| author | Martin Fischer <martin@push-f.com> | 2025-12-29 15:25:29 +0100 |
|---|---|---|
| committer | Martin Fischer <martin@push-f.com> | 2025-12-29 19:36:32 +0100 |
| commit | e0f0394327b954fca08815d94dda0710feaeed39 (patch) | |
| tree | 7debaa0811d25e2dc816fe5cb0dc2c903b8346d5 /nixos | |
| parent | 5d61f19ac636ce99a1291871e4ad3551edcb83df (diff) | |
fix(tente): disallow cloning of private repos
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/hosts/tente/cgit.nix | 3 | ||||
| -rw-r--r-- | nixos/hosts/tente/default.nix | 29 | ||||
| -rw-r--r-- | nixos/hosts/tente/git-web.nix | 16 |
3 files changed, 46 insertions, 2 deletions
diff --git a/nixos/hosts/tente/cgit.nix b/nixos/hosts/tente/cgit.nix
index 70ea678..f24c131 100644
--- a/nixos/hosts/tente/cgit.nix
+++ b/nixos/hosts/tente/cgit.nix
@@ -1,4 +1,4 @@
-# copied from nixpkgs
+# copied from nixpkgs to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend
 {
 config,
 lib,
@@ -264,7 +264,6 @@ in
 "~ ${regexLocation cfg}/.+/(info/refs|git-upload-pack)" = {
 fastcgiParams = rec {
 SCRIPT_FILENAME = "${pkgs.git}/libexec/git-core/git-http-backend";
- GIT_HTTP_EXPORT_ALL = "1";
 GIT_PROJECT_ROOT = gitProjectRoot name cfg;
 HOME = GIT_PROJECT_ROOT;
 };
diff --git a/nixos/hosts/tente/default.nix b/nixos/hosts/tente/default.nix
index 2ecfbcb..1c0e274 100644
--- a/nixos/hosts/tente/default.nix
+++ b/nixos/hosts/tente/default.nix
@@ -158,6 +158,35 @@ in
 reposDir = reposDir;
 user = "cgit";
 group = "cgit";
+ publicRepos = [
+ "config"
+ "geopos.link"
+ "lex-surf"
+ "logformat"
+ "osm-proposals"
+ "rust-features"
+ "spec.pub"
+ "tastefejl"
+ "toml-patch"
+ "vdf"
+
+ # contrib
+ "inkstitch"
+
+ # archive
+ "dynamize"
+ "html5tokenizer"
+ "mw-code"
+ "mw-redirect-auth"
+ "mw-vote"
+ "osmwiki-overpass-import"
+ "pydoc.dev"
+ "quackmark"
+ "sputnik"
+ "tools"
+ "uris"
+ "webcat"
+ ];
 };
 services.geopos-share =
diff --git a/nixos/hosts/tente/git-web.nix b/nixos/hosts/tente/git-web.nix
index 1c7ccf7..d994ebb 100644
--- a/nixos/hosts/tente/git-web.nix
+++ b/nixos/hosts/tente/git-web.nix
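Review bot: The dropped `GIT_HTTP_EXPORT_ALL = "1";` in the fastcgiParams hunk is the entire security effect of this file, yet nothing at that spot records that the omission is deliberate, so the next re-copy from nixpkgs (the header says this module is a copy) could silently restore export-all for git-http-backend. I'd leave a marker where the line was: `# intentionally no GIT_HTTP_EXPORT_ALL: git-http-backend must only serve repos that carry git-daemon-export-ok`. The `fastcgiParams = rec { ... }` set and the enclosing location attribute start and end outside the hunk.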
@@ -18,12 +18,27 @@ in
 group = lib.mkOption {
 type = lib.types.str;
 };
+ publicRepos = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ };
 };
+ # We're using a patched cgit module to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend.
+ # FUTURE: use official module once https://github.com/NixOS/nixpkgs/pull/475112 has landed
 disabledModules = ["services/networking/cgit.nix"];
 imports = [./cgit.nix];
 config = {
+ systemd.tmpfiles.rules = [
+ "r ${cfg.reposDir}/*/git-daemon-export-ok"
+ ]
+ ++ (
+ let
+ exportRepo = repo: "f ${cfg.reposDir}/${repo}.git/git-daemon-export-ok 2770 root root -";
+ in
+ map exportRepo cfg.publicRepos
+ );
+
 services.nginx.virtualHosts.${cfg.domain} = {
 enableACME = true;
 forceSSL = true;
@@ -45,6 +60,7 @@ in
 nginx.virtualHost = cfg.domain;
 scanPath = cfg.reposDir;
 settings = {
+ strict-export = "git-daemon-export-ok";
 remove-suffix = 1;
 enable-git-config = 1;
 root-title = "push-f.com repositories";
|
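Review bot: The `f` rule built by `exportRepo` creates each marker file with mode `2770` owned by root, which adds setgid and execute bits that an empty marker never needs; as far as I know git only tests for the file's existence, so `0444 root root -` (or `0644`) states the intent more tightly and avoids a setgid file in every public repo. The preceding `r` glob is what revokes access for repos dropped from `publicRepos`, so it deserves a comment such as `# clear every marker first so repos removed from publicRepos become private again`; the scheme also relies on tmpfiles applying `r` removals before `f` creations, which I believe is the case but is worth confirming once on the host. The new `publicRepos` option has no `description`; something like `description = "Repositories (without the .git suffix) that cgit and git-http-backend may serve; every other repo under reposDir stays private.";` would document the contract the tmpfiles rules and the `strict-export` setting in the second hunk enforce together.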
