author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-09-06 07:38:10 +0200 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-09-06 07:43:31 +0200 |
commit | 60cf4ea476c0046079365555aadf93f70c030e46 (patch) | |
tree | 4fb5659de5980a9e14d0197916043ddc53863d73 | |
parent | fix(services/matrix/mautrix-whatsapp): Disable to remove libolm (diff) | |
download | nixos-server-60cf4ea476c0046079365555aadf93f70c030e46.tar.gz nixos-server-60cf4ea476c0046079365555aadf93f70c030e46.zip |
fix(git-server/cgit): Don't run `cgit` as `root` use `git` instead
This option was newly added, as previously only one `fcgiwrap` instance was run as root. We probably have not been affected by this, as our `fcgiwrap` instance was already running as `git:nginx`. Usage of the new options seems better either way, as they provide finer-grained control over the user _each_ `fcgiwrap`ped service is running as. The security advisory: https://discourse.nixos.org/t/51419
-rw-r--r-- | modules/nixos/vhack/git-server/default.nix | 10 |
1 files changed, 2 insertions, 8 deletions
diff --git a/modules/nixos/vhack/git-server/default.nix b/modules/nixos/vhack/git-server/default.nix index 610c6e7..5c25bd7 100644 --- a/modules/nixos/vhack/git-server/default.nix +++ b/modules/nixos/vhack/git-server/default.nix @@ -57,14 +57,6 @@ in { vhack.nginx.enable = true; services = { - fcgiwrap = { - # NOTE: This is needed as `cgit` otherwise fails to run `git` commands in the git - # repositories (for example, when cloning a repository over http). <2024-08-02> - # FIXME: Is there a way to not run _all_ wrapped cgi things as `git`? <2024-08-02> - user = "git"; - group = "nginx"; - }; - gitolite = { inherit (cfg.gitolite) adminPubkey; enable = true; @@ -90,6 +82,8 @@ in { enable = true; package = pkgs.cgit-pink; scanPath = "${config.services.gitolite.dataDir}/repositories"; + user = "git"; + group = "git"; settings = { branch-sort = "age"; |
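Review bot: The added `user = "git"; group = "git";` in the cgit block runs the web-facing CGI as what is presumably the account that owns the gitolite data under `scanPath`. If so, a flaw in cgit would allow writes to every repository and to gitolite's own state, although cgit only needs read access. The removed NOTE explaining why `git` is required was dropped with the `fcgiwrap` block, so the reason for this choice is no longer recorded. I would add a comment above the new lines such as `# NOTE: cgit runs as `git` so it can run git commands in the gitolite repositories; this also grants write access (consider a dedicated read-only user).` The cgit attribute set starts and ends outside the hunk, so whether another setting already restricts the process cannot be seen here.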