authorMartin Fischer <martin@push-f.com>2025-12-29 09:46:10 +0100
committerMartin Fischer <martin@push-f.com>2025-12-29 19:35:25 +0100
commit928cf7b7f979270f270f315e0e2f17702c870d88 (patch)
tree045c5848cd8bd0916ac581fcc29260a30b516119 /nixos/hosts
parent1ffc0fb9b1d5dfb6658665c13ad13b3378d43fe2 (diff)
fix(tente): revoke repo write access for cgit
Diffstat (limited to 'nixos/hosts')
-rw-r--r--nixos/hosts/tente/default.nix12
-rw-r--r--nixos/hosts/tente/git-web.nix8
2 files changed, 15 insertions, 5 deletions
diff --git a/nixos/hosts/tente/default.nix b/nixos/hosts/tente/default.nix
index ddfa89b..2ecfbcb 100644
--- a/nixos/hosts/tente/default.nix
+++ b/nixos/hosts/tente/default.nix
@@ -69,6 +69,11 @@ in
];
};
+ cgit = {
+ isSystemUser = true;
+ extraGroups = ["git"];
+ };
+
nginx = {
isSystemUser = true;
extraGroups = [
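Review bot: The new `cgit` user declares no primary `group`, and nothing in this commit declares `users.groups.cgit`, yet the second hunk of this file passes `group = "cgit"` to gitWeb; unless git-web.nix creates that group itself, evaluation will fail on the missing group or the service will run with an unexpected one. I would add `group = "cgit";` to the user and a `users.groups.cgit = {};` next to it. `extraGroups = ["git"]` also hard-codes the name of the group that is supposed to grant read access, where the code it replaces referenced `config.services.gitolite.group`; `extraGroups = [config.services.gitolite.group];` keeps that dependency explicit if the gitolite group is ever renamed. The enclosing attribute set begins before this hunk.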
@@ -151,11 +156,8 @@ in
gitWeb = {
domain = "git.${baseDomain}";
reposDir = reposDir;
- # TODO: cgit shouldn't have write access to repositories
- # running as the gitolite user because otherwise cloning a repo via cgit fails with:
- # fatal: detected dubious ownership in repository
- user = config.services.gitolite.user;
- group = config.services.gitolite.group;
+ user = "cgit";
+ group = "cgit";
};
services.geopos-share =
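Review bot: The rationale the removed TODO carried is gone from this file; nothing next to the new `user`/`group` lines says why cgit no longer runs as the gitolite user, and the explanation now lives only in git-web.nix. A one-line comment such as `# dedicated user: cgit only needs group read access to the repositories (see git-web.nix for the safe.directory handling)` would keep the intent visible at the point where the user is chosen. Note that the write revocation only holds if the repository permission bits actually give the git group read without write (gitolite's UMASK setting decides this), which is not visible here and is worth verifying on the host.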
diff --git a/nixos/hosts/tente/git-web.nix b/nixos/hosts/tente/git-web.nix
index 343a5fc..122157a 100644
--- a/nixos/hosts/tente/git-web.nix
+++ b/nixos/hosts/tente/git-web.nix
@@ -64,5 +64,13 @@ in
clone-prefix = "https://${cfg.domain}";
};
};
+
+ # The cgit module uses git-http-backend which aborts by default if the repo isn't owned by the current user.
+ # We're intentionally using different users so that cgit doesn't have write access.
+ # We just have to tell git that the directories are "safe".
+ environment.etc."gitconfig".text = ''
+ [safe]
+ directory = ${cfg.reposDir}/*
+ '';
};
}
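Review bot: `environment.etc."gitconfig".text` claims the whole of /etc/gitconfig, so it will collide with any other module that sets `programs.git.config` (which renders the same file); with `programs.git.enable`, `programs.git.config.safe.directory = "${cfg.reposDir}/*";` expresses the same setting and merges with other contributors instead of conflicting. The setting is also host-wide rather than scoped to the cgit user, so every account on the machine skips git's ownership check under `cfg.reposDir`; that is broader than what the comment states is needed, though arguably harmless for a store that only the gitolite user can write. I believe the trailing `/*` form of `safe.directory` requires a git release that supports it (2.46 or later, verify against the git-config documentation for the git version in this nixpkgs pin); an older git treats it as a literal path and the ownership check would still fire.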