Diffstat (limited to 'labsrv01/cgit.nix')
-rw-r--r--labsrv01/cgit.nix52
1 files changed, 52 insertions, 0 deletions
diff --git a/labsrv01/cgit.nix b/labsrv01/cgit.nix
index 2976eb7..606357f 100644
--- a/labsrv01/cgit.nix
+++ b/labsrv01/cgit.nix
@@ -3,6 +3,10 @@
...
}:
{
+ # nixpkgs.overlays = [
+ # (import ../overlays/git-fix)
+ # ];
+
users.users.git = {
isSystemUser = true;
group = "git";
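Review bot: The commented-out `nixpkgs.overlays` block at the top of the hunk carries no note on why the `git-fix` overlay is disabled or under what condition it should be re-enabled, so the next reader cannot tell whether it is dead configuration or a pending fix. A one-line comment above it would settle that, e.g. `# Disabled: ../overlays/git-fix is not needed on this host; remove or re-enable once the upstream git fix lands`, adjusted to the actual reason. If it is truly dead, deleting it is cleaner than leaving it commented. The enclosing attribute set starts before the hunk.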
@@ -19,4 +23,52 @@
systemd.tmpfiles.rules = [
"d /var/lib/git 0755 git git -"
];
+
+ services.openssh.extraConfig = ''
+ Match User git
+ PasswordAuthentication no
+ PubkeyAuthentication yes
+ X11Forwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ '';
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.fcgiwrap.instances."git-http" = {
+ socket.user = "nginx";
+ socket.group = "nginx";
+ process.user = "nginx";
+ process.group = "nginx";
+ socket.type = "unix";
+ socket.address = "/run/fcgiwrap-git-http.sock";
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts."git.kjtsanaktsidis.id.au" = {
+ forceSSL = false;
+ enableACME = false;
+ locations = {
+ # Block HTTP pushes explicitly (receive-pack)
+ "~ ^/git/.+\\.git/git-receive-pack$" = {
+ return = "403";
+ };
+
+ # Smart HTTP for clone/fetch
+ "~ ^/git(/.+\\.git)(/.*)?$" = {
+ extraConfig = ''
+ client_max_body_size 0;
+
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME ${pkgs.git}/libexec/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /var/lib/git;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param PATH_INFO $1$2;
+ fastcgi_param REMOTE_USER $remote_user;
+
+ fastcgi_pass unix:/run/fcgiwrap-git-http.sock;
+ '';
+ };
+ };
+ };
+ };
}
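Review bot: The `git.kjtsanaktsidis.id.au` vhost is served over plain HTTP (`forceSSL = false; enableACME = false;`) even though the firewall opens 443, and `GIT_HTTP_EXPORT_ALL ""` exports every repository under `/var/lib/git` to anonymous clients regardless of `git-daemon-export-ok`, so anything dropped into that directory becomes world-readable in cleartext. The `fastcgi_param REMOTE_USER $remote_user` line is also inert, since no `auth_basic` is configured for the location; if basic auth is added later without TLS, credentials would cross the network unencrypted. Both deserve a comment stating the intent, e.g. `# Anonymous read-only export of everything in /var/lib/git; no TLS here because <reason>`, or `forceSSL = true; enableACME = true;` if TLS is actually wanted. Finally, with pushes rejected by the `git-receive-pack` 403, `client_max_body_size 0;` removes the request-body limit for no benefit; a bounded value such as `client_max_body_size 64m;` still accommodates upload-pack negotiation while capping what an anonymous client can send.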