Run CGit as unpriveledged user

author: Linnnus <[email protected]> 2024-09-28 12:34:57 +0200
committer: Linnnus <[email protected]> 2024-09-28 12:34:57 +0200
commit: 36696602adec6f57240f11c4c8e8752d62be38f2 (patch)
tree: 1d983f7a9346f40ee1fdf240be5766dab3ce19eb /hosts/ahmed/git.linus.onl/default.nix
parent: 8a99090226b46caf445e0d4b957f74775b07401b (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/hosts/ahmed/git.linus.onl/default.nix b/hosts/ahmed/git.linus.onl/default.nix
index fcee268..be62efa 100644
--- a/hosts/ahmed/git.linus.onl/default.nix
+++ b/hosts/ahmed/git.linus.onl/default.nix
@@ -14,7 +14,7 @@
   location = "/srv/git";
 in {
   config = {
-    # Create a user which
+    # Create a user which will own (i.e. have rw access to) the git repositories.
     # See: https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server
     users.users.git = {
       description = "Git server user";
@@ -56,6 +56,13 @@ in {
     services.cgit."git.linus.onl" = {
       enable = true;
 
+      # This CGit instance and the fcgiwrap instance coupled to this CGit
+      # instance will use this unpriveledged user to access the world readable
+      # git repositories. This is fine as they only need read access.
+      # See: https://discourse.nixos.org/t/51419
+      user = "cgit";
+      group = "cgit";
+
       scanPath = location;
       settings = let
         package = config.services.cgit."git.linus.onl".package;
author	Linnnus <[email protected]>	2024-09-28 12:34:57 +0200
committer	Linnnus <[email protected]>	2024-09-28 12:34:57 +0200
commit	36696602adec6f57240f11c4c8e8752d62be38f2 (patch)
tree	1d983f7a9346f40ee1fdf240be5766dab3ce19eb /hosts/ahmed/git.linus.onl/default.nix
parent	8a99090226b46caf445e0d4b957f74775b07401b (diff)