authorKj Tsanaktsidis <kjtsanaktsidis@groq.com>2026-01-08 22:32:05 +1100
committerKj Tsanaktsidis <kjtsanaktsidis@groq.com>2026-01-08 22:32:05 +1100
commit5a7b30f6a325d21ab68044ff64a880273aff5da5 (patch)
treefd8e036b68c331d236ab585a5e51560c1c88f2d4
parentf676608781d9464bce06554a87cf7cfce617b737 (diff)
git patch
-rw-r--r--flake.lock24
-rw-r--r--labsrv01/cgit.nix52
-rw-r--r--labsrv01/network.nix5
-rw-r--r--overlays/git-fix/0001-http-backend-write-newlines-to-stderr-when-respondin.patch54
-rw-r--r--overlays/git-fix/default.nix7
5 files changed, 130 insertions, 12 deletions
diff --git a/flake.lock b/flake.lock
index aaf211d..50f4778 100644
--- a/flake.lock
+++ b/flake.lock
@@ -244,11 +244,11 @@
]
},
"locked": {
- "lastModified": 1767619900,
- "narHash": "sha256-KpoCBPvwHz3gAQtIUkohE2InRBFK3r0/FM6z5SPWfvM=",
+ "lastModified": 1767850628,
+ "narHash": "sha256-D3QzdIT11J66I4mzwmIpAGLzPAcbCS2VaKN8fmOe6+E=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "6bd04da47cfb48dfd15eabf08364b78ad894f5b2",
+ "rev": "8c8a16d41353a174767c38b962359b51a56ca02e",
"type": "github"
},
"original": {
@@ -440,11 +440,11 @@
},
"nixpkgs-stable": {
"locked": {
- "lastModified": 1767634882,
- "narHash": "sha256-2GffSfQxe3sedHzK+sTKlYo/NTIAGzbFCIsNMUPAAnk=",
+ "lastModified": 1767799921,
+ "narHash": "sha256-r4GVX+FToWVE2My8VVZH4V0pTIpnu2ZE8/Z4uxGEMBE=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "3c9db02515ef1d9b6b709fc60ba9a540957f661c",
+ "rev": "d351d0653aeb7877273920cd3e823994e7579b0b",
"type": "github"
},
"original": {
@@ -456,11 +456,11 @@
},
"nixpkgs-unstable": {
"locked": {
- "lastModified": 1767640445,
- "narHash": "sha256-UWYqmD7JFBEDBHWYcqE6s6c77pWdcU/i+bwD6XxMb8A=",
+ "lastModified": 1767767207,
+ "narHash": "sha256-Mj3d3PfwltLmukFal5i3fFt27L6NiKXdBezC1EBuZs4=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "9f0c42f8bc7151b8e7e5840fb3bd454ad850d8c5",
+ "rev": "5912c1772a44e31bf1c63c0390b90501e5026886",
"type": "github"
},
"original": {
@@ -547,11 +547,11 @@
]
},
"locked": {
- "lastModified": 1767499857,
- "narHash": "sha256-0zUU/PW09d6oBaR8x8vMHcAhg1MOvo3CwoXgHijzzNE=",
+ "lastModified": 1767826491,
+ "narHash": "sha256-WSBENPotD2MIhZwolL6GC9npqgaS5fkM7j07V2i/Ur8=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "ecc41505948ec2ab0325f14c9862a4329c2b4190",
+ "rev": "ea3adcb6d2a000d9a69d0e23cad1f2cacb3a9fbe",
"type": "github"
},
"original": {
diff --git a/labsrv01/cgit.nix b/labsrv01/cgit.nix
index 2976eb7..606357f 100644
--- a/labsrv01/cgit.nix
+++ b/labsrv01/cgit.nix
@@ -3,6 +3,10 @@
...
}:
{
+ # nixpkgs.overlays = [
+ # (import ../overlays/git-fix)
+ # ];
+
users.users.git = {
isSystemUser = true;
group = "git";
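Review bot: The overlay import added at the top of this module is commented out with no explanation, so a reader cannot tell whether `overlays/git-fix` is meant to be live. As written, the `${pkgs.git}` that this file later uses for `git-http-backend` is the unpatched package. I would add a comment such as `# disabled: overriding git rebuilds every dependent package; enable once the patch is upstream` (the reason is a guess, so replace it with the real one), or drop the block until it is needed. The enclosing attribute set continues outside the hunk.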
@@ -19,4 +23,52 @@
systemd.tmpfiles.rules = [
"d /var/lib/git 0755 git git -"
];
+
+ services.openssh.extraConfig = ''
+ Match User git
+ PasswordAuthentication no
+ PubkeyAuthentication yes
+ X11Forwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ '';
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.fcgiwrap.instances."git-http" = {
+ socket.user = "nginx";
+ socket.group = "nginx";
+ process.user = "nginx";
+ process.group = "nginx";
+ socket.type = "unix";
+ socket.address = "/run/fcgiwrap-git-http.sock";
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts."git.kjtsanaktsidis.id.au" = {
+ forceSSL = false;
+ enableACME = false;
+ locations = {
+ # Block HTTP pushes explicitly (receive-pack)
+ "~ ^/git/.+\\.git/git-receive-pack$" = {
+ return = "403";
+ };
+
+ # Smart HTTP for clone/fetch
+ "~ ^/git(/.+\\.git)(/.*)?$" = {
+ extraConfig = ''
+ client_max_body_size 0;
+
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME ${pkgs.git}/libexec/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /var/lib/git;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param PATH_INFO $1$2;
+ fastcgi_param REMOTE_USER $remote_user;
+
+ fastcgi_pass unix:/run/fcgiwrap-git-http.sock;
+ '';
+ };
+ };
+ };
+ };
}
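Review bot: The new virtual host serves repositories over plain HTTP only: `forceSSL = false` and `enableACME = false` leave no TLS listener, although the firewall line opens 443 as well as 80. Clones and fetches from this host therefore have no transport integrity, and `GIT_HTTP_EXPORT_ALL` makes every repository under `/var/lib/git` readable without authentication, since no `auth_basic` is configured and `$remote_user` will be empty. If that exposure is intended, a comment saying so would help; otherwise set `enableACME = true; forceSSL = true;` and open only the ports that are actually served. Separately, the `Match User git` block in `services.openssh.extraConfig` stays open to the end of the generated sshd_config, so closing it with `Match All` keeps any directives appended afterwards from being scoped to the git user.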
diff --git a/labsrv01/network.nix b/labsrv01/network.nix
index 27ee2d2..49dd881 100644
--- a/labsrv01/network.nix
+++ b/labsrv01/network.nix
@@ -23,6 +23,11 @@
networkConfig = {
DHCP = "yes";
MulticastDNS = "yes";
+ IPv6AcceptRA = "yes";
+ IPv6PrivacyExtensions = "no";
+ };
+ ipv6AcceptRAConfig = {
+ Token = "stable";
};
};
networks."10-wlp3s0" = {
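Review bot: `Token = "stable"` in `ipv6AcceptRAConfig` does not look like a value systemd-networkd accepts; the documented forms are `eui64`, `static:ADDRESS` and `prefixstable[:ADDRESS][,UUID]`, so this line would probably be logged as unparseable and ignored. With `IPv6PrivacyExtensions = "no"` the interface would then fall back to the default interface identifier, which is likely not what was intended. If the aim is a stable address that does not embed the hardware address, use `Token = "prefixstable";`. The enclosing network definition starts outside the hunk.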
diff --git a/overlays/git-fix/0001-http-backend-write-newlines-to-stderr-when-respondin.patch b/overlays/git-fix/0001-http-backend-write-newlines-to-stderr-when-respondin.patch
new file mode 100644
index 0000000..9aa9687
--- /dev/null
+++ b/overlays/git-fix/0001-http-backend-write-newlines-to-stderr-when-respondin.patch
@@ -0,0 +1,54 @@
+From fa18fa7967333ccde36f9347722a66f44b746f25 Mon Sep 17 00:00:00 2001
+From: KJ Tsanaktsidis <kjtsanaktsidis@groq.com>
+Date: Thu, 8 Jan 2026 02:52:48 -0800
+Subject: [PATCH] http-backend: write newlines to stderr when responding with
+ errors
+
+The not_found and forbidden methods currently do not write a newline to
+stderr after the error message. This means that if git-http-backend is
+invoked through something like fcgiwrap, and the stderr of that fcgiwrap
+process is sent to a logging daemon (e.g. journald), the error messages
+of several git-http-backend invocations will just get strung together,
+e.g.
+
+> Not a git repository: '/var/lib/git/foo.git'Not a git repository: '/var/lib/git/foo.git'Not a git repository: '/var/lib/git/foo.git'
+
+I think it's git-http-backend's responsibility to format these messages
+properly, rather than it being fcgiwrap's job to notice that the script
+didn't terminate stderr with a newline and do so itself.
+
+Signed-off-by: KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au>
+---
+ http-backend.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/http-backend.c b/http-backend.c
+index 52f0483dd3..bda8bb91e1 100644
+--- a/http-backend.c
++++ b/http-backend.c
+@@ -143,8 +143,10 @@ static NORETURN void not_found(struct strbuf *hdr, const char *err, ...)
+ end_headers(hdr);
+
+ va_start(params, err);
+- if (err && *err)
++ if (err && *err) {
+ vfprintf(stderr, err, params);
++ fprintf(stderr, "\n");
++ }
+ va_end(params);
+ exit(0);
+ }
+@@ -159,8 +161,10 @@ static NORETURN void forbidden(struct strbuf *hdr, const char *err, ...)
+ end_headers(hdr);
+
+ va_start(params, err);
+- if (err && *err)
++ if (err && *err) {
+ vfprintf(stderr, err, params);
++ fprintf(stderr, "\n");
++ }
+ va_end(params);
+ exit(0);
+ }
+--
+2.50.1
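Review bot: The message and its newline are written with two separate calls, `vfprintf(stderr, err, params)` followed by `fprintf(stderr, "\n")`, in both `not_found` and `forbidden`, so when several backend processes share one stderr pipe under fcgiwrap another process's output may still land between them. Formatting into a `struct strbuf` (`strbuf_vaddf(&msg, err, params); strbuf_addch(&msg, '\n');`) and emitting it with a single write would keep each record on its own line. The formatted text also appears to include the request-derived repository path, so it is worth confirming that a path cannot carry its own line break into the log. Both function bodies start outside the hunks shown in the patch.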
diff --git a/overlays/git-fix/default.nix b/overlays/git-fix/default.nix
new file mode 100644
index 0000000..808c55e
--- /dev/null
+++ b/overlays/git-fix/default.nix
@@ -0,0 +1,7 @@
+final: prev: {
+ git = prev.git.overrideAttrs (old: {
+ patches = (old.patches or []) ++ [
+ ./0001-http-backend-write-newlines-to-stderr-when-respondin.patch
+ ];
+ });
+}