authorLeander Scherer <leander@schererleander.de>2026-03-13 11:48:21 +0100
committerLeander Scherer <leander@schererleander.de>2026-03-13 12:09:06 +0100
commitf08a6c4d76108a5cf38394ce57e480c9ab412968 (patch)
treee2544790f51e1f8c22b3f9d90745fc4605bdc32c /modules/services
parentac9c19c49c26e588076e561c726355e1703dc421 (diff)
feat(git): setup git server with cgit
Diffstat (limited to 'modules/services')
-rw-r--r--modules/services/cgit.nix44
-rw-r--r--modules/services/git.nix19
-rw-r--r--modules/services/openssh.nix2
3 files changed, 65 insertions, 0 deletions
diff --git a/modules/services/cgit.nix b/modules/services/cgit.nix
new file mode 100644
index 0000000..ad99d3d
--- /dev/null
+++ b/modules/services/cgit.nix
@@ -0,0 +1,44 @@
+{
+ flake.modules.nixos.cgit =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ {
+ services.cgit."git-server" = {
+ enable = true;
+
+ scanPath = "/var/lib/git-server";
+
+ user = "git";
+ group = "git";
+
+ nginx.virtualHost = "git.schererleander.de";
+
+ gitHttpBackend = {
+ enable = true;
+ checkExportOkFiles = false;
+ };
+
+ settings = {
+ "root-title" = "My Git Repositories";
+ "root-desc" = "Self-hosted NixOS Git server";
+ "clone-url" =
+ "https://git.schererleander.de/$CGIT_REPO_URL ssh://git@git.schererleander.de/$CGIT_REPO_URL";
+ "enable-http-clone" = 1;
+ "enable-commit-graph" = 1;
+ "enable-log-filecount" = 1;
+ "enable-log-linecount" = 1;
+ "branch-sort" = "age";
+ };
+ };
+
+ services.nginx.virtualHosts."git.schererleander.de" = {
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."cert_fullchain".path;
+ sslCertificateKey = config.sops.secrets."cert_private".path;
+ };
+ };
+}
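Review bot: `checkExportOkFiles = false` in `gitHttpBackend` lets git-http-backend serve every repository under `scanPath` over anonymous HTTPS, and cgit lists them all as well, so anything pushed to `/var/lib/git-server` is public as soon as it exists. If not every repository is meant to be published, set `checkExportOkFiles = true;` and add `"strict-export" = "git-daemon-export-ok";` to `settings`, then create that marker file only in the repositories that should be visible. Separately, the ssh entry in `clone-url` carries no port, while the sshd configured in `modules/services/openssh.nix` listens on 8693; if that is the same host, the advertised URL will not connect as written.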
diff --git a/modules/services/git.nix b/modules/services/git.nix
new file mode 100644
index 0000000..5be5d58
--- /dev/null
+++ b/modules/services/git.nix
@@ -0,0 +1,19 @@
+{
+ flake.modules.nixos.git =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ {
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ home = "/var/lib/git-server";
+ createHome = true;
+ shell = "${pkgs.git}/bin/git-shell";
+ };
+ users.groups.git = { };
+ };
+}
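Review bot: The `git` user gets `git-shell` but no `openssh.authorizedKeys.keys`, so push access presumably depends on a hand-maintained `authorized_keys` file inside the home directory, which is also the cgit `scanPath`. Declaring the keys in this module, e.g. `openssh.authorizedKeys.keys = [ "<ssh-public-key placeholder>" ];`, keeps the set of accepted keys reviewable in the repository and stored outside the served tree. `config` and `lib` are unused in this module's argument set and could be dropped.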
diff --git a/modules/services/openssh.nix b/modules/services/openssh.nix
index 68d1511..8bb530c 100644
--- a/modules/services/openssh.nix
+++ b/modules/services/openssh.nix
@@ -9,6 +9,8 @@
enable = true;
ports = [ 8693 ];
settings = {
+ AllowTcpForwarding = false;
+ AllowAgentForwarding = false;
PasswordAuthentication = false;
X11Forwarding = false;
PermitRootLogin = "yes";
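Review bot: `PermitRootLogin = "yes"` stays in the same `settings` block that this commit hardens, on a daemon whose hostname and `git` account are now advertised through the cgit clone URL. With `PasswordAuthentication = false` root is already key-only, and `PermitRootLogin = "prohibit-password";` states that explicitly and still holds if password authentication is ever re-enabled. The two new forwarding options apply to every account, including admin logins; if forwarding is still needed for administration, they could be scoped to the git user with a `Match User git` block in `extraConfig` instead. The `settings` block starts and ends outside this hunk.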