How do I put assign supplementary groups to nginx user?

How do I put assign supplementary groups to nginx user?

[Jayesh Bhoot]

Hello,

I am setting up a git server with Guix System with the following configuration:

- A git user with home directory set to /srv/git, so that git repos can be hosted from /srv, and the repo urls can have the shortest path possible, like git@server:test-repo.git.
- A git group to which the git user is assigned.
- cgit-service-type to serve a read-only view of the repos, with nginx acting as the server.

In order to serve the repos, nginx needs access to /srv/git. But, /srv/git, being a home directory, has the configuration of 700 git:git by default. I need to loosen up its permissions to at least 750 so that the git group members can read the directory, and add nginx user to the git group.

How do I encode the following withing the system-configuration.scm?

- add nginx user to git supplementary group. Neither (cgit-service-type) not (nginx-configuration) provide option to edit nginx's supplementary group, and %nginx-accounts does not seem to be exported.
- modify permissions of home directory /srv/git to 750. (user-account) does not seem to have this option.

I saw a similar question in the mailing list from 2017, but that one didn't end with a solution: https://lists.gnu.org/archive/html/help-guix/2017-06/msg00052.html

P.S.: Please interpert all of the above with the context that I have spent only about a weekend with Guix and Guile.

Re: How do I put assign supplementary groups to nginx user?

[Thompson, David]

Hi Jayesh,

On Tue, Mar 19, 2024 at 2:44 AM Jayesh Bhoot <jysh@jysh.net> wrote:
>
> Hello,
>
> I am setting up a git server with Guix System with the following configuration:
>
> - A git user with home directory set to /srv/git, so that git repos can be hosted from /srv, and the repo urls can have the shortest path possible, like git@server:test-repo.git.
> - A git group to which the git user is assigned.
> - cgit-service-type to serve a read-only view of the repos, with nginx acting as the server.
>
> In order to serve the repos, nginx needs access to /srv/git. But, /srv/git, being a home directory, has the configuration of 700 git:git by default. I need to loosen up its permissions to at least 750 so that the git group members can read the directory, and add nginx user to the git group.
>
> How do I encode the following withing the system-configuration.scm?
>
> - add nginx user to git supplementary group. Neither (cgit-service-type) not (nginx-configuration) provide option to edit nginx's supplementary group, and %nginx-accounts does not seem to be exported.
> - modify permissions of home directory /srv/git to 750. (user-account) does not seem to have this option.

Unfortunately, some Guix services lack flexibility when it comes to
groups. The nginx service is one of them. My workaround for using
nginx and cgit together has been to make a modified nginx service that
adds the 'git' group to the 'nginx' user's supplementary groups.

Regarding file permissions, I use the gitolite service which creates a
home directory that's readable by the 'git' group.  To do so without
gitolite probably requires a similar modification of the cgit service
to modify the permission bits of the 'git' user's home directory.

Maybe my config source will help you:
https://git.dthompson.us/guix-config/tree/dthompson/machines/takemi.scm#n21

Good luck!

- Dave