From ff54a7db95fddf578658f6cb1896d5910ff053b1 Mon Sep 17 00:00:00 2001
From: Martin Fischer
Date: Mon, 29 Dec 2025 15:25:29 +0100
Subject: fix(tente): disallow cloning of private repos
---
nixos/hosts/tente/cgit.nix | 3 +--
nixos/hosts/tente/git-web.nix | 3 +++
2 files changed, 4 insertions(+), 2 deletions(-)
(limited to 'nixos/hosts')
diff --git a/nixos/hosts/tente/cgit.nix b/nixos/hosts/tente/cgit.nix
index 70ea678..f24c131 100644
--- a/nixos/hosts/tente/cgit.nix
+++ b/nixos/hosts/tente/cgit.nix
@@ -1,4 +1,4 @@
-# copied from nixpkgs
+# copied from nixpkgs to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend
 {
 config,
 lib,
@@ -264,7 +264,6 @@ in
 "~ ${regexLocation cfg}/.+/(info/refs|git-upload-pack)" = {
 fastcgiParams = rec {
 SCRIPT_FILENAME = "${pkgs.git}/libexec/git-core/git-http-backend";
- GIT_HTTP_EXPORT_ALL = "1";
 GIT_PROJECT_ROOT = gitProjectRoot name cfg;
 HOME = GIT_PROJECT_ROOT;
 };
diff --git a/nixos/hosts/tente/git-web.nix b/nixos/hosts/tente/git-web.nix
index 1c7ccf7..b153b7f 100644
--- a/nixos/hosts/tente/git-web.nix
+++ b/nixos/hosts/tente/git-web.nix
@@ -20,6 +20,8 @@ in
 };
 };
+ # We're using a patched cgit module to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend.
+ # FUTURE: use official module once https://github.com/NixOS/nixpkgs/pull/475112 has landed
 disabledModules = ["services/networking/cgit.nix"];
 imports = [./cgit.nix];
@@ -45,6 +47,7 @@ in
 nginx.virtualHost = cfg.domain;
 scanPath = cfg.reposDir;
 settings = {
+ strict-export = "git-daemon-export-ok";
 remove-suffix = 1;
 enable-git-config = 1;
 root-title = "push-f.com repositories";
--
cgit v1.3.1
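Review bot: The new header comment in cgit.nix gives the reason for the fork but not the nixpkgs revision the file was copied from, so a later reader cannot diff this copy against upstream to confirm that dropping `GIT_HTTP_EXPORT_ALL` is the only change, or notice upstream fixes the copy is missing. I would extend it to something like `# copied from nixpkgs (nixos/modules/services/networking/cgit.nix @ <nixpkgs-rev>) to remove GIT_HTTP_EXPORT_ALL=1 for git-http-backend`, with the placeholder replaced by the actual commit. The file continues outside this hunk.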
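Review bot: The `strict-export` value added to `settings` in git-web.nix has to stay exactly `git-daemon-export-ok`, because that is the fixed marker file git-http-backend checks once `GIT_HTTP_EXPORT_ALL` is unset (removed in cgit.nix in this same commit), and nothing here records that coupling. If the value ever changes, cgit's listing and HTTP clone access would be decided by different files. I would add a comment above it such as `# must match the marker git-http-backend checks; repos without this file are neither listed nor cloneable`. Visibility is now opt-in per repository, so after deployment it is worth confirming that a repo without the marker is rejected on `info/refs` and that every intended-public repo has the file. The `settings` block continues outside the hunk.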