Re: Set up cgit with git-http-backend properly

[pelzflorian (Florian Pelz)]

Hi Simon,

what did you base your setup on?

Simon Streit <si...@netpanic.org> writes:
>      (locations
>       (list
>        (git-http-nginx-location-configuration
>         (git-http-configuration (uri-path "/")))

The guix repo has in file gnu/tests/version-control.scm the setting

(locations
 (list (git-http-nginx-location-configuration
        (git-http-configuration (export-all? #t)
                                (uri-path "/git")))))

with uri-path "/git".  I think you want "/" though because you have its own
domain.  Or maybe you want "".

When I still had a server, I had been using:

(nginx-configuration
 ;; Do not use gzip compression to avoid the BREACH attack on
 ;; TLSv1.2.  It could frustrate HTTPS.
 (server-blocks
  (let ((server-names '("mailbaby.de" "www.mailbaby.de")))
    (list (nginx-server-configuration
           (server-name server-names)
           (listen '("443 ssl http2" "[::]:443 ssl http2"))
           (root "/var/www")
           (ssl-certificate "\
/etc/letsencrypt/live/mailbaby.de/fullchain.pem")
           (ssl-certificate-key "\
/etc/letsencrypt/live/mailbaby.de/privkey.pem")
           (locations
            (list
             (nginx-location-configuration
              (uri "/cgit/") ;for cgit css
              (body
               `(("root " ,#~#$(file-append cgit "/share") ";"))))
             (nginx-location-configuration
              (uri "/git/")
              (body
               `(("include "
                  ,#~#$(file-append nginx
                                    "/share/nginx/conf/fastcgi_params")
                  ";")
                 ("fastcgi_param SCRIPT_FILENAME "
                  ,#~#$(file-append cgit "/lib/cgit/cgit.cgi") ";")
                 "fastcgi_param PATH_INFO $uri;"
                 "fastcgi_param QUERY_STRING $args;"
                 "fastcgi_param HTTP_HOST $server_name;"
                 "fastcgi_param HTTPS on;"
                 "fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;")))))
           ;; Rewriting of old URLs to new URLs is not yet necessary.
           (raw-content
            (list
             ;; TLS settings; remember to keep them up to date
             ;; with https://geekflare.com/ssl-test-certificate/
             "ssl_prefer_server_ciphers on;"
             "ssl_protocols TLSv1.2 TLSv1.3;"
             "ssl_dhparam /etc/dhparam;"
             "resolver ns01.domainssaubillig.de ipv6=off;"
             "ssl_stapling on;"
             "ssl_stapling_verify on;"
             "ssl_trusted_certificate \
/etc/letsencrypt/live/mailbaby.de/chain.pem;"
             "add_header Strict-Transport-Security \
\"max-age=31536000; includeSubDomains\" always;"
             "ssl_buffer_size 4k;"
             "ssl_session_tickets on;"
             "ssl_session_timeout 4h;"
             ;; Ciphers according to:
             ;; 
https://www.cloudinsidr.com/content/tls-1-3-and-tls-1-2-cipher-suites-demystified-how-to-pick-your-ciphers-wisely/
             "ssl_ciphers \
TLS_CHACHA20_POLY1304_SHA256:\
TLS_AES_256_GCM_SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES256-SHA384:\
ECDHE-RSA-CHACHA20-POLY1305:\
DHE-RSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES256-GCM-SHA384;"
             ;; Adjust anti-DoS settings when HTTP errors occur.
             ;; See documentation for ngx_http_core_module.
             "client_body_timeout 15s;"
             "client_header_timeout 15s;"
             "client_max_body_size 4096k;"
             "keepalive_timeout 65;"))))))
 (extra-content "ssl_session_cache shared:SSL:40m;"))

[…]

(define fcgiwrap-home-activation
  #~(let ((out "/var/run/fcgiwrap")
          (user (getpwnam "nginx"))
          (group (getgrnam "nginx")))
      (mkdir-p out)
      (chown out (passwd:uid user) (group:gid group))
      (chmod out #o775)))

(define fcgiwrap-home-service
  (simple-service 'make-fcgiwrap-home activation-service-type
                  fcgiwrap-home-activation))

(define git-group-permissions-activation
  #~(let ((dir "/var/lib/gitolite"))
      (if (file-exists? dir)
          (chmod dir #o755)
          (format #t "WARNING: ~a does not exist yet; reconfigure again!"))))

(define git-services
  (list
   (service cgit-service-type
    (cgit-configuration
     (repository-directory "/var/lib/gitolite/repositories")
     (repositories
      (list
       (repository-cgit-configuration
        (url "git/gitolite-admin")
        (desc "Git configuration.")
        (path "/var/lib/gitolite/repositories/gitolite-admin.git"))
       (repository-cgit-configuration
        (url "git/machine-mailbaby-de")
        (desc "Guix System config.")
        (path "/var/lib/gitolite/repositories/machine-mailbaby-de.git"))
       (repository-cgit-configuration
        (url "git/mirror-of-gene-network")
        (desc "Mirror of Efraim Flashner's Guix channel.")
        (path "/var/lib/gitolite/repositories/mirror-of-gene-network.git"))))
     (enable-git-config? #t)
     (enable-index-owner? #f)
     (css "/cgit/cgit.css")
     (logo "/cgit/cgit.png")))
   (simple-service 'git-group-permissions activation-service-type
                   git-group-permissions-activation)))

Particularly note the (locations).  I think I had copied it and adapted
it from many places.  Can’t remember.

Regards,
Florian