From: "Thompson, David"
Date: Tue, 19 Mar 2024 08:42:43 -0400
Subject: Re: How do I put assign supplementary groups to nginx user?
To: Jayesh Bhoot
Cc: help-guix

Hi Jayesh,

On Tue, Mar 19, 2024 at 2:44 AM Jayesh Bhoot wrote:
>
> Hello,
>
> I am setting up a git server with Guix System with the following configuration:
>
> - A git user with home directory set to /srv/git, so that git repos can be hosted from /srv, and the repo urls can have the shortest path possible, like git@server:test-repo.git.
> - A git group to which the git user is assigned.
> - cgit-service-type to serve a read-only view of the repos, with nginx acting as the server.
>
> In order to serve the repos, nginx needs access to /srv/git. But, /srv/git, being a home directory, has the configuration of 700 git:git by default. I need to loosen up its permissions to at least 750 so that the git group members can read the directory, and add nginx user to the git group.
>
> How do I encode the following within the system-configuration.scm?
>
> - add nginx user to git supplementary group. Neither (cgit-service-type) nor (nginx-configuration) provide option to edit nginx's supplementary group, and %nginx-accounts does not seem to be exported.
> - modify permissions of home directory /srv/git to 750. (user-account) does not seem to have this option.

Unfortunately, some Guix services lack flexibility when it comes to groups. The nginx service is one of them. My workaround for using nginx and cgit together has been to make a modified nginx service that adds the 'git' group to the 'nginx' user's supplementary groups.

Regarding file permissions, I use the gitolite service which creates a home directory that's readable by the 'git' group. To do so without gitolite probably requires a similar modification of the cgit service to modify the permission bits of the 'git' user's home directory.

Maybe my config source will help you:

https://git.dthompson.us/guix-config/tree/dthompson/machines/takemi.scm#n21

Good luck!

- Dave