Gitolite: Make directory readable for the group #63668
Conversation
Can you please paste the configuration of your use case?
Sure, here is my basic example configuration.

```nix
# git.nix
{
  resources.sshKeyPairs.ssh-key = {};
  network.description = "Git server";
  webserver = {
    deployment.targetEnv = "digitalOcean";
    deployment.digitalOcean = {
      enableIpv6 = true;
      region = "fra1";
      size = "s-1vcpu-1gb";
    };
    imports = [ ./gitolite.nix ./gitweb.nix ];
  };
}
```

```nix
# gitolite.nix
{ config, ... }:
let
  cfg = config.services.gitolite;
in {
  services.gitolite = {
    enable = true;
    user = "git";
    group = "git";
    dataDir = "/home/git";
    adminPubkey = builtins.readFile ./id_rsa.pub;
    extraGitoliteRc = ''
      $RC{UMASK} = 0027;
    '';
  };
  systemd.services."gitolite-init".script = ''
    chmod g+rx ${cfg.dataDir}
  '';
  networking.firewall.allowedTCPPorts = [ 22 ];
}
```

```nix
# gitweb.nix
{
  services.gitweb.projectroot = "/home/git/repositories";
  services.lighttpd.enable = true;
  services.lighttpd.gitweb.enable = true;
  users.users.lighttpd.extraGroups = [ "git" ];
  networking.firewall.allowedTCPPorts = [ 80 ];
}
```
@bake Thanks for the example. Without actually having tested this at all I wonder if this is a better approach to achieve the same goal: https://github.com/NixOS/nixpkgs/compare/master...aanderse:gitolite?expand=1
Thank you, I've just tested your modification and it works as expected. It also looks cleaner than just expanding the shell script. Out of curiosity: Do we need the
@bake Glad to hear it works. The
If you want to merge my changes into this PR please go ahead, otherwise I can open a PR from my branch and cc you in.
3cc8d46 to 72238ac
Thank you, I've merged your changes.
@bake Can you please squash all commits into a single?
72238ac to 4aea5c3
Sure
This pull request has been mentioned on Nix community. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review-may-2019/3032/29
@GrahamcOfBorg test gitolite
Thank you!
Motivation for this change
Using a frontend like GitWeb or cgit together with Gitolite requires the HTTPD serving the UI and Gitolite sharing a group and setting UMASK to something like 0027. This however does not modify permissions on Gitolite's directory in which it stores repositories. Is this use case common enough to change the permissions by default?
Things done
Setting the directory permissions to allow users in the same group as Gitolite to read its directory. This should be enough if it is in an already readable directory like /var/lib or /home.
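The permission gap described in this PR can be reproduced outside NixOS. The following shell script is an added example, not code from the PR or from nixpkgs: it builds a constructed directory layout under `mktemp -d` that stands in for `services.gitolite.dataDir`, uses the shell `umask 0027` in place of Gitolite's `$RC{UMASK}`, and walks from the data directory down to a repository file reporting the first path component whose mode bits deny the group read (for files) or read+execute (for directories). The helper names `group_can_traverse` and `first_group_blocker` are hypothetical. Only mode bits are inspected (via `find -perm`), so it gives the same answer whether run as root or as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the PR): show that umask 0027 alone leaves the
# top-level data directory closed to the group until it gets g+rx.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DATADIR="$WORK/git"                 # stands in for services.gitolite.dataDir
mkdir -m 0700 "$DATADIR"            # constructed: dataDir created without group access
umask 0027                          # stands in for $RC{UMASK} = 0027 in gitolite.rc
mkdir -p "$DATADIR/repositories/example.git"   # created as 0750 under this umask
touch "$DATADIR/repositories/example.git/HEAD" # created as 0640 under this umask

# Prints "yes" if the group read+execute bits are set on directory $1, else "no".
group_can_traverse() {
  if [ -n "$(find "$1" -prune -perm -g+rx -print)" ]; then echo yes; else echo no; fi
}

# Prints "yes" if the group read bit is set on file $1, else "no".
group_can_read() {
  if [ -n "$(find "$1" -prune -perm -g+r -print)" ]; then echo yes; else echo no; fi
}

# $1: top directory, $2: path relative to it. Prints the first component a
# group member cannot pass through (or read, for the final file), or "none".
first_group_blocker() {
  top="$1"; rel="$2"; cur="$top"
  [ "$(group_can_traverse "$cur")" = yes ] || { echo "$cur"; return 0; }
  old_ifs=$IFS; IFS=/
  for comp in $rel; do
    IFS=$old_ifs
    cur="$cur/$comp"
    if [ -d "$cur" ]; then
      [ "$(group_can_traverse "$cur")" = yes ] || { echo "$cur"; return 0; }
    else
      [ "$(group_can_read "$cur")" = yes ] || { echo "$cur"; return 0; }
    fi
  done
  IFS=$old_ifs
  echo none
}

echo "before: group blocked at $(first_group_blocker "$DATADIR" repositories/example.git/HEAD)"
chmod g+rx "$DATADIR"   # the directory permission change this PR applies to dataDir
echo "after:  group blocked at $(first_group_blocker "$DATADIR" repositories/example.git/HEAD)"
```

Run as-is it prints the data directory itself as the blocker first, then `none` after `chmod g+rx`: everything below the top directory was already group-accessible thanks to the umask, which is exactly why only the top-level directory needed changing. For a real deployment, substitute the path of `services.gitolite.dataDir` and the group the HTTPD user was added to.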