authorMartin Fischer <martin@push-f.com>2025-12-29 15:25:29 +0100
committerMartin Fischer <martin@push-f.com>2025-12-29 19:36:32 +0100
commite0f0394327b954fca08815d94dda0710feaeed39 (patch)
tree7debaa0811d25e2dc816fe5cb0dc2c903b8346d5 /nixos/hosts
parent5d61f19ac636ce99a1291871e4ad3551edcb83df (diff)
fix(tente): disallow cloning of private repos
Diffstat (limited to 'nixos/hosts')
-rw-r--r--nixos/hosts/tente/cgit.nix3
-rw-r--r--nixos/hosts/tente/default.nix29
-rw-r--r--nixos/hosts/tente/git-web.nix16
3 files changed, 46 insertions, 2 deletions
diff --git a/nixos/hosts/tente/cgit.nix b/nixos/hosts/tente/cgit.nix
index 70ea678..f24c131 100644
--- a/nixos/hosts/tente/cgit.nix
+++ b/nixos/hosts/tente/cgit.nix
@@ -1,4 +1,4 @@
-# copied from nixpkgs
+# copied from nixpkgs to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend
{
config,
lib,
@@ -264,7 +264,6 @@ in
"~ ${regexLocation cfg}/.+/(info/refs|git-upload-pack)" = {
fastcgiParams = rec {
SCRIPT_FILENAME = "${pkgs.git}/libexec/git-core/git-http-backend";
- GIT_HTTP_EXPORT_ALL = "1";
GIT_PROJECT_ROOT = gitProjectRoot name cfg;
HOME = GIT_PROJECT_ROOT;
};
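Review bot: The deleted GIT_HTTP_EXPORT_ALL line leaves no marker at the spot where anyone re-syncing this file from nixpkgs would naturally re-add it; only the header comment on the first line records the deviation. A short in-place comment would protect the fix, e.g. `# deliberately no GIT_HTTP_EXPORT_ALL: git-http-backend must honor git-daemon-export-ok so unlisted repos cannot be cloned`. The fastcgiParams set and its enclosing nginx location start outside the hunk.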
diff --git a/nixos/hosts/tente/default.nix b/nixos/hosts/tente/default.nix
index 2ecfbcb..1c0e274 100644
--- a/nixos/hosts/tente/default.nix
+++ b/nixos/hosts/tente/default.nix
@@ -158,6 +158,35 @@ in
reposDir = reposDir;
user = "cgit";
group = "cgit";
+ publicRepos = [
+ "config"
+ "geopos.link"
+ "lex-surf"
+ "logformat"
+ "osm-proposals"
+ "rust-features"
+ "spec.pub"
+ "tastefejl"
+ "toml-patch"
+ "vdf"
+
+ # contrib
+ "inkstitch"
+
+ # archive
+ "dynamize"
+ "html5tokenizer"
+ "mw-code"
+ "mw-redirect-auth"
+ "mw-vote"
+ "osmwiki-overpass-import"
+ "pydoc.dev"
+ "quackmark"
+ "sputnik"
+ "tools"
+ "uris"
+ "webcat"
+ ];
};
services.geopos-share =
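Review bot: publicRepos is the sole gate deciding which repositories are exported, yet nothing here states what an entry is or what happens to a repository that is missing from it. Since git-web.nix builds the marker path as `${cfg.reposDir}/${repo}.git/git-daemon-export-ok`, each value must be a directory name without the `.git` suffix, and anything absent from the list (a misspelled name included) stays private. A comment above the list such as `# directory names under reposDir without the .git suffix; repos not listed here are neither browsable in cgit nor cloneable over HTTP` would make that contract visible where the list is maintained. The enclosing attribute set starts outside the hunk.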
diff --git a/nixos/hosts/tente/git-web.nix b/nixos/hosts/tente/git-web.nix
index 1c7ccf7..d994ebb 100644
--- a/nixos/hosts/tente/git-web.nix
+++ b/nixos/hosts/tente/git-web.nix
@@ -18,12 +18,27 @@ in
group = lib.mkOption {
type = lib.types.str;
};
+ publicRepos = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ };
};
+ # We're using a patched cgit module to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend.
+ # FUTURE: use official module once https://github.com/NixOS/nixpkgs/pull/475112 has landed
disabledModules = ["services/networking/cgit.nix"];
imports = [./cgit.nix];
config = {
+ systemd.tmpfiles.rules = [
+ "r ${cfg.reposDir}/*/git-daemon-export-ok"
+ ]
+ ++ (
+ let
+ exportRepo = repo: "f ${cfg.reposDir}/${repo}.git/git-daemon-export-ok 2770 root root -";
+ in
+ map exportRepo cfg.publicRepos
+ );
+
services.nginx.virtualHosts.${cfg.domain} = {
enableACME = true;
forceSSL = true;
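Review bot: The tmpfiles rules depend on the `r` glob line running before the `f` lines, but systemd-tmpfiles does not process lines in listed order; as far as I recall it applies exact-path lines first and glob lines afterwards, in which case `r ${cfg.reposDir}/*/git-daemon-export-ok` would delete the markers the `f` lines just created and every repository, public ones included, would stop being exportable after the next `systemd-tmpfiles --create --remove` run. Please verify on the host that the markers survive an activation, and either add a comment stating which ordering the two rules rely on or replace the pair with a sequential activation script (delete all markers, then touch the listed ones). Independently, `2770` is a directory-style mode on a regular file; git-http-backend only tests the marker for existence, so `0644 root root -` suffices and avoids a setgid bit. The new `publicRepos` option also lacks a `description`; something like `description = "Repositories (directory names without .git) exported via cgit and git-http-backend; all others are private.";` would document the contract where it is defined.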
@@ -45,6 +60,7 @@ in
nginx.virtualHost = cfg.domain;
scanPath = cfg.reposDir;
settings = {
+ strict-export = "git-daemon-export-ok";
remove-suffix = 1;
enable-git-config = 1;
root-title = "push-f.com repositories";