| author | Martin Fischer <martin@push-f.com> | 2025-12-29 09:46:10 +0100 |
|---|---|---|
| committer | Martin Fischer <martin@push-f.com> | 2025-12-29 09:58:22 +0100 |
| commit | f4a46f3027e038143f70b3b8a43f515e2c64d7ed (patch) | |
| tree | 07b6b8b283655ae9735b93473395cdf68bbbc739 /nixos | |
| parent | 1ffc0fb9b1d5dfb6658665c13ad13b3378d43fe2 (diff) | |
fix(tente): revoke repo write access for cgit
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/hosts/tente/default.nix | 12 | ||||
| -rw-r--r-- | nixos/hosts/tente/git-web.nix | 8 |
2 files changed, 15 insertions, 5 deletions
diff --git a/nixos/hosts/tente/default.nix b/nixos/hosts/tente/default.nix
index ddfa89b..2ecfbcb 100644
--- a/nixos/hosts/tente/default.nix
+++ b/nixos/hosts/tente/default.nix
@@ -69,6 +69,11 @@ in
 ];
 };
+ cgit = {
+ isSystemUser = true;
+ extraGroups = ["git"];
+ };
+
 nginx = {
 isSystemUser = true;
 extraGroups = [
@@ -151,11 +156,8 @@ in
 gitWeb = {
 domain = "git.${baseDomain}";
 reposDir = reposDir;
- # TODO: cgit shouldn't have write access to repositories
- # running as the gitolite user because otherwise cloning a repo via cgit fails with:
- # fatal: detected dubious ownership in repository
- user = config.services.gitolite.user;
- group = config.services.gitolite.group;
+ user = "cgit";
+ group = "cgit";
 };
 services.geopos-share =
diff --git a/nixos/hosts/tente/git-web.nix b/nixos/hosts/tente/git-web.nix
index 343a5fc..1288a45 100644
--- a/nixos/hosts/tente/git-web.nix
+++ b/nixos/hosts/tente/git-web.nix
@@ -64,5 +64,13 @@ in
 clone-prefix = "https://${cfg.domain}";
 };
 };
+
+ # cgit uses git for http clones and git aborts by default if the repo isn't owned by the current user.
+ # We're intentionally using different users so that cgit doesn't have write access.
+ # We just have to tell git that the directories are "safe".
+ environment.etc."gitconfig".text = ''
+ [safe]
+ directory = ${cfg.reposDir}/*
+ '';
 };
}
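Review bot: The new `users.users.cgit` entry in the first hunk sets `isSystemUser` and `extraGroups` but no `group`, and NixOS refuses to evaluate a system user without one (the old `nogroup` default was removed as unsafe); unless git-web.nix declares `users.groups.cgit` and sets `group = cfg.group` on this user — that module is not visible here — this needs `group = "cgit";` next to `isSystemUser` plus a `users.groups.cgit = {};`. Membership in `git` (presumably gitolite's group, though the NixOS default is `gitolite`) also does not by itself deliver what the commit title promises: cgit's access is whatever the repositories' group mode bits allow, so with gitolite's default `UMASK = 0077` cgit cannot read them at all, `0027` yields exactly the intended read-only access, and a group-writable umask would leave write access in place. That assumption deserves a comment on the user, e.g. `# read-only access via the git group relies on gitolite UMASK 0027 (group r-x, never w)`. The enclosing `users.users` attribute set starts before the hunk.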
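Review bot: The `/*` suffix in `directory = ${cfg.reposDir}/*` is only treated as a prefix wildcard by Git 2.46 and later; older versions compare the value as a literal path, so the dubious-ownership error this hunk exists to fix would simply come back. Since the comment says cgit itself serves the HTTP clone, the git code that matters is the one cgit is linked against (the bundled copy in the nixpkgs build), not necessarily the system `git`, so that version is worth checking — or the repositories can be listed explicitly if in doubt. The entry also lands in the system-wide `/etc/gitconfig`, which marks those directories safe for every user on the host rather than just cgit; if the gitWeb module exposes the cgit service's environment, scoping it with `GIT_CONFIG_GLOBAL` or a per-user config would keep the exception where it is actually needed. Note too that `programs.git.config` writes the same `environment.etc."gitconfig"`, so enabling it later would conflict with this literal text. The enclosing `config` attribute set starts before the hunk.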
