modules/cgit: Stop exposing all repositories as http clones HEAD main

This feature has recently been added to nixpkgs to fix the security vulnerability.
author: Benedikt Peetz <benedikt.peetz@b-peetz.de> 2026-02-15 14:20:56 +0100
committer: Benedikt Peetz <benedikt.peetz@b-peetz.de> 2026-02-15 14:20:56 +0100
commit: 843777c20c09feb37d7112861d81bd41dcd0f7b2 (patch)
tree: 643122f6c5cf64650afcfb289798d25a98989177
parent: flake: Update (diff)
download: nixos-server-843777c20c09feb37d7112861d81bd41dcd0f7b2.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/modules/by-name/gi/git-server/module.nix b/modules/by-name/gi/git-server/module.nix
index db35897..4ddfca4 100644
--- a/modules/by-name/gi/git-server/module.nix
+++ b/modules/by-name/gi/git-server/module.nix
@@ -88,6 +88,12 @@ in {
         scanPath = "${config.services.gitolite.dataDir}/repositories";
         user = "git";
         group = "git";
+
+        # Don't bypass `cgit` when performing a http only clone.
+        # This is slightly slower, but we don't need to worry about the access
+        # restrictions also being by-passed.
+        gitHttpBackend.enable = false;
+
         settings = {
           branch-sort = "age";
author	Benedikt Peetz <benedikt.peetz@b-peetz.de>	2026-02-15 14:20:56 +0100
committer	Benedikt Peetz <benedikt.peetz@b-peetz.de>	2026-02-15 14:20:56 +0100
commit	843777c20c09feb37d7112861d81bd41dcd0f7b2 (patch)
tree	643122f6c5cf64650afcfb289798d25a98989177
parent	flake: Update (diff)
download	nixos-server-843777c20c09feb37d7112861d81bd41dcd0f7b2.zip