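{ pkgs, ... }:
{
  # nixpkgs.overlays = [
  #   (import ../overlays/git-fix)
  # ];

  # Restricted system user for git-over-SSH. git-shell only accepts the git
  # transport commands, so the listed keys get no interactive login.
  users.users.git = {
    isSystemUser = true;
    group = "git";
    home = "/var/lib/git";
    createHome = false; # tmpfiles creates it
    shell = "${pkgs.git}/bin/git-shell";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAC/BtvW1c1RbBI8eeGo7oOH2y9byBaxWVDHsErgaE+s kjtsanaktsidis@KJMacbookGroq.local"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsyhMLrlNiffDrqz0s46hZF8IdR9/qX63TUyllK0LCA kj@KJ-PC"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS77sno1zVa6uO+2wCbBK489snNIp3uvymca2cHX/33 kjtsanaktsidis@labsrv01"
    ];
  };
  users.groups.git = { };

  systemd.tmpfiles.rules = [ "d /var/lib/git 0755 git git -" ];

  # Key-only, non-interactive access for the git user: no password auth, no
  # TTY, and no TCP/X11/agent forwarding so the account cannot be used as a
  # pivot even though it has a shell.
  services.openssh.extraConfig = ''
    Match User git
      PasswordAuthentication no
      PubkeyAuthentication yes
      X11Forwarding no
      AllowTcpForwarding no
      AllowAgentForwarding no
      PermitTTY no
  '';

  # NOTE(review): 443 is opened here, but the vhost below has forceSSL and
  # enableACME off, so nothing in this file serves TLS and clones go over
  # plain HTTP. Either drop 443 or enable TLS on the vhost — confirm no other
  # module provides it.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # git-http-backend runs as the nginx user via fcgiwrap; repositories under
  # /var/lib/git therefore need to be readable by that user.
  services.fcgiwrap.instances."git-http" = {
    socket.user = "nginx";
    socket.group = "nginx";
    process.user = "nginx";
    process.group = "nginx";
    socket.type = "unix";
    socket.address = "/run/fcgiwrap-git-http.sock";
  };

  services.nginx = {
    enable = true;
    virtualHosts."git.kjtsanaktsidis.id.au" = {
      forceSSL = false;
      enableACME = false;
      locations = {
        # Block HTTP pushes explicitly (receive-pack).
        # The NixOS nginx module emits locations of equal priority in attribute
        # name order, and "~ ^/git(" sorts before "~ ^/git/", so without an
        # explicit priority the catch-all regex below is written first. nginx
        # takes the first matching regex location, which made this deny
        # unreachable. A priority below the default (1000) puts it first.
        "~ ^/git/.+\\.git/git-receive-pack$" = {
          priority = 900;
          return = "403";
        };
        # Smart HTTP for clone/fetch
        "~ ^/git(/.+\\.git)(/.*)?$" = {
          extraConfig = ''
            client_max_body_size 0;
            include ${pkgs.nginx}/conf/fastcgi_params;
            fastcgi_param SCRIPT_FILENAME ${pkgs.git}/libexec/git-core/git-http-backend;
            # GIT_HTTP_EXPORT_ALL serves every repository under the project
            # root, regardless of a git-daemon-export-ok marker file.
            fastcgi_param GIT_PROJECT_ROOT /var/lib/git;
            fastcgi_param GIT_HTTP_EXPORT_ALL "";
            fastcgi_param PATH_INFO $1$2;
            # No auth_basic is configured, so $remote_user is empty and
            # git-http-backend treats the request as anonymous; receive-pack
            # then stays off unless http.receivepack is enabled in a
            # repository, which is why the explicit deny above still matters.
            fastcgi_param REMOTE_USER $remote_user;
            fastcgi_pass unix:/run/fcgiwrap-git-http.sock;
          '';
        };
      };
    };
  };
}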