* Set up cgit with git-http-backend properly
@ 2022-06-30 10:40 Simon Streit
2022-07-02 9:35 ` pelzflorian (Florian Pelz)
0 siblings, 1 reply; 5+ messages in thread
From: Simon Streit @ 2022-06-30 10:40 UTC (permalink / raw)
To: help-guix
Hello!
Lately I've been running a cgit instance serving a local Guix channel
with my own personal modifications.
Here's my code snippet:
--8<---------------cut here---------------start------------->8---
(service
 cgit-service-type
 (cgit-configuration
  (enable-git-config? #t)
  (remove-suffix? #t)
  (root-title "git.example.com")
  (clone-prefix (list "https://git.example.com"))
  (strict-export "git-daemon-export-ok")
  (nginx
   (list
    (nginx-server-configuration
     (server-name '("git.example.com"))
     (root cgit)
     (locations
      (list
       (git-http-nginx-location-configuration
        (git-http-configuration (uri-path "/")))
       (nginx-location-configuration
        (uri "@cgit")
        (body '("fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi;"
                "fastcgi_param PATH_INFO $uri;"
                "fastcgi_param QUERY_STRING $args;"
                "fastcgi_param HTTP_HOST $server_name;"
                "fastcgi_pass 127.0.0.1:9000;")))))
     (try-files (list "$uri" "@cgit"))
     (ssl-certificate "/etc/letsencrypt/live/example.com/fullchain.pem")
     (ssl-certificate-key "/etc/letsencrypt/live/example.com/privkey.pem"))))))
--8<---------------cut here---------------end--------------->8---
With this setting running guix pull onto a channel will error out:
--8<---------------cut here---------------start------------->8---
guix pull: error: Git error: invalid content-type: 'text/plain; charset=UTF-8'
--8<---------------cut here---------------end--------------->8---
It appears that my nginx instance or cgit is still serving git
repositories over git's old dumb http protocol instead of providing it
over git-http-backend. The logs in nginx are suggesting no error
though.
Chances are that I got it wrong from reading the manual. Has anyone
else set this up yet? It'd be grand to have this working.
Thanks in advance!
Simon
* Re: Set up cgit with git-http-backend properly
2022-06-30 10:40 Set up cgit with git-http-backend properly Simon Streit
@ 2022-07-02 9:35 ` pelzflorian (Florian Pelz)
2022-07-04 10:29 ` Simon Streit
0 siblings, 1 reply; 5+ messages in thread
From: pelzflorian (Florian Pelz) @ 2022-07-02 9:35 UTC (permalink / raw)
To: Simon Streit; +Cc: help-guix
Hi Simon,
what did you base your setup on?
Simon Streit <simon@netpanic.org> writes:
> (locations
> (list
> (git-http-nginx-location-configuration
> (git-http-configuration (uri-path "/")))
The guix repo has in file gnu/tests/version-control.scm the setting
(locations
 (list (git-http-nginx-location-configuration
        (git-http-configuration (export-all? #t)
                                (uri-path "/git")))))
with uri-path "/git". I think you want "/" though because you have its own
domain. Or maybe you want "".
When I still had a server, I had been using:
(nginx-configuration
 ;; Do not use gzip compression to avoid the BREACH attack on
 ;; TLSv1.2. It could frustrate HTTPS.
 (server-blocks
  (let ((server-names '("mailbaby.de" "www.mailbaby.de")))
    (list (nginx-server-configuration
           (server-name server-names)
           (listen '("443 ssl http2" "[::]:443 ssl http2"))
           (root "/var/www")
           (ssl-certificate "\
/etc/letsencrypt/live/mailbaby.de/fullchain.pem")
           (ssl-certificate-key "\
/etc/letsencrypt/live/mailbaby.de/privkey.pem")
           (locations
            (list
             (nginx-location-configuration
              (uri "/cgit/") ;for cgit css
              (body
               `(("root " ,#~#$(file-append cgit "/share") ";"))))
             (nginx-location-configuration
              (uri "/git/")
              (body
               `(("include "
                  ,#~#$(file-append nginx
                                    "/share/nginx/conf/fastcgi_params")
                  ";")
                 ("fastcgi_param SCRIPT_FILENAME "
                  ,#~#$(file-append cgit "/lib/cgit/cgit.cgi") ";")
                 "fastcgi_param PATH_INFO $uri;"
                 "fastcgi_param QUERY_STRING $args;"
                 "fastcgi_param HTTP_HOST $server_name;"
                 "fastcgi_param HTTPS on;"
                 "fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;")))))
           ;; Rewriting of old URLs to new URLs is not yet necessary.
           (raw-content
            (list
             ;; TLS settings; remember to keep them up to date
             ;; with https://geekflare.com/ssl-test-certificate/
             "ssl_prefer_server_ciphers on;"
             "ssl_protocols TLSv1.2 TLSv1.3;"
             "ssl_dhparam /etc/dhparam;"
             "resolver ns01.domainssaubillig.de ipv6=off;"
             "ssl_stapling on;"
             "ssl_stapling_verify on;"
             "ssl_trusted_certificate \
/etc/letsencrypt/live/mailbaby.de/chain.pem;"
             "add_header Strict-Transport-Security \
\"max-age=31536000; includeSubDomains\" always;"
             "ssl_buffer_size 4k;"
             "ssl_session_tickets on;"
             "ssl_session_timeout 4h;"
             ;; Ciphers according to:
             ;; https://www.cloudinsidr.com/content/tls-1-3-and-tls-1-2-cipher-suites-demystified-how-to-pick-your-ciphers-wisely/
             "ssl_ciphers \
TLS_CHACHA20_POLY1305_SHA256:\
TLS_AES_256_GCM_SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES256-SHA384:\
ECDHE-RSA-CHACHA20-POLY1305:\
DHE-RSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES256-GCM-SHA384;"
             ;; Adjust anti-DoS settings when HTTP errors occur.
             ;; See documentation for ngx_http_core_module.
             "client_body_timeout 15s;"
             "client_header_timeout 15s;"
             "client_max_body_size 4096k;"
             "keepalive_timeout 65;"))))))
 (extra-content "ssl_session_cache shared:SSL:40m;"))
[…]
(define fcgiwrap-home-activation
  #~(let ((out "/var/run/fcgiwrap")
          (user (getpwnam "nginx"))
          (group (getgrnam "nginx")))
      (mkdir-p out)
      (chown out (passwd:uid user) (group:gid group))
      (chmod out #o775)))
(define fcgiwrap-home-service
  (simple-service 'make-fcgiwrap-home activation-service-type
                  fcgiwrap-home-activation))
(define git-group-permissions-activation
  #~(let ((dir "/var/lib/gitolite"))
      (if (file-exists? dir)
          (chmod dir #o755)
          (format #t "WARNING: ~a does not exist yet; reconfigure again!" dir))))
(define git-services
  (list
   (service cgit-service-type
            (cgit-configuration
             (repository-directory "/var/lib/gitolite/repositories")
             (repositories
              (list
               (repository-cgit-configuration
                (url "git/gitolite-admin")
                (desc "Git configuration.")
                (path "/var/lib/gitolite/repositories/gitolite-admin.git"))
               (repository-cgit-configuration
                (url "git/machine-mailbaby-de")
                (desc "Guix System config.")
                (path "/var/lib/gitolite/repositories/machine-mailbaby-de.git"))
               (repository-cgit-configuration
                (url "git/mirror-of-gene-network")
                (desc "Mirror of Efraim Flashner's Guix channel.")
                (path "/var/lib/gitolite/repositories/mirror-of-gene-network.git"))))
             (enable-git-config? #t)
             (enable-index-owner? #f)
             (css "/cgit/cgit.css")
             (logo "/cgit/cgit.png")))
   (simple-service 'git-group-permissions activation-service-type
                   git-group-permissions-activation)))
Particularly note the (locations). I think I had copied it and adapted
it from many places. Can’t remember.
Regards,
Florian
* Re: Set up cgit with git-http-backend properly
2022-07-02 9:35 ` pelzflorian (Florian Pelz)
@ 2022-07-04 10:29 ` Simon Streit
2022-07-04 10:38 ` Simon Streit
2022-07-06 16:27 ` pelzflorian (Florian Pelz)
0 siblings, 2 replies; 5+ messages in thread
From: Simon Streit @ 2022-07-04 10:29 UTC (permalink / raw)
To: pelzflorian (Florian Pelz); +Cc: help-guix
Hello Florian,
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> writes:
> what did you base your setup on?
I've been trying to figure it out from the manual and could have found a
config snippet months ago while setting it up. It has not worked as
expected since.
> with uri-path "/git". I think you want "/" though because you have
> its own domain. Or maybe you want "".
To keep things simple I'm only trying to get it working with
‘git-http-nginx-location-configuration’ now. So far it appears that it
only works when ‘uri-path’ is anything other than "" or "/".
Looking at the service definition in ‘gnu/services/version-control.scm’
"" and "/" are the same in the output of nginx' config file. After
modifying
(string-append "~ /" (string-trim-both uri-path #\/) "(/.*)")
to
(string-append "~ " (string-trim-both uri-path #\/) "(/.*)")
serving and cloning from https://git.example.com/repo(.git) works now.
But it doesn't when cgit is enabled and serving repositories in the same
path at the same time.
Good news is that I'm at a step further now and have it working with:
(nginx-server-configuration
 (server-name '("git.example.com"))
 (root cgit)
 (try-files (list "$uri" "@cgit"))
 (locations
  (list
   (nginx-location-configuration
    (uri "@cgit")
    (body '("fastcgi_param SCRIPT_FILENAME $document_root/lib/cgit/cgit.cgi;"
            "fastcgi_param PATH_INFO $uri;"
            "fastcgi_param QUERY_STRING $args;"
            "fastcgi_param HTTP_HOST $server_name;"
            "fastcgi_pass 127.0.0.1:9000;")))
   (git-http-nginx-location-configuration
    (git-http-configuration))
   (nginx-location-configuration (uri "/.well-known")
                                 (body '("root /var/www;")))))
 (ssl-certificate "/etc/letsencrypt/live/example.com/fullchain.pem")
 (ssl-certificate-key "/etc/letsencrypt/live/example.com/privkey.pem"))
Though I'd still rather not keep the URL at
‘http://git.example.com/git/REPO(.git)’ for cloning.
Is there maybe another way around this?
* Re: Set up cgit with git-http-backend properly
2022-07-04 10:29 ` Simon Streit
@ 2022-07-04 10:38 ` Simon Streit
2022-07-06 16:27 ` pelzflorian (Florian Pelz)
1 sibling, 0 replies; 5+ messages in thread
From: Simon Streit @ 2022-07-04 10:38 UTC (permalink / raw)
To: pelzflorian (Florian Pelz); +Cc: help-guix
Simon Streit <simon@netpanic.org> writes:
> Though I'd still rather not keep the URL at
> ‘http://git.example.com/git/REPO(.git)’ for cloning.
I just realised that this is only a cosmetic view that can be left
as it is.
Simon
* Re: Set up cgit with git-http-backend properly
2022-07-04 10:29 ` Simon Streit
2022-07-04 10:38 ` Simon Streit
@ 2022-07-06 16:27 ` pelzflorian (Florian Pelz)
1 sibling, 0 replies; 5+ messages in thread
From: pelzflorian (Florian Pelz) @ 2022-07-06 16:27 UTC (permalink / raw)
To: Simon Streit; +Cc: help-guix
Hello Simon.
Simon Streit <simon@netpanic.org> writes:
> After
> modifying
>
> (string-append "~ /" (string-trim-both uri-path #\/) "(/.*)")
>
> to
>
> (string-append "~ " (string-trim-both uri-path #\/) "(/.*)")
>
> serving and cloning from https://git.example.com/repo(.git) works now.
> But it doesn't when cgit is enabled and serving repositories in the same
> path at the same time.
Glad you have a working setup. Though this sounds like even cgit cannot
be served from / even if the Guix service definition were fixed. But
<https://wiki.archlinux.org/title/Cgit#Nginx> looks like a configuration
that seems to use /, though instead of "~ /" they special-case the paths
under /.
Regards,
Florian
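The location pattern discussed in this thread, worked through as an added example (not code from the thread or from Guix): it renders the quoted string-append expression in Python and shows which handler nginx would select for a few constructed request paths. The function names and the sample paths are assumptions made for illustration.

```python
import re

def git_http_location(uri_path, patched=False):
    # Python rendering of the Guile expression quoted in the thread:
    #   (string-append "~ /" (string-trim-both uri-path #\/) "(/.*)")
    # patched=True drops the leading "/" as in Simon's local modification.
    # The "~ " modifier is left out; only the regex itself is returned.
    return ("" if patched else "/") + uri_path.strip("/") + "(/.*)"

def route(location_regex, request_path):
    # nginx "~" locations are case-sensitive and unanchored, hence re.search.
    # A miss falls through to the server-level try-files, i.e. "@cgit".
    m = re.search(location_regex, request_path)
    return ("git-http-backend", m.group(1)) if m else ("@cgit", None)

# Constructed request paths (not taken from the thread's logs).
SAMPLE_PATHS = [
    "/repo.git/info/refs",      # clone URL without a prefix
    "/git/repo.git/info/refs",  # clone URL under /git
    "/repo/about/",             # a cgit page
]

def routing_table(uri_path, patched=False):
    regex = git_http_location(uri_path, patched)
    return {p: route(regex, p) for p in SAMPLE_PATHS}

if __name__ == "__main__":
    cases = (("/", False), ("", False), ("/git", False), ("/", True))
    for uri_path, patched in cases:
        regex = git_http_location(uri_path, patched)
        print(f"uri-path={uri_path!r} patched={patched} -> ~ {regex}")
        for path, (handler, capture) in routing_table(uri_path, patched).items():
            print(f"  {path:26} {handler:17} {capture or ''}")
```

For uri-path "/" or "" the unpatched pattern needs two consecutive slashes, which normal request paths do not contain, so every request falls through to cgit. The patched pattern matches every path, so cgit is never reached.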