From 843777c20c09feb37d7112861d81bd41dcd0f7b2 Mon Sep 17 00:00:00 2001
From: Benedikt Peetz <benedikt.peetz@b-peetz.de>
Date: Sun, 15 Feb 2026 14:20:56 +0100
Subject: modules/cgit: Stop exposing all repositories as http clones

This feature has recently been added to nixpkgs to fix the security
vulnerability.
---
 modules/by-name/gi/git-server/module.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/by-name/gi/git-server/module.nix b/modules/by-name/gi/git-server/module.nix
index db35897..4ddfca4 100644
--- a/modules/by-name/gi/git-server/module.nix
+++ b/modules/by-name/gi/git-server/module.nix
@@ -88,6 +88,12 @@ in {
         scanPath = "${config.services.gitolite.dataDir}/repositories";
         user = "git";
         group = "git";
+
+        # Don't bypass `cgit` when performing a http only clone.
+        # This is slightly slower, but we don't need to worry about the access
+        # restrictions also being by-passed.
+        gitHttpBackend.enable = false;
+
         settings = {
           branch-sort = "age";
 
-- 
cgit 1.4.1