nixos/cgit: configurable user instead of root
This allows running cgit instances as dedicated users instead of root. The user now defaults to "cgit".
This commit is contained in:
parent
51b246a1ac
commit
2d8626bf0a
@ -54,6 +54,10 @@
|
|||||||
Processes also now run as a dynamically allocated user by default instead of
|
Processes also now run as a dynamically allocated user by default instead of
|
||||||
root.
|
root.
|
||||||
|
|
||||||
|
- `services.cgit` now runs as the cgit user by default instead of root.
|
||||||
|
This change requires granting access to the repositories to this user or
|
||||||
|
setting the appropriate one through `services.cgit.some-instance.user`.
|
||||||
|
|
||||||
- `nvimpager` was updated to version 0.13.0, which changes the order of user and
|
- `nvimpager` was updated to version 0.13.0, which changes the order of user and
|
||||||
nvimpager settings: user commands in `-c` and `--cmd` now override the
|
nvimpager settings: user commands in `-c` and `--cmd` now override the
|
||||||
respective default settings because they are executed later.
|
respective default settings because they are executed later.
|
||||||
|
@ -154,6 +154,18 @@ in
|
|||||||
type = types.lines;
|
type = types.lines;
|
||||||
default = "";
|
default = "";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
user = mkOption {
|
||||||
|
description = "User to run the cgit service as.";
|
||||||
|
type = types.str;
|
||||||
|
default = "cgit";
|
||||||
|
};
|
||||||
|
|
||||||
|
group = mkOption {
|
||||||
|
description = "Group to run the cgit service as.";
|
||||||
|
type = types.str;
|
||||||
|
default = "cgit";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}));
|
}));
|
||||||
};
|
};
|
||||||
@ -165,8 +177,17 @@ in
|
|||||||
message = "Exactly one of services.cgit.${vhost}.scanPath or services.cgit.${vhost}.repos must be set.";
|
message = "Exactly one of services.cgit.${vhost}.scanPath or services.cgit.${vhost}.repos must be set.";
|
||||||
}) cfgs;
|
}) cfgs;
|
||||||
|
|
||||||
|
users = mkMerge (flip mapAttrsToList cfgs (_: cfg: {
|
||||||
|
users.${cfg.user} = {
|
||||||
|
isSystemUser = true;
|
||||||
|
inherit (cfg) group;
|
||||||
|
};
|
||||||
|
groups.${cfg.group} = { };
|
||||||
|
}));
|
||||||
|
|
||||||
services.fcgiwrap = flip mapAttrs' cfgs (name: cfg:
|
services.fcgiwrap = flip mapAttrs' cfgs (name: cfg:
|
||||||
nameValuePair "cgit-${name}" {
|
nameValuePair "cgit-${name}" {
|
||||||
|
process = { inherit (cfg) user group; };
|
||||||
socket = { inherit (config.services.nginx) user group; };
|
socket = { inherit (config.services.nginx) user group; };
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
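Review bot: The `users` definition in the second hunk declares `users.users.${cfg.user}` with `isSystemUser = true` and `group = cfg.group`, plus `users.groups.${cfg.group}`, for whatever names the administrator configures; the commit message explicitly invites pointing `user` at an existing account (the one owning the repositories), and in that case this module adds a second definition of that account, which likely fails evaluation when the `group` values differ or when `isSystemUser` meets an existing `isNormalUser`, and at best silently re-declares an account the module does not own. The usual pattern is to create the account only when the default name is in use, i.e. inside the per-instance function write `users = mkIf (cfg.user == "cgit") { cgit = { isSystemUser = true; inherit (cfg) group; }; };` and `groups = mkIf (cfg.group == "cgit") { cgit = { }; };`. The option descriptions in the first hunk could then say that a non-default name must refer to an account defined elsewhere. The enclosing `config` attribute set begins before the first hunk and continues past the last shown line.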
@ -23,7 +23,7 @@ in {
|
|||||||
nginx.location = "/(c)git/";
|
nginx.location = "/(c)git/";
|
||||||
repos = {
|
repos = {
|
||||||
some-repo = {
|
some-repo = {
|
||||||
path = "/srv/git/some-repo";
|
path = "/tmp/git/some-repo";
|
||||||
desc = "some-repo description";
|
desc = "some-repo description";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -50,12 +50,12 @@ in {
|
|||||||
|
|
||||||
server.fail("curl -fsS http://localhost/robots.txt")
|
server.fail("curl -fsS http://localhost/robots.txt")
|
||||||
|
|
||||||
server.succeed("${pkgs.writeShellScript "setup-cgit-test-repo" ''
|
server.succeed("sudo -u cgit ${pkgs.writeShellScript "setup-cgit-test-repo" ''
|
||||||
set -e
|
set -e
|
||||||
git init --bare -b master /srv/git/some-repo
|
git init --bare -b master /tmp/git/some-repo
|
||||||
git init -b master reference
|
git init -b master reference
|
||||||
cd reference
|
cd reference
|
||||||
git remote add origin /srv/git/some-repo
|
git remote add origin /tmp/git/some-repo
|
||||||
date > date.txt
|
date > date.txt
|
||||||
git add date.txt
|
git add date.txt
|
||||||
git -c user.name=test -c user.email=test@localhost commit -m 'add date'
|
git -c user.name=test -c user.email=test@localhost commit -m 'add date'
|
||||||
|
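Review bot: Moving the test repository from `/srv/git` to `/tmp/git` in the first hunk and running the setup script via `sudo -u cgit` in the second sidesteps the scenario the release note tells users to handle, namely granting the `cgit` user access to a repository directory it does not create itself, so the test no longer checks that case. Keeping `path = "/srv/git/some-repo"` and preparing the directory as root before the `sudo` call, e.g. `server.succeed("install -d -o cgit -g cgit /srv/git")`, would exercise the documented setup and avoid relying on a world-writable location. The `reference` working tree is also created relative to the test shell's current directory, which may not be writable by `cgit` depending on the driver's cwd; an explicit path under the prepared directory, or a `cd` at the top of the script, would make that robust. Both hunks lie inside definitions that start and end outside the shown lines.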