From f08a6c4d76108a5cf38394ce57e480c9ab412968 Mon Sep 17 00:00:00 2001
From: Leander Scherer
Date: Fri, 13 Mar 2026 11:48:21 +0100
Subject: feat(git): setup git server with cgit
---
 modules/services/cgit.nix | 44 ++++++++++++++++++++++++++++++++++++++++++++
 modules/services/git.nix | 19 +++++++++++++++++++
 modules/services/openssh.nix | 2 ++
 3 files changed, 65 insertions(+)
 create mode 100644 modules/services/cgit.nix
 create mode 100644 modules/services/git.nix
(limited to 'modules/services')
diff --git a/modules/services/cgit.nix b/modules/services/cgit.nix
new file mode 100644
index 0000000..ad99d3d
--- /dev/null
+++ b/modules/services/cgit.nix
@@ -0,0 +1,44 @@
+{
+ flake.modules.nixos.cgit =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ {
+ services.cgit."git-server" = {
+ enable = true;
+
+ scanPath = "/var/lib/git-server";
+
+ user = "git";
+ group = "git";
+
+ nginx.virtualHost = "git.schererleander.de";
+
+ gitHttpBackend = {
+ enable = true;
+ checkExportOkFiles = false;
+ };
+
+ settings = {
+ "root-title" = "My Git Repositories";
+ "root-desc" = "Self-hosted NixOS Git server";
+ "clone-url" =
+ "https://git.schererleander.de/$CGIT_REPO_URL ssh://git@git.schererleander.de/$CGIT_REPO_URL";
+ "enable-http-clone" = 1;
+ "enable-commit-graph" = 1;
+ "enable-log-filecount" = 1;
+ "enable-log-linecount" = 1;
+ "branch-sort" = "age";
+ };
+ };
+
+ services.nginx.virtualHosts."git.schererleander.de" = {
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."cert_fullchain".path;
+ sslCertificateKey = config.sops.secrets."cert_private".path;
+ };
+ };
+}
diff --git a/modules/services/git.nix b/modules/services/git.nix
new file mode 100644
index 0000000..5be5d58
--- /dev/null
+++ b/modules/services/git.nix
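Review bot: `checkExportOkFiles = false` in the `gitHttpBackend` block lets git-http-backend serve every repository under `scanPath`, and the virtual host adds no authentication, so anything created under `/var/lib/git-server` is browsable and cloneable by anyone as soon as it exists. If only selected repositories are meant to be public, set `checkExportOkFiles = true;` and consider cgit's `"strict-export" = "git-daemon-export-ok";` in `settings`, so that both the web view and the clone endpoint require the marker file. Separately, the SSH entry in `"clone-url"` omits the non-default sshd port (8693 in openssh.nix) and uses an absolute path, so it probably does not resolve to the repositories under the git user's home; `ssh://git@git.schererleander.de:8693/var/lib/git-server/$CGIT_REPO_URL` would match the rest of the configuration.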
@@ -0,0 +1,19 @@
+{
+ flake.modules.nixos.git =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ {
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ home = "/var/lib/git-server";
+ createHome = true;
+ shell = "${pkgs.git}/bin/git-shell";
+ };
+ users.groups.git = { };
+ };
+}
diff --git a/modules/services/openssh.nix b/modules/services/openssh.nix
index 68d1511..8bb530c 100644
--- a/modules/services/openssh.nix
+++ b/modules/services/openssh.nix
@@ -9,6 +9,8 @@
 enable = true;
 ports = [ 8693 ];
 settings = {
+ AllowTcpForwarding = false;
+ AllowAgentForwarding = false;
 PasswordAuthentication = false;
 X11Forwarding = false;
 PermitRootLogin = "yes";
-- cgit v1.3.1
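Review bot: The `home = "/var/lib/git-server";` line makes the account's home directory the same tree that cgit.nix publishes as `scanPath`, so the account's own files (for example an `.ssh` directory or `git-shell-commands`, if they are ever created there) would sit next to the published repositories. The hunk does not show where the account's authorized keys are provisioned, so this may already be handled declaratively elsewhere. Keeping the repositories in a dedicated subdirectory and pointing `scanPath` at that would separate the two. At minimum a comment such as `# home doubles as the cgit scanPath; keep only bare repositories here` would record the coupling, and defining the path once would stop the two modules drifting apart.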
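Review bot: The two added lines disable TCP and agent forwarding but leave Unix-domain socket forwarding at its default, so a key-authenticated `git` session restricted to git-shell could presumably still request stream-local forwards; adding `AllowStreamLocalForwarding = false;` next to them closes that gap. The restrictions are also applied to every account on this sshd rather than only to the new one, which may be intended, but a `Match User git` block would keep them from affecting administrative logins. The `settings` block starts and ends outside the hunk, so other directives may already cover part of this. Note also that the unchanged `PermitRootLogin = "yes"` line now sits on a daemon that serves a public-facing git account.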