author | Linnnus <[email protected]> | 2024-09-28 12:34:57 +0200 |
---|---|---|
committer | Linnnus <[email protected]> | 2024-09-28 12:34:57 +0200 |
commit | 36696602adec6f57240f11c4c8e8752d62be38f2 (patch) | |
tree | 1d983f7a9346f40ee1fdf240be5766dab3ce19eb | |
parent | 8a99090226b46caf445e0d4b957f74775b07401b (diff) |
Run CGit as unpriveledged user
-rw-r--r-- | hosts/ahmed/git.linus.onl/default.nix | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/hosts/ahmed/git.linus.onl/default.nix b/hosts/ahmed/git.linus.onl/default.nix index fcee268..be62efa 100644 --- a/hosts/ahmed/git.linus.onl/default.nix +++ b/hosts/ahmed/git.linus.onl/default.nix @@ -14,7 +14,7 @@ location = "/srv/git"; in { config = { - # Create a user which + # Create a user which will own (i.e. have rw access to) the git repositories. # See: https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server users.users.git = { description = "Git server user"; @@ -56,6 +56,13 @@ in { services.cgit."git.linus.onl" = { enable = true; + # This CGit instance and the fcgiwrap instance coupled to this CGit + # instance will use this unpriveledged user to access the world readable + # git repositories. This is fine as they only need read access. + # See: https://discourse.nixos.org/t/51419 + user = "cgit"; + group = "cgit"; + scanPath = location; settings = let package = config.services.cgit."git.linus.onl".package; |
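Review bot: The comment added above `user = "cgit";` rests on the repositories under `location` being world-readable, but nothing visible in this hunk sets or checks those modes, so cgit's read access depends on permissions configured elsewhere. World-readable access also lets every other local account and service on the host read the repositories, which is broader than the "read access for cgit" the comment describes. If any repository is not meant to be public, a shared group with group-readable repositories would be narrower; whether that applies here cannot be told from the diff. Either way I would record the dependency next to the option, for example `# NOTE: relies on /srv/git being readable by "other"; all local users can then read the repositories as well.` The `services.cgit."git.linus.onl"` attribute set continues outside the hunk.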