authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-08-02 22:34:29 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-08-02 23:13:30 +0200
commitd8fd64d771bb73e5ec1b68acf06df5159a53ed7c (patch)
tree4c6a7dad0bc77b298a570b40bb5618866970a660
parentrefactor(nixos/{nginx, nix-sync}): Migrate from `system/services` (diff)
downloadnixos-server-d8fd64d771bb73e5ec1b68acf06df5159a53ed7c.zip
fix(nixos/git-server): Add the required configuration to support http-clone
-rw-r--r--modules/nixos/vhack/git-server/default.nix46
1 files changed, 43 insertions, 3 deletions
diff --git a/modules/nixos/vhack/git-server/default.nix b/modules/nixos/vhack/git-server/default.nix
index 0129699..a700ef4 100644
--- a/modules/nixos/vhack/git-server/default.nix
+++ b/modules/nixos/vhack/git-server/default.nix
@@ -5,11 +5,35 @@
   ...
 }: let
   cfg = config.vhack.git-server;
+  /*
+  Until <https://github.com/NixOS/nixpkgs/pull/317293> is merged into
+  nixpkgs, we have to do the list to string conversion ourselves:
+  */
+  toCgitRc = list: lib.strings.concatStringsSep " " list;
 in {
   options.vhack.git-server = {
     enable = lib.mkEnableOption ''
       a lightweight git-server, realised with cgit and gitolite.
     '';
+
+    domain = lib.mkOption {
+      type = lib.types.str;
+      default = "git.vhack.eu";
+      description = ''
+        The domain this git instance will run under.
+      '';
+    };
+
+    gitolite = {
+      adminPubkey = lib.mkOption {
+        description = ''
+          The initial key to use for gitolite. This will only be used for the initial
+          clone of the `gitolite-admin` repository.
+        '';
+        type = lib.types.str;
+        default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A";
+      };
+    };
   };
 
   config = lib.mkIf cfg.enable {
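Review bot: The new `gitolite.adminPubkey` option ships a `default` holding one specific key, so any host that sets `vhack.git-server.enable = true` without overriding it gives gitolite admin rights to that key, and evaluation raises no error. Dropping the `default` line makes the option mandatory, and the expected format can still be shown with `example = "ssh-ed25519 AAAA... admin@example";` (a constructed placeholder, not a real key). The description could also state that whoever holds this key controls the `gitolite-admin` repository. The `let … in` expression this hunk sits in starts and ends outside the hunk.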
@@ -21,10 +45,22 @@ in {
         };
       };
     };
+
+    # Needed for the nginx proxy and the virtual host
+    vhack.nginx.enable = true;
+
     services = {
+      fcgiwrap = {
+        # NOTE: This is needed as `cgit` otherwise fails to run `git` commands in the git
+        # repositories (for example, when cloning a repository over http). <2024-08-02>
+        # FIXME: Is there a way to not run _all_ wrapped cgi things as `git`? <2024-08-02>
+        user = "git";
+        group = "nginx";
+      };
+
       gitolite = {
+        inherit (cfg.gitolite) adminPubkey;
         enable = true;
-        adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A";
         dataDir = "/srv/gitolite";
         user = "git";
         group = "git";
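Review bot: Setting `services.fcgiwrap.user = "git"` runs the internet-facing cgit CGI process under the same account gitolite uses (`user = "git"`, `dataDir = "/srv/gitolite"` a few lines below). A flaw in cgit or in any other wrapped CGI script would therefore get write access to everything that account owns, not just read access to the repositories. Browsing and HTTP clone only need to read, so a dedicated unprivileged account with group read permission on the repositories directory would be a narrower fit; that presumably also requires group-readable repositories and git's ownership check accepting them, neither of which this hunk shows. Until then I would make the comment state the exposure rather than only ask the question, e.g. `# SECURITY: the CGI worker shares gitolite's uid and can modify /srv/gitolite; move it to a read-only account.` The `services` attribute set continues outside the hunk.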
@@ -33,11 +69,15 @@ in {
         '';
       };
 
-      cgit."git.vhack.eu" = {
+      cgit."${cfg.domain}" = {
         enable = true;
         package = pkgs.cgit-pink;
         scanPath = "${config.services.gitolite.dataDir}/repositories";
         settings = {
+          # Allow users to download a repo checkout with these compression formats
+          snapshots = toCgitRc ["tar.gz" "zip"];
+          # The template used to generate the clone url for https clone.
+          clone-url = toCgitRc ["https://${cfg.domain}/$CGIT_REPO_URL" "ssh://git@${cfg.domain}/$CGIT_REPO_URL"];
           enable-http-clone = true;
           section-from-path = true;
           project-list = "${config.services.gitolite.dataDir}/projects.list";
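Review bot: The comments on the added `snapshots` and `clone-url` settings say what they do but not who can use them. With `enable-http-clone = true` on the same vhost, clones and archive downloads are served without authentication, and gitolite's per-user rules are not consulted on this path. What is exposed appears to be decided by `project-list` alone, so I would note that next to it, e.g. `# NOTE: every repository in projects.list is world-readable over https (browse, clone, snapshot).` Snapshot archives are also generated on request, so crawler traffic on those links costs CPU on the server. The `settings` block ends outside the hunk.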
@@ -45,7 +85,7 @@ in {
         };
       };
 
-      nginx.virtualHosts."git.vhack.eu" = {
+      nginx.virtualHosts."${cfg.domain}" = {
         enableACME = true;
         forceSSL = true;
       };