authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2026-02-15 14:20:56 +0100
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2026-02-15 14:20:56 +0100
commit843777c20c09feb37d7112861d81bd41dcd0f7b2 (patch)
tree643122f6c5cf64650afcfb289798d25a98989177
parentflake: Update (diff)
modules/cgit: Stop exposing all repositories as http clones HEAD main
This feature has recently been added to nixpkgs to fix the security
vulnerability.
Diffstat (limited to '')
-rw-r--r--modules/by-name/gi/git-server/module.nix6
1 files changed, 6 insertions, 0 deletions
diff --git a/modules/by-name/gi/git-server/module.nix b/modules/by-name/gi/git-server/module.nix
index db35897..4ddfca4 100644
--- a/modules/by-name/gi/git-server/module.nix
+++ b/modules/by-name/gi/git-server/module.nix
@@ -88,6 +88,12 @@ in {
         scanPath = "${config.services.gitolite.dataDir}/repositories";
         user = "git";
         group = "git";
+
+        # Don't bypass `cgit` when performing a http only clone.
+        # This is slightly slower, but we don't need to worry about the access
+        # restrictions also being by-passed.
+        gitHttpBackend.enable = false;
+
         settings = {
           branch-sort = "age";