Re: Set up cgit with git-http-backend properly
From: |
pelzflorian (Florian Pelz) |
Subject: |
Re: Set up cgit with git-http-backend properly |
Date: |
Sat, 02 Jul 2022 11:35:37 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux) |
Hi Simon,
what did you base your setup on?
Simon Streit <simon@netpanic.org> writes:
> (locations
> (list
> (git-http-nginx-location-configuration
> (git-http-configuration (uri-path "/")))
The guix repo has in file gnu/tests/version-control.scm the setting
(locations
 (list (git-http-nginx-location-configuration
        ;; export-all? #t makes git-http-backend serve every repository under
        ;; the configured git root, including ones that lack a
        ;; git-daemon-export-ok marker file.  That suits a test VM; on a
        ;; public server, confirm every repository there is meant to be public.
        (git-http-configuration (export-all? #t)
                                (uri-path "/git")))))
with uri-path "/git". I think you want "/" though, because it has its own
domain. Or maybe you want "".
When I still had a server, I had been using:
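;; nginx service configuration with a single TLS virtual host for
;; mailbaby.de.  It listens only on port 443, serves cgit's static assets
;; under /cgit/ and passes every request under /git/ to cgit.cgi through the
;; fcgiwrap Unix socket.
(nginx-configuration
 ;; Do not use gzip compression to avoid the BREACH attack on
 ;; TLSv1.2.  It could frustrate HTTPS.
 (server-blocks
  (let ((server-names '("mailbaby.de" "www.mailbaby.de")))
    (list (nginx-server-configuration
           (server-name server-names)
           (listen '("443 ssl http2" "[::]:443 ssl http2"))
           (root "/var/www")
           (ssl-certificate "\
/etc/letsencrypt/live/mailbaby.de/fullchain.pem")
           (ssl-certificate-key "\
/etc/letsencrypt/live/mailbaby.de/privkey.pem")
           (locations
            (list
             (nginx-location-configuration
              (uri "/cgit/")            ;for cgit css
              (body
               `(("root " ,#~#$(file-append cgit "/share") ";"))))
             (nginx-location-configuration
              (uri "/git/")
              (body
               `(("include "
                  ,#~#$(file-append nginx
                                    "/share/nginx/conf/fastcgi_params")
                  ";")
                 ;; Every request under /git/ runs the same CGI binary; the
                 ;; script path is fixed here and never taken from the request.
                 ("fastcgi_param SCRIPT_FILENAME "
                  ,#~#$(file-append cgit "/lib/cgit/cgit.cgi") ";")
                 ;; cgit receives the request URI as PATH_INFO.
                 "fastcgi_param PATH_INFO $uri;"
                 "fastcgi_param QUERY_STRING $args;"
                 ;; HTTP_HOST is pinned to the configured server name instead
                 ;; of the client-supplied Host header.
                 "fastcgi_param HTTP_HOST $server_name;"
                 "fastcgi_param HTTPS on;"
                 "fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;")))))
           ;; Rewriting of old URLs to new URLs is not yet necessary.
           (raw-content
            (list
             ;; TLS settings; remember to keep them up to date
             ;; with https://geekflare.com/ssl-test-certificate/
             "ssl_prefer_server_ciphers on;"
             "ssl_protocols TLSv1.2 TLSv1.3;"
             ;; DH parameters are needed for the DHE-RSA suite listed below.
             "ssl_dhparam /etc/dhparam;"
             ;; Resolver used for the OCSP stapling lookups.
             ;; NOTE(review): nginx queries it over plain DNS; a resolver on
             ;; a trusted network is preferable, since spoofed answers would
             ;; affect stapling.
             "resolver ns01.domainssaubillig.de ipv6=off;"
             "ssl_stapling on;"
             "ssl_stapling_verify on;"
             "ssl_trusted_certificate \
/etc/letsencrypt/live/mailbaby.de/chain.pem;"
             ;; HSTS also covers every subdomain; all of them must then be
             ;; reachable over HTTPS.
             "add_header Strict-Transport-Security \
\"max-age=31536000; includeSubDomains\" always;"
             "ssl_buffer_size 4k;"
             ;; NOTE(review): with session tickets on, forward secrecy of
             ;; resumed TLSv1.2 sessions depends on the ticket key being
             ;; rotated -- confirm this trade-off is intended.
             "ssl_session_tickets on;"
             "ssl_session_timeout 4h;"
             ;; Ciphers according to:
             ;; https://www.cloudinsidr.com/content/tls-1-3-and-tls-1-2-cipher-suites-demystified-how-to-pick-your-ciphers-wisely/
             ;;
             ;; The first entry was misspelled "POLY1304" and is corrected
             ;; here.
             ;; NOTE(review): ssl_ciphers sets OpenSSL's cipher list for
             ;; TLSv1.2 and older.  The two TLS_* entries are TLSv1.3 suite
             ;; names, which that list does not select, so TLSv1.3 presumably
             ;; keeps the library's default suites -- verify with a TLS
             ;; scanner.
             ;; NOTE(review): ECDHE-ECDSA-AES256-SHA384 is the only CBC-mode
             ;; (non-AEAD) suite in the list; consider whether it is still
             ;; needed.
             "ssl_ciphers \
TLS_CHACHA20_POLY1305_SHA256:\
TLS_AES_256_GCM_SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES256-SHA384:\
ECDHE-RSA-CHACHA20-POLY1305:\
DHE-RSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES256-GCM-SHA384;"
             ;; Adjust anti-DoS settings when HTTP errors occur.
             ;; See documentation for ngx_http_core_module.
             "client_body_timeout 15s;"
             "client_header_timeout 15s;"
             "client_max_body_size 4096k;"
             "keepalive_timeout 65;"))))))
 (extra-content "ssl_session_cache shared:SSL:40m;"))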
[…]
;; Activation snippet: create /var/run/fcgiwrap (the directory that holds the
;; fcgiwrap socket nginx connects to), hand it to nginx:nginx and set its mode
;; to 775.
;; NOTE(review): 775 lets the nginx user and group create or replace entries
;; in the directory, and lets every local user traverse it; who can actually
;; talk to fcgiwrap then depends on the socket's own mode -- confirm.
(define fcgiwrap-home-activation
  #~(let* ((socket-dir "/var/run/fcgiwrap")
           (nginx-uid (passwd:uid (getpwnam "nginx")))
           (nginx-gid (group:gid (getgrnam "nginx"))))
      (mkdir-p socket-dir)
      (chown socket-dir nginx-uid nginx-gid)
      (chmod socket-dir #o775)))
;; Service that extends activation-service-type with
;; fcgiwrap-home-activation, so the snippet runs whenever the system is
;; activated.
(define fcgiwrap-home-service
  (simple-service 'make-fcgiwrap-home activation-service-type
                  fcgiwrap-home-activation))
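;; Activation snippet: set /var/lib/gitolite to mode 755 when it exists,
;; otherwise print a warning asking for another reconfigure.
;; The warning's "~a" directive previously had no argument, which makes
;; `format' raise an error instead of printing; the directory is now passed.
;; NOTE(review): 755 lets every local user list and enter gitolite's home
;; directory.  What they can read below it depends on the modes of the files
;; there -- check that only the repositories are exposed.
(define git-group-permissions-activation
  #~(let ((dir "/var/lib/gitolite"))
      (if (file-exists? dir)
          (chmod dir #o755)
          (format #t "WARNING: ~a does not exist yet; reconfigure again!"
                  dir))))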
;; Services for the Git web front end: a cgit service listing three
;; repositories under /var/lib/gitolite/repositories, plus the activation
;; service that adjusts the permissions of gitolite's home directory.
(define git-services
  (list
   (service cgit-service-type
            (cgit-configuration
             (repository-directory "/var/lib/gitolite/repositories")
             (repositories
              (list
               ;; NOTE(review): this publishes gitolite-admin through cgit.
               ;; That repository normally holds gitolite's access rules and
               ;; the users' SSH public keys -- confirm it is meant to be
               ;; readable by everyone.
               (repository-cgit-configuration
                (url "git/gitolite-admin")
                (desc "Git configuration.")
                (path "/var/lib/gitolite/repositories/gitolite-admin.git"))
               ;; NOTE(review): a published system configuration should be
               ;; checked for secrets (passwords, keys, tokens) in its
               ;; history.
               (repository-cgit-configuration
                (url "git/machine-mailbaby-de")
                (desc "Guix System config.")
                (path "/var/lib/gitolite/repositories/machine-mailbaby-de.git"))
               (repository-cgit-configuration
                (url "git/mirror-of-gene-network")
                (desc "Mirror of Efraim Flashner's Guix channel.")
                (path "/var/lib/gitolite/repositories/mirror-of-gene-network.git"))))
             ;; Let cgit take repository-specific settings from each
             ;; repository's Git config.
             (enable-git-config? #t)
             (enable-index-owner? #f)
             ;; Both assets are served by the /cgit/ nginx location.
             (css "/cgit/cgit.css")
             (logo "/cgit/cgit.png")))
   (simple-service 'git-group-permissions activation-service-type
                   git-group-permissions-activation)))
Particularly note the (locations). I think I had copied it and adapted
it from many places. Can’t remember.
Regards,
Florian