| author | Kj Tsanaktsidis <kjtsanaktsidis@groq.com> | 2026-01-09 11:58:31 +1100 |
|---|---|---|
| committer | Kj Tsanaktsidis <kjtsanaktsidis@groq.com> | 2026-01-09 11:58:31 +1100 |
| commit | 98e94297af73c583c9636c99772b2c1c34f98743 (patch) | |
| tree | 1ac244e55b6d544d556b2327308d07708350e824 /modules/cgit.nix | |
| parent | f5686b8e377ce3ecbf617783b4f2398423cb19fd (diff) | |
some refactor
Diffstat (limited to 'modules/cgit.nix')
| -rw-r--r-- | modules/cgit.nix | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/modules/cgit.nix b/modules/cgit.nix
new file mode 100644
index 0000000..34fa377
--- /dev/null
+++ b/modules/cgit.nix
@@ -0,0 +1,74 @@
+{
+ pkgs,
+ ...
+}:
+{
+ nixpkgs.overlays = [
+ (import ../overlays/git-fix)
+ ];
+
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ home = "/var/lib/git";
+ createHome = false; # tmpfiles creates it
+ shell = "${pkgs.git}/bin/git-shell";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAC/BtvW1c1RbBI8eeGo7oOH2y9byBaxWVDHsErgaE+s kjtsanaktsidis@KJMacbookGroq.local"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsyhMLrlNiffDrqz0s46hZF8IdR9/qX63TUyllK0LCA kj@KJ-PC"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS77sno1zVa6uO+2wCbBK489snNIp3uvymca2cHX/33 kjtsanaktsidis@labsrv01"
+ ];
+ };
+ users.groups.git = { };
+ systemd.tmpfiles.rules = [
+ "d /var/lib/git 0755 git git -"
+ ];
+
+ services.openssh.extraConfig = ''
+ Match User git
+ PasswordAuthentication no
+ PubkeyAuthentication yes
+ X11Forwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ '';
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.fcgiwrap.instances."git-http" = {
+ socket.user = "nginx";
+ socket.group = "nginx";
+ process.user = "nginx";
+ process.group = "nginx";
+ socket.type = "unix";
+ socket.address = "/run/fcgiwrap-git-http.sock";
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts."git.kjtsanaktsidis.id.au" = {
+ forceSSL = false;
+ enableACME = false;
+ locations = {
+ # Block HTTP pushes explicitly (receive-pack)
+ "~ ^/git/.+\\.git/git-receive-pack$" = {
+ return = "403";
+ };
+
+ # Smart HTTP for clone/fetch
+ "~ ^/git(/.+\\.git)(/.*)?$" = {
+ extraConfig = ''
+ client_max_body_size 0;
+
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME ${pkgs.git}/libexec/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /var/lib/git;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param PATH_INFO $1$2;
+ fastcgi_param REMOTE_USER $remote_user;
+
+ fastcgi_pass unix:/run/fcgiwrap-git-http.sock;
+ '';
+ };
+ };
+ };
+ };
+} |
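Review bot: The vhost `git.kjtsanaktsidis.id.au` is served in the clear — `forceSSL = false;` and `enableACME = false;` — while `networking.firewall.allowedTCPPorts` opens 443 with nothing in this module configured to listen there, so clones and fetches travel over plaintext HTTP where an on-path attacker can substitute objects, unless TLS is terminated by something outside this file. If the name is publicly reachable, `forceSSL = true; enableACME = true;` (with the ACME terms/email accepted elsewhere) gives the 443 rule a purpose; if the host is deliberately internal-only, drop 443 from the port list and record that in a comment. Separately, `fastcgi_param GIT_HTTP_EXPORT_ALL "";` publishes every repository under /var/lib/git that the nginx user can read, bypassing the per-repo `git-daemon-export-ok` opt-in, so a comment such as `# every repo under /var/lib/git is public; git-daemon-export-ok is not consulted` would warn whoever later drops a private repo into that directory. The `client_max_body_size 0;` on a fetch-only endpoint also removes the request-body limit entirely; a bounded value is ample for upload-pack negotiation and limits abuse of the fcgiwrap backend.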
