| author | Martin Fischer <martin@push-f.com> | 2025-12-29 15:25:29 +0100 |
|---|---|---|
| committer | Martin Fischer <martin@push-f.com> | 2025-12-30 08:05:45 +0100 |
| commit | ff54a7db95fddf578658f6cb1896d5910ff053b1 (patch) | |
| tree | 10a93151f0f10a7ac50e95746ace2d84d229d252 /nixos/hosts/tente | |
| parent | 5d61f19ac636ce99a1291871e4ad3551edcb83df (diff) | |
fix(tente): disallow cloning of private repos
Diffstat (limited to 'nixos/hosts/tente')
| -rw-r--r-- | nixos/hosts/tente/cgit.nix | 3 | ||||
| -rw-r--r-- | nixos/hosts/tente/git-web.nix | 3 |
2 files changed, 4 insertions, 2 deletions
diff --git a/nixos/hosts/tente/cgit.nix b/nixos/hosts/tente/cgit.nix
index 70ea678..f24c131 100644
--- a/nixos/hosts/tente/cgit.nix
+++ b/nixos/hosts/tente/cgit.nix
@@ -1,4 +1,4 @@
-# copied from nixpkgs
+# copied from nixpkgs to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend
 {
 config,
 lib,
@@ -264,7 +264,6 @@ in
 "~ ${regexLocation cfg}/.+/(info/refs|git-upload-pack)" = {
 fastcgiParams = rec {
 SCRIPT_FILENAME = "${pkgs.git}/libexec/git-core/git-http-backend";
- GIT_HTTP_EXPORT_ALL = "1";
 GIT_PROJECT_ROOT = gitProjectRoot name cfg;
 HOME = GIT_PROJECT_ROOT;
 };
diff --git a/nixos/hosts/tente/git-web.nix b/nixos/hosts/tente/git-web.nix
index 1c7ccf7..b153b7f 100644
--- a/nixos/hosts/tente/git-web.nix
+++ b/nixos/hosts/tente/git-web.nix
@@ -20,6 +20,8 @@ in
 };
 };
+ # We're using a patched cgit module to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend.
+ # FUTURE: use official module once https://github.com/NixOS/nixpkgs/pull/475112 has landed
 disabledModules = ["services/networking/cgit.nix"];
 imports = [./cgit.nix];
@@ -45,6 +47,7 @@ in
 nginx.virtualHost = cfg.domain;
 scanPath = cfg.reposDir;
 settings = {
+ strict-export = "git-daemon-export-ok";
 remove-suffix = 1;
 enable-git-config = 1;
 root-title = "push-f.com repositories"; |
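Review bot: The added `strict-export = "git-daemon-export-ok";` in the last git-web.nix hunk has no comment tying it to the cgit.nix change, although the two only work as a pair: with GIT_HTTP_EXPORT_ALL unset, git-http-backend serves only repositories containing that exact marker file, and cgit now hides any repository without it. I would add `# must stay "git-daemon-export-ok": git-http-backend checks the same marker now that GIT_HTTP_EXPORT_ALL is unset; repos without it are neither listed nor cloneable` above the line. Nothing visible in this commit creates the marker in the public repositories, so presumably that is done out of band; it is worth confirming that every repository meant to stay public under `cfg.reposDir` has it. Because cgit applies strict-export while it scans, also check that the generated cgitrc emits it before `scan-path`, and that no cached scan result still lists a private repository. The `settings` attrset continues past the end of the hunk.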
