From fe82080cb6b38e3100b08308d48bd78220c9ec3c Mon Sep 17 00:00:00 2001
From: Martin Fischer
Date: Thu, 25 Dec 2025 20:10:39 +0100
Subject: refactor: split git module into gitWeb and gitolite
---
 nixos/hosts/tente/default.nix | 15 ++++++--
 nixos/hosts/tente/git-web.nix | 68 +++++++++++++++++++++++++++++++++++
 nixos/hosts/tente/git.nix | 81 ------------------------------------------
 nixos/hosts/tente/gitolite.nix | 29 +++++++++++++++
 4 files changed, 109 insertions(+), 84 deletions(-)
 create mode 100644 nixos/hosts/tente/git-web.nix
 delete mode 100644 nixos/hosts/tente/git.nix
 create mode 100644 nixos/hosts/tente/gitolite.nix
(limited to 'nixos/hosts')
diff --git a/nixos/hosts/tente/default.nix b/nixos/hosts/tente/default.nix
index 30fa111..8d2f4f3 100644
--- a/nixos/hosts/tente/default.nix
+++ b/nixos/hosts/tente/default.nix
@@ -25,7 +25,8 @@ in
 ./web-personal.nix
- ./git.nix
+ ./git-web.nix
+ ./gitolite.nix
 ./headscale.nix
 ./matrix.nix
 ./exporters.nix
@@ -39,8 +40,16 @@ in
 web-personal.domain = baseDomain;
 web-personal.matrixApiDomain = config.matrix.apiDomain;
- git.gitoliteDataDir = gitoliteDataDir;
- git.webUiDomain = "git.${baseDomain}";
+ gitolite.dataDir = gitoliteDataDir;
+ gitWeb = {
+ domain = "git.${baseDomain}";
+ reposDir = reposDir;
+ # TODO: cgit shouldn't have write access to repositories
+ # running as the gitolite user because otherwise cloning a repo via cgit fails with:
+ # fatal: detected dubious ownership in repository
+ user = config.services.gitolite.user;
+ group = config.services.gitolite.group;
+ };
 headscale.domain = "tailscale.${baseDomain}";
 matrix.serverName = baseDomain;
 matrix.apiDomain = "matrix.${baseDomain}";
diff --git a/nixos/hosts/tente/git-web.nix b/nixos/hosts/tente/git-web.nix
new file mode 100644
index 0000000..343a5fc
--- /dev/null
+++ b/nixos/hosts/tente/git-web.nix
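Review bot: The `user = config.services.gitolite.user;` / `group = config.services.gitolite.group;` lines in the second hunk keep cgit running as the repository owner, so the web UI retains write access to every repository, exactly as the TODO above them says; the `fatal: detected dubious ownership in repository` error being worked around is git's `safe.directory` check, which can instead be satisfied for a dedicated cgit user by setting `safe.directory` (to the repositories path, or `*`) in that user's git config, with read access granted through the `git` group since gitolite.nix already sets `$RC{UMASK} = 0027;`. The same choice is consumed in git-web.nix, where `user = cfg.user;` and `group = cfg.group;` are handed to `services.cgit.main`, so fixing it here is enough. Separately, `reposDir = reposDir;` is the Nix idiom `inherit reposDir;`, and the removed `scanPath` was `"${cfg.gitoliteDataDir}/repositories"`; the `reposDir` binding presumably lives in the `let` above this hunk, so it is worth confirming it resolves to that same path.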
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.gitWeb;
+ helpers = import { inherit config lib pkgs; };
+in
+{
+ options.gitWeb = {
+ domain = lib.mkOption {
+ type = lib.types.str;
+ };
+ reposDir = lib.mkOption {
+ type = lib.types.str;
+ };
+ user = lib.mkOption {
+ type = lib.types.str;
+ };
+ group = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ services.nginx.virtualHosts.${cfg.domain} = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = helpers.mkNginxConfig cfg.domain;
+ };
+
+ services.cgit.main = {
+ enable = true;
+ package = pkgs.runCommand "cgit-with-extended-robots-txt" {} ''
+ cp -r ${pkgs.cgit} $out
+ robots_txt=$out/cgit/robots.txt
+ chmod u+w $robots_txt
+ echo >> $robots_txt
+ cat ${./bad-bots.txt} >> $robots_txt
+ '';
+
+ user = cfg.user;
+ group = cfg.group;
+ nginx.virtualHost = cfg.domain;
+ scanPath = cfg.reposDir;
+ settings = {
+ remove-suffix = 1;
+ enable-git-config = 1;
+ root-title = "push-f.com repositories";
+ root-desc = "My various repositories.";
+ readme = ":README.md";
+ about-filter =
+ # about-formatting.sh from cgit uses python-markdown which doesn't
+ # follow CommonMark, so we're using the lowdown parser instead.
+ let
+ # The about-filter is invoked with stdin but also with the filename
+ # as argv[1] so we wrap lowdown in a script to ignore the argument.
+ formatScript = pkgs.writeScriptBin "about-format.sh" ''
+ #!/bin/sh
+ ${pkgs.lowdown}/bin/lowdown
+ '';
+ in
+ "${formatScript}/bin/about-format.sh";
+ enable-index-owner = 0;
+ source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+ clone-prefix = "https://${cfg.domain}";
+ };
+ };
+ };
+}
diff --git a/nixos/hosts/tente/git.nix b/nixos/hosts/tente/git.nix
deleted file mode 100644
index d5688cd..0000000
--- a/nixos/hosts/tente/git.nix
+++ /dev/null
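Review bot: The four `lib.mkOption` declarations under `options.gitWeb` carry no `description`, and the reason `user`/`group` exist at all (the dubious-ownership workaround) is recorded only in default.nix, so a reader of this module cannot tell what access cgit actually needs. I would add `description = "Unix user cgit runs as; it only needs read access to reposDir.";` on `user`, the matching text on `group`, and `description = "Directory cgit scans for repositories (passed as scanPath).";` on `reposDir`. The `helpers = import { inherit config lib pkgs; };` line appears to be missing its path argument as rendered here; that is most likely lost in extraction rather than in the file, but it is worth a glance since the file would not evaluate without it.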
@@ -1,81 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- cfg = config.git;
- helpers = import { inherit config lib pkgs; };
-in
-{
- options.git = {
- webUiDomain = lib.mkOption {
- type = lib.types.str;
- };
- gitoliteDataDir = lib.mkOption {
- type = lib.types.str;
- };
- };
-
- config = {
- services = {
- gitolite = {
- enable = true;
- adminPubkey = ""; # TODO: submit PR to nixpkgs to make this option optional
- user = "git";
- group = "git";
- dataDir = cfg.gitoliteDataDir;
- extraGitoliteRc = ''
- $RC{UMASK} = 0027;
- $RC{GIT_CONFIG_KEYS} = 'cgit.* gitweb.*';
-
- # not working for some reason? still getting `FATAL: git config 'gitweb.description' not allowed` if gitweb.* is omitted in GIT_CONFIG_KEYS
- # push( @{$RC{ENABLE}}, 'cgit' ); # update description files instead of gitweb.description config
- '';
- };
-
- nginx.virtualHosts.${cfg.webUiDomain} = {
- enableACME = true;
- forceSSL = true;
- extraConfig = helpers.mkNginxConfig cfg.webUiDomain;
- };
-
- cgit.main = {
- enable = true;
- package = pkgs.runCommand "cgit-with-extended-robots-txt" {} ''
- cp -r ${pkgs.cgit} $out
- robots_txt=$out/cgit/robots.txt
- chmod u+w $robots_txt
- echo >> $robots_txt
- cat ${./bad-bots.txt} >> $robots_txt
- '';
-
- # running as the gitolite user because otherwise cloning a repo via cgit fails with:
- # fatal: detected dubious ownership in repository
- user = config.services.gitolite.user;
- group = config.services.gitolite.group;
- nginx.virtualHost = cfg.webUiDomain;
- scanPath = "${cfg.gitoliteDataDir}/repositories";
- settings = {
- remove-suffix = 1;
- enable-git-config = 1;
- root-title = "push-f.com repositories";
- root-desc = "My various repositories.";
- readme = ":README.md";
- about-filter =
- # about-formatting.sh from cgit uses python-markdown which doesn't
- # follow CommonMark, so we're using the lowdown parser instead.
- let
- # The about-filter is invoked with stdin but also with the filename
- # as argv[1] so we wrap lowdown in a script to ignore the argument.
- formatScript = pkgs.writeScriptBin "about-format.sh" ''
- #!/bin/sh
- ${pkgs.lowdown}/bin/lowdown
- '';
- in
- "${formatScript}/bin/about-format.sh";
- enable-index-owner = 0;
- source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
- clone-prefix = "https://${cfg.webUiDomain}";
- };
- };
- };
- };
-}
diff --git a/nixos/hosts/tente/gitolite.nix b/nixos/hosts/tente/gitolite.nix
new file mode 100644
index 0000000..c9a7fae
--- /dev/null
+++ b/nixos/hosts/tente/gitolite.nix
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.gitolite;
+in
+{
+ options.gitolite = {
+ dataDir = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ services.gitolite = {
+ enable = true;
+ adminPubkey = ""; # TODO: submit PR to nixpkgs to make this option optional
+ user = "git";
+ group = "git";
+ dataDir = cfg.dataDir;
+ extraGitoliteRc = ''
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = 'cgit.* gitweb.*';
+
+ # not working for some reason? still getting `FATAL: git config 'gitweb.description' not allowed` if gitweb.* is omitted in GIT_CONFIG_KEYS
+ # push( @{$RC{ENABLE}}, 'cgit' ); # update description files instead of gitweb.description config
+ '';
+ };
+ };
+}
--
cgit v1.3.1
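Review bot: `$RC{GIT_CONFIG_KEYS} = 'cgit.* gitweb.*';` in the gitolite.nix hunk is the allow-list of per-repository git config keys gitolite will apply from gitolite.conf, and because cgit in git-web.nix runs with `enable-git-config = 1` the `cgit.*` keys it admits are honoured by the web UI; now that the two modules are separate files, that coupling should be stated here, e.g. `# cgit.* keys are read by cgit (enable-git-config = 1 in git-web.nix); keep this list minimal.`. The `# not working for some reason?` line is a debugging note carried over verbatim from git.nix rather than documentation; either resolve it or reword it to state what is actually known about the `gitweb.description` error. `pkgs` in the module arguments `{ config, lib, pkgs, ... }:` is unused in this file and could be dropped.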