From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
To: Simon Streit <simon@netpanic.org>
Cc: help-guix@gnu.org
Subject: Re: Set up cgit with git-http-backend properly
Date: Sat, 02 Jul 2022 11:35:37 +0200 [thread overview]
Message-ID: <87wncvdfh2.fsf@pelzflorian.de> (raw)
In-Reply-To: pelzflorian@pelzflorian.de's message of "(unknown date)"
Hi Simon,

what did you base your setup on?

Simon Streit <simon@netpanic.org> writes:

> (locations
>  (list
>   (git-http-nginx-location-configuration
>    (git-http-configuration (uri-path "/")))
The guix repo has in file gnu/tests/version-control.scm the setting

(locations
 (list (git-http-nginx-location-configuration
        (git-http-configuration (export-all? #t)
                                (uri-path "/git")))))

with uri-path "/git".  I think you want "/" though because it has its own
domain.  Or maybe you want "".

When I still had a server, I had been using:

(nginx-configuration
 ;; Do not use gzip compression to avoid the BREACH attack on
 ;; TLSv1.2.  It could frustrate HTTPS.
 (server-blocks
  (let ((server-names '("mailbaby.de" "www.mailbaby.de")))
    (list (nginx-server-configuration
           (server-name server-names)
           (listen '("443 ssl http2" "[::]:443 ssl http2"))
           (root "/var/www")
           (ssl-certificate
            "/etc/letsencrypt/live/mailbaby.de/fullchain.pem")
           (ssl-certificate-key
            "/etc/letsencrypt/live/mailbaby.de/privkey.pem")
           (locations
            (list
             (nginx-location-configuration
              (uri "/cgit/")                  ;for cgit css
              (body
               `(("root " ,#~#$(file-append cgit "/share") ";"))))
             (nginx-location-configuration
              (uri "/git/")
              (body
               `(("include "
                  ,#~#$(file-append nginx
                                    "/share/nginx/conf/fastcgi_params")
                  ";")
                 ("fastcgi_param SCRIPT_FILENAME "
                  ,#~#$(file-append cgit "/lib/cgit/cgit.cgi") ";")
                 "fastcgi_param PATH_INFO $uri;"
                 "fastcgi_param QUERY_STRING $args;"
                 "fastcgi_param HTTP_HOST $server_name;"
                 "fastcgi_param HTTPS on;"
                 "fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;")))))
           ;; Rewriting of old URLs to new URLs is not yet necessary.
           (raw-content
            (list
             ;; TLS settings; remember to keep them up to date
             ;; with https://geekflare.com/ssl-test-certificate/
             "ssl_prefer_server_ciphers on;"
             "ssl_protocols TLSv1.2 TLSv1.3;"
             "ssl_dhparam /etc/dhparam;"
             "resolver ns01.domainssaubillig.de ipv6=off;"
             "ssl_stapling on;"
             "ssl_stapling_verify on;"
             "ssl_trusted_certificate /etc/letsencrypt/live/mailbaby.de/chain.pem;"
             "add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;"
             "ssl_buffer_size 4k;"
             "ssl_session_tickets on;"
             "ssl_session_timeout 4h;"
             ;; Ciphers according to:
             ;; https://www.cloudinsidr.com/content/tls-1-3-and-tls-1-2-cipher-suites-demystified-how-to-pick-your-ciphers-wisely/
             "ssl_ciphers \
TLS_CHACHA20_POLY1305_SHA256:\
TLS_AES_256_GCM_SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES256-SHA384:\
ECDHE-RSA-CHACHA20-POLY1305:\
DHE-RSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES256-GCM-SHA384;"
             ;; Adjust anti-DoS settings when HTTP errors occur.
             ;; See documentation for ngx_http_core_module.
             "client_body_timeout 15s;"
             "client_header_timeout 15s;"
             "client_max_body_size 4096k;"
             "keepalive_timeout 65;"))))))
 (extra-content "ssl_session_cache shared:SSL:40m;"))
[…]
(define fcgiwrap-home-activation
  #~(let ((out "/var/run/fcgiwrap")
          (user (getpwnam "nginx"))
          (group (getgrnam "nginx")))
      (mkdir-p out)
      (chown out (passwd:uid user) (group:gid group))
      (chmod out #o775)))

(define fcgiwrap-home-service
  (simple-service 'make-fcgiwrap-home activation-service-type
                  fcgiwrap-home-activation))

(define git-group-permissions-activation
  #~(let ((dir "/var/lib/gitolite"))
      (if (file-exists? dir)
          (chmod dir #o755)
          (format #t "WARNING: ~a does not exist yet; reconfigure again!~%"
                  dir))))

(define git-services
  (list
   (service cgit-service-type
            (cgit-configuration
             (repository-directory "/var/lib/gitolite/repositories")
             (repositories
              (list
               (repository-cgit-configuration
                (url "git/gitolite-admin")
                (desc "Git configuration.")
                (path "/var/lib/gitolite/repositories/gitolite-admin.git"))
               (repository-cgit-configuration
                (url "git/machine-mailbaby-de")
                (desc "Guix System config.")
                (path "/var/lib/gitolite/repositories/machine-mailbaby-de.git"))
               (repository-cgit-configuration
                (url "git/mirror-of-gene-network")
                (desc "Mirror of Efraim Flashner's Guix channel.")
                (path "/var/lib/gitolite/repositories/mirror-of-gene-network.git"))))
             (enable-git-config? #t)
             (enable-index-owner? #f)
             (css "/cgit/cgit.css")
             (logo "/cgit/cgit.png")))
   (simple-service 'git-group-permissions activation-service-type
                   git-group-permissions-activation)))
Particularly note the (locations).  I think I had copied it and adapted
it from many places.  Can’t remember.

Regards,
Florian
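An added practitioner check for the TLS part of the configuration above (example code written for this page, not taken from the message or from Guix or nginx). nginx hands the `ssl_ciphers` value to OpenSSL's SSL_CTX_set_cipher_list(), whose grammar covers TLS 1.2-and-earlier suites only: TLS 1.3 names such as `TLS_AES_256_GCM_SHA384` in that string are silently skipped, and so is any misspelled name, because OpenSSL only complains when nothing at all matches. TLS 1.3 suites are configured with `ssl_conf_command Ciphersuites ...` (nginx 1.19.4 or later). The script classifies every token of an `ssl_ciphers` value and proposes the directive pair OpenSSL will actually honour. Its sample input is constructed, modelled on the cipher string in the message with one name deliberately misspelled (`POLY1304`) to show what a typo does.

```python
"""Audit an nginx ssl_ciphers value the way OpenSSL will actually read it.

Added example for this page (not code from the message above, not part of
Guix or nginx).  Facts it encodes, for nginx linked against OpenSSL 1.1.1+:

* ssl_ciphers is passed to SSL_CTX_set_cipher_list(), whose grammar covers
  TLS 1.2-and-earlier suites only.  TLS 1.3 names such as
  TLS_AES_256_GCM_SHA384 are silently skipped; they belong in
  "ssl_conf_command Ciphersuites ..." (nginx >= 1.19.4).
* Unknown tokens, including misspelled suite names, are skipped silently
  too; OpenSSL only errors when nothing at all matches.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The TLS 1.3 suite names OpenSSL accepts in SSL_CTX_set_ciphersuites().
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# Forward-secret TLS 1.2 suites in OpenSSL spelling.  The "aead" branch is
# GCM / ChaCha20-Poly1305; the "cbc" branch is CBC-mode AES with HMAC
# (e.g. ECDHE-ECDSA-AES256-SHA384), legal but weaker, so it is reported
# separately for the operator to decide on.  OpenSSL keywords such as
# HIGH or aNULL are not expanded here; the audit expects explicit names.
_TLS12 = re.compile(
    r"^(?:ECDHE|DHE)-(?:ECDSA|RSA)-"
    r"(?:(?P<aead>AES(?:128|256)-GCM-SHA(?:256|384)|CHACHA20-POLY1305)"
    r"|(?P<cbc>AES(?:128|256)-SHA(?:256|384)?))$"
)


@dataclass
class CipherAudit:
    tls12_aead: list[str] = field(default_factory=list)
    tls12_cbc: list[str] = field(default_factory=list)
    tls13_misplaced: list[str] = field(default_factory=list)  # valid, wrong directive
    unknown: list[str] = field(default_factory=list)          # typo / unsupported

    @property
    def clean(self) -> bool:
        """True when every token will take effect as the operator expects."""
        return not (self.tls12_cbc or self.tls13_misplaced or self.unknown)


def audit_ssl_ciphers(directive: str) -> CipherAudit:
    """Classify each token of an ssl_ciphers value (or a full directive)."""
    value = directive.strip()
    if value.startswith("ssl_ciphers"):
        value = value[len("ssl_ciphers"):]
    result = CipherAudit()
    # OpenSSL separates cipher-string tokens on ':', ',' and whitespace.
    for name in re.split(r"[:,\s]+", value.strip().rstrip(";")):
        if not name:
            continue
        if name[0] in "!-+@":
            continue  # exclusions / modifiers such as !aNULL or @STRENGTH
        m = _TLS12.match(name)
        if m and m.group("aead"):
            result.tls12_aead.append(name)
        elif m:
            result.tls12_cbc.append(name)
        elif name in TLS13_SUITES:
            result.tls13_misplaced.append(name)
        else:
            result.unknown.append(name)
    return result


def suggest_directives(directive: str) -> tuple[str, str]:
    """Return the (ssl_ciphers, ssl_conf_command) lines OpenSSL will honour.

    Keeps only the AEAD TLS 1.2 suites, moves the TLS 1.3 names to
    ssl_conf_command Ciphersuites, and drops unknown tokens (fix those by
    hand; a silently dropped typo is exactly what this audit is for).
    """
    audit = audit_ssl_ciphers(directive)
    tls12 = "ssl_ciphers " + ":".join(audit.tls12_aead) + ";"
    tls13 = "ssl_conf_command Ciphersuites " + ":".join(audit.tls13_misplaced) + ";"
    return tls12, tls13


# Constructed sample: modelled on the ssl_ciphers string in the message
# above, with one name misspelled (POLY1304) to show how a typo is treated.
SAMPLE = (
    "ssl_ciphers "
    "TLS_CHACHA20_POLY1304_SHA256:TLS_AES_256_GCM_SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384;"
)

if __name__ == "__main__":
    report = audit_ssl_ciphers(SAMPLE)
    for label, names in vars(report).items():
        print(f"{label:16} {names}")
    for line in suggest_directives(SAMPLE):
        print(line)
```

Run it against the `ssl_ciphers` line from the nginx config that `guix system reconfigure` writes (or against the string in your system configuration) before deploying; an audit that is not `clean` means the suites OpenSSL negotiates differ from the ones written down.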
Thread overview: 5+ messages
2022-06-30 10:40 Set up cgit with git-http-backend properly Simon Streit
2022-07-02 9:35 ` pelzflorian (Florian Pelz) [this message]
2022-07-04 10:29 ` Simon Streit
2022-07-04 10:38 ` Simon Streit
2022-07-06 16:27 ` pelzflorian (Florian Pelz)