authorMartin Fischer <martin@push-f.com>2025-12-29 15:25:29 +0100
committerMartin Fischer <martin@push-f.com>2025-12-30 08:05:45 +0100
commitff54a7db95fddf578658f6cb1896d5910ff053b1 (patch)
tree10a93151f0f10a7ac50e95746ace2d84d229d252 /nixos/hosts/tente
parent5d61f19ac636ce99a1291871e4ad3551edcb83df (diff)
fix(tente): disallow cloning of private repos
Diffstat (limited to 'nixos/hosts/tente')
-rw-r--r--nixos/hosts/tente/cgit.nix3
-rw-r--r--nixos/hosts/tente/git-web.nix3
2 files changed, 4 insertions, 2 deletions
diff --git a/nixos/hosts/tente/cgit.nix b/nixos/hosts/tente/cgit.nix
index 70ea678..f24c131 100644
--- a/nixos/hosts/tente/cgit.nix
+++ b/nixos/hosts/tente/cgit.nix
@@ -1,4 +1,4 @@
-# copied from nixpkgs
+# copied from nixpkgs to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend
{
config,
lib,
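Review bot: The header comment on the first line of cgit.nix gives the reason for the copy but not the nixpkgs revision it was taken from, so there is no baseline to diff against when upstream changes the module. Because git-web.nix disables `services/networking/cgit.nix` and imports this file instead, upstream fixes to the module will not reach this host until the copy is re-synced by hand. I would extend the comment to `# copied from nixpkgs at <nixpkgs-rev> to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend`, with the placeholder replaced by the actual commit.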
@@ -264,7 +264,6 @@ in
"~ ${regexLocation cfg}/.+/(info/refs|git-upload-pack)" = {
fastcgiParams = rec {
SCRIPT_FILENAME = "${pkgs.git}/libexec/git-core/git-http-backend";
- GIT_HTTP_EXPORT_ALL = "1";
GIT_PROJECT_ROOT = gitProjectRoot name cfg;
HOME = GIT_PROJECT_ROOT;
};
diff --git a/nixos/hosts/tente/git-web.nix b/nixos/hosts/tente/git-web.nix
index 1c7ccf7..b153b7f 100644
--- a/nixos/hosts/tente/git-web.nix
+++ b/nixos/hosts/tente/git-web.nix
@@ -20,6 +20,8 @@ in
};
};
+ # We're using a patched cgit module to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend.
+ # FUTURE: use official module once https://github.com/NixOS/nixpkgs/pull/475112 has landed
disabledModules = ["services/networking/cgit.nix"];
imports = [./cgit.nix];
@@ -45,6 +47,7 @@ in
nginx.virtualHost = cfg.domain;
scanPath = cfg.reposDir;
settings = {
+ strict-export = "git-daemon-export-ok";
remove-suffix = 1;
enable-git-config = 1;
root-title = "push-f.com repositories";
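Review bot: The added `strict-export = "git-daemon-export-ok";` line has no comment, yet it is now half of the access decision for private repos: cgit hides repos that lack the marker file, and git-http-backend, with GIT_HTTP_EXPORT_ALL removed in cgit.nix, refuses to serve them. Both checks key on the same file name, which is worth stating so nobody changes one side alone, e.g. `# must stay "git-daemon-export-ok": git-http-backend checks for the same marker file`. cgit's documentation says only global settings read before the scan-path directive apply to scanned repos, so it is worth confirming that the generated cgitrc emits this setting ahead of scan-path; the generator is not visible here. The settings block continues outside the hunk.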