";
+
+  # `src` attribute for nix-update
+  src = fetchFromGitLab {
+    owner = "gitlab-org";
+    repo = "git";
+    rev = "v${version}";
+    hash = "sha256-1XtzM2dYbt3nsYOm5isgHnolfziyIC9yCTkfLJ95V6Y=";
+  };
+
+  # we actually use the gitaly build system
+  unpackPhase = ''
+    cp -r ${gitaly.src} source
+    chmod -R +w source
+
+    mkdir -p source/_build/deps
+
+    cp -r ${src} source/_build/deps/git-distribution
+    chmod -R +w source/_build/deps/git-distribution
+
+    # FIXME? maybe just patch the makefile?
+    echo -n 'v${version} DEVELOPER=1 DEVOPTS=no-error USE_LIBPCRE=YesPlease NO_PERL=YesPlease NO_EXPAT=YesPlease NO_TCLTK=YesPlease NO_GETTEXT=YesPlease NO_PYTHON=YesPlease' > source/_build/deps/git-distribution.version
+    echo -n 'v${version}' > source/_build/deps/git-distribution/version
+  '';
+  sourceRoot = "source";
+
+  buildFlags = [ "git" ];
+
+  buildInputs = [
+    curl
+    pcre2
+    zlib
+  ];
+
+  # The build phase already installs it all
+  GIT_PREFIX = placeholder "out";
+  dontInstall = true;
+
+  meta = {
+    homepage = "https://git-scm.com/";
+    description = "Distributed version control system - with Gitaly patches";
+    license = lib.licenses.gpl2Only;
+    platforms = lib.platforms.all;
+    maintainers = lib.teams.gitlab.members;
+  };
+}

pkgs/applications/version-management/gitlab/update.py

@@ -251,8 +251,16 @@ def update_gitaly():
     logger.info("Updating gitaly")
     data = _get_data_json()
     gitaly_server_version = data['passthru']['GITALY_SERVER_VERSION']
+    repo = GitLabRepo(repo="gitaly")
+    gitaly_dir = pathlib.Path(__file__).parent / 'gitaly'
+
+    makefile = repo.get_file("Makefile", f"v{gitaly_server_version}")
+    makefile += "\nprint-%:;@echo $($*)\n"
+
+    git_version = subprocess.run(["make", "-f", "-", "print-GIT_VERSION"], check=True, input=makefile, text=True, capture_output=True).stdout.strip()
 
     _call_nix_update("gitaly", gitaly_server_version)
+    _call_nix_update("gitaly.git", git_version)
 
 
 @cli.command("update-gitlab-pages")