
Gitolite: Make directory readable for the group #63668

Merged
merged 1 commit into NixOS:master from gitolite-directory-permissions on Aug 4, 2019

Conversation

bake
Contributor

@bake bake commented Jun 22, 2019

Motivation for this change

Using a frontend like GitWeb or cgit together with Gitolite requires the HTTPD serving the UI and Gitolite sharing a group and setting UMASK to something like 0027. This however does not modify permissions on Gitolite's directory in which it stores repositories.

Is this use case common enough to change the permissions by default?

Things done

Setting the directory permissions to allow users in the same group as Gitolite to read its directory. This should be enough if it is in an already readable directory like /var/lib or /home.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@aanderse
Member

Can you please paste the configuration of your use case?

@bake
Contributor Author

bake commented Jul 22, 2019

Sure, here is my basic example configuration.

```nix
# git.nix
{
  resources.sshKeyPairs.ssh-key = {};
  network.description = "Git server";
  webserver = {
    deployment.targetEnv = "digitalOcean";
    deployment.digitalOcean = {
      enableIpv6 = true;
      region = "fra1";
      size = "s-1vcpu-1gb";
    };
    imports = [ ./gitolite.nix ./gitweb.nix ];
  };
}
```

```nix
# gitolite.nix
{ config, ... }:

let
  cfg = config.services.gitolite;
in {
  services.gitolite = {
    enable = true;
    user = "git";
    group = "git";
    dataDir = "/home/git";
    adminPubkey = builtins.readFile ./id_rsa.pub;
    extraGitoliteRc = ''
      $RC{UMASK} = 0027;
    '';
  };
  # make the data directory traversable/readable for the shared "git" group
  systemd.services."gitolite-init".script = ''
    chmod g+rx ${cfg.dataDir}
  '';
  networking.firewall.allowedTCPPorts = [ 22 ];
}
```

```nix
# gitweb.nix
{
  services.gitweb.projectroot = "/home/git/repositories";
  services.lighttpd.enable = true;
  services.lighttpd.gitweb.enable = true;
  # the web server joins Gitolite's group so the 0027 umask lets it read repositories
  users.users.lighttpd.extraGroups = [ "git" ];
  networking.firewall.allowedTCPPorts = [ 80 ];
}
```

@aanderse
Member

@bake Thanks for the example.

Without actually having tested this at all I wonder if this is a better approach to achieve the same goal: https://github.com/NixOS/nixpkgs/compare/master...aanderse:gitolite?expand=1

@bake
Contributor Author

bake commented Jul 27, 2019

Thank you, I've just tested your modification and it works as expected. It also looks cleaner than just expanding the shellscript.

Out of curiosity: Do we need the Z in systemd.tmpfiles.rules? I'm not familiar with tmpfiles, but it looks like it doesn't change anything, since the directories already got those permissions.

@aanderse
Member

@bake Glad to hear it works. The Z is not always required, but sometimes nice to have just in case:

Recursively set the access mode, user and group ownership, and restore the SELinux security context of a file or directory if it exists, as well as of its subdirectories and the files contained therein (if applicable).

If you want to merge my changes into this PR please go ahead, otherwise I can open a PR from my branch and cc you in.
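An added example, not code from this PR or from nixpkgs, covering both the permission layout in the configuration above (data directory `g+rx`, repositories created under `$RC{UMASK} = 0027`) and the question of what a recursive tmpfiles `Z` line adds: a POSIX shell check that verifies the shared-group policy on a directory tree and lists entries that violate it. Function names and paths are hypothetical; the script builds its own scratch tree under a temporary directory and does not touch a real Gitolite installation.

```sh
#!/bin/sh
# Added example, not part of the PR or of nixpkgs: verify the permission
# layout a Gitolite + GitWeb/cgit setup relies on when both share a group
# and Gitolite runs with UMASK 0027. All paths and function names are
# hypothetical; the demo creates its own scratch tree with mktemp.

# Octal permission bits of a path, e.g. 750 (GNU stat, BSD stat fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds when the group has read+execute on the path and "others" have
# nothing, i.e. the mode that chmod g+rx produces on a 0700 data directory.
check_group_readable() {
  case $(mode_of "$1") in
    *[57]0) return 0 ;;   # group r-x or rwx, others ---
    *)      return 1 ;;
  esac
}

# List entries below ROOT that break the policy: directories the group cannot
# traverse, files it cannot read, or anything readable/writable/executable by
# others. Symlinks are skipped because their own mode bits carry no meaning.
# Non-empty output is exactly what a recursive tmpfiles "Z" line would repair
# (e.g. repositories created before the umask was changed).
find_policy_violations() {
  find "$1" ! -type l \( \
      \( -type d ! -perm -g+rx \) -o \( ! -type d ! -perm -g+r \) \
      -o -perm -o+r -o -perm -o+w -o -perm -o+x \)
}

# Walk through the scenario from the thread in a scratch directory and print
# each step; returns 0 only if the final tree is policy-clean.
demo() {
  scratch=$(mktemp -d) || return 1
  data="$scratch/git"                  # stands in for services.gitolite.dataDir
  mkdir -m 700 "$data"
  printf 'fresh data dir: %s -> group readable? ' "$(mode_of "$data")"
  check_group_readable "$data" && echo yes || echo no
  chmod g+rx "$data"                   # what the PR adds to gitolite-init
  printf 'after chmod g+rx: %s -> group readable? ' "$(mode_of "$data")"
  check_group_readable "$data" && echo yes || echo no
  (
    umask 0027                         # $RC{UMASK} = 0027 in gitolite.rc
    mkdir -p "$data/repositories/demo.git"
    : > "$data/repositories/demo.git/HEAD"
  )
  echo "repo dir:  $(mode_of "$data/repositories/demo.git")"
  echo "repo file: $(mode_of "$data/repositories/demo.git/HEAD")"
  bad=$(find_policy_violations "$data")
  rm -rf "$scratch"
  [ -z "$bad" ]
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh check-gitolite-perms.sh demo` to see the walkthrough, or source it and call `find_policy_violations /home/git` on a real data directory (as a user allowed to read it) to find repositories that predate the umask change and still need the recursive fix.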

@bake bake force-pushed the gitolite-directory-permissions branch from 3cc8d46 to 72238ac July 27, 2019 20:56
@bake
Contributor Author

bake commented Jul 27, 2019

Thank you, I've merged your changes.

@aanderse
Member

@bake Can you please squash all commits into a single one?

@bake bake force-pushed the gitolite-directory-permissions branch from 72238ac to 4aea5c3 July 28, 2019 09:49
@bake
Contributor Author

bake commented Jul 29, 2019

Sure

@nixos-discourse

This pull request has been mentioned on Nix community. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review-may-2019/3032/29

@aanderse
Member

@GrahamcOfBorg test gitolite

@teto teto merged commit 9e2a710 into NixOS:master Aug 4, 2019
@aanderse
Member

aanderse commented Aug 4, 2019

Thanks @teto and @bake!

@bake
Contributor Author

bake commented Aug 4, 2019

Thank you!
