diff options
author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-08-02 22:34:29 +0200 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-08-02 23:13:30 +0200 |
commit | d8fd64d771bb73e5ec1b68acf06df5159a53ed7c (patch) | |
tree | 4c6a7dad0bc77b298a570b40bb5618866970a660 | |
parent | refactor(nixos/{nginx, nix-sync}): Migrate from `system/services` (diff) | |
download | nixos-server-d8fd64d771bb73e5ec1b68acf06df5159a53ed7c.zip |
fix(nixos/git-server): Add the required configuration to support http-clone
-rw-r--r-- | modules/nixos/vhack/git-server/default.nix | 46 |
1 files changed, 43 insertions, 3 deletions
diff --git a/modules/nixos/vhack/git-server/default.nix b/modules/nixos/vhack/git-server/default.nix index 0129699..a700ef4 100644 --- a/modules/nixos/vhack/git-server/default.nix +++ b/modules/nixos/vhack/git-server/default.nix @@ -5,11 +5,35 @@ ... }: let cfg = config.vhack.git-server; + /* + Until <https://github.com/NixOS/nixpkgs/pull/317293> is merged into + nixpkgs, we have to do the list to string conversion ourselves: + */ + toCgitRc = list: lib.strings.concatStringsSep " " list; in { options.vhack.git-server = { enable = lib.mkEnableOption '' a lightweight git-server, realised with cgit and gitolite. ''; + + domain = lib.mkOption { + type = lib.types.str; + default = "git.vhack.eu"; + description = '' + The domain this git instance will run under. + ''; + }; + + gitolite = { + adminPubkey = lib.mkOption { + description = '' + The initial key to use for gitolite. This will only be used for the initial + clone of the `gitolite-admin` repository. + ''; + type = lib.types.str; + default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A"; + }; + }; }; config = lib.mkIf cfg.enable { @@ -21,10 +45,22 @@ in { }; }; }; + + # Needed for the nginx proxy and the virtual host + vhack.nginx.enable = true; + services = { + fcgiwrap = { + # NOTE: This is needed as `cgit` otherwise fails to run `git` commands in the git + # repositories (for example, when cloning a repository over http). <2024-08-02> + # FIXME: Is there a way to not run _all_ wrapped cgi things as `git`? <2024-08-02> + user = "git"; + group = "nginx"; + }; + gitolite = { + inherit (cfg.gitolite) adminPubkey; enable = true; - adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A"; dataDir = "/srv/gitolite"; user = "git"; group = "git"; @@ -33,11 +69,15 @@ in { ''; }; - cgit."git.vhack.eu" = { + cgit."${cfg.domain}" = { enable = true; package = pkgs.cgit-pink; scanPath = "${config.services.gitolite.dataDir}/repositories"; settings = { + # Allow users to download a repo checkout with these compression formats + snapshots = toCgitRc ["tar.gz" "zip"]; + # The template used to generate the clone url for https clone. + clone-url = toCgitRc ["https://${cfg.domain}/$CGIT_REPO_URL" "ssh://git@${cfg.domain}/$CGIT_REPO_URL"]; enable-http-clone = true; section-from-path = true; project-list = "${config.services.gitolite.dataDir}/projects.list"; @@ -45,7 +85,7 @@ in { }; }; - nginx.virtualHosts."git.vhack.eu" = { + nginx.virtualHosts."${cfg.domain}" = { enableACME = true; forceSSL = true; }; |