{ config, lib, pkgs, ... }: let cfg = config.gitWeb; helpers = import { inherit config lib pkgs; }; in { options.gitWeb = { domain = lib.mkOption { type = lib.types.str; }; reposDir = lib.mkOption { type = lib.types.str; }; user = lib.mkOption { type = lib.types.str; }; group = lib.mkOption { type = lib.types.str; }; }; config = { services.nginx.virtualHosts.${cfg.domain} = { enableACME = true; forceSSL = true; extraConfig = helpers.mkNginxConfig cfg.domain; }; services.cgit.main = { enable = true; package = pkgs.runCommand "cgit-with-extended-robots-txt" {} '' cp -r ${pkgs.cgit} $out robots_txt=$out/cgit/robots.txt chmod u+w $robots_txt echo >> $robots_txt cat ${./bad-bots.txt} >> $robots_txt ''; user = cfg.user; group = cfg.group; nginx.virtualHost = cfg.domain; scanPath = cfg.reposDir; gitHttpBackend.checkExportOkFiles = true; settings = { strict-export = "git-daemon-export-ok"; remove-suffix = 1; enable-git-config = 1; root-title = "push-f.com repositories"; root-desc = "My various repositories."; readme = ":README.md"; about-filter = # about-formatting.sh from cgit uses python-markdown which doesn't # follow CommonMark, so we're using the lowdown parser instead. let # The about-filter is invoked with stdin but also with the filename # as argv[1] so we wrap lowdown in a script to ignore the argument. formatScript = pkgs.writeScriptBin "about-format.sh" '' #!/bin/sh ${pkgs.lowdown}/bin/lowdown ''; in "${formatScript}/bin/about-format.sh"; enable-index-owner = 0; source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py"; clone-prefix = "https://${cfg.domain}"; }; }; # The cgit module uses git-http-backend which aborts by default if the repo isn't owned by the current user. # We're intentionally using different users so that cgit doesn't have write access. # We just have to tell git that the directories are "safe". environment.etc."gitconfig".text = '' [safe] directory = ${cfg.reposDir}/* ''; }; }