authorTim Keller <tjk@tjkeller.xyz>2025-08-18 21:25:24 -0500
committerTim Keller <tjk@tjkeller.xyz>2025-08-18 21:25:24 -0500
commit137da93e3b29e58e5cfe83b2b3216646494dbf4b (patch)
tree3be9af86dd8d79920f2bb525e83c4ba01d059a6b /modules/root
parentd1bfe309993175184c00d22fc116470b7777e947 (diff)
add cgit service
Diffstat (limited to 'modules/root')
-rw-r--r--modules/root/cgit.nix126
-rw-r--r--modules/root/default.nix2
2 files changed, 128 insertions, 0 deletions
diff --git a/modules/root/cgit.nix b/modules/root/cgit.nix
new file mode 100644
index 0000000..f3814cd
--- /dev/null
+++ b/modules/root/cgit.nix
@@ -0,0 +1,126 @@
+{ lib, pkgs, config, userDetails, ... }:
+let
+ cfg = config.cgit;
+in{
+ options = {
+ cgit = {
+ enable = lib.mkEnableOption "enables cgit service";
+ hostAddress = lib.mkOption {
+ type = lib.types.str;
+ description = "hostAddress for the container";
+ default = "10.0.1.1";
+ };
+ localAddress = lib.mkOption {
+ type = lib.types.str;
+ description = "localAddress for the container";
+ default = "10.0.1.2";
+ };
+ rootTitle = lib.mkOption {
+ type = lib.types.str;
+ description = "cgit site title";
+ default = "";
+ };
+ rootDesc = lib.mkOption {
+ type = lib.types.str;
+ description = "cgit site description";
+ default = "";
+ };
+ extraConfig = lib.mkOption {
+ type = lib.types.str;
+ description = "cgitrc lines inserted verbatim at the end";
+ default = "";
+ };
+ };
+ };
+
+ config = lib.mkIf config.cgit.enable {
+ # Configure cgit container
+ containers.cgit = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = cfg.hostAddress;
+ localAddress = cfg.localAddress;
+
+ specialArgs = {
+ authorizedKeys = userDetails.sshPublicKeys;
+ cgitrc = with cfg; {
+ inherit rootTitle;
+ inherit rootDesc;
+ inherit extraConfig;
+ };
+ };
+
+ config = { lib, config, authorizedKeys, cgitrc, ... }: {
+ # Create git user for ssh access
+ users.users.git = {
+ isNormalUser = true;
+ home = "/srv/git"; # Serve from git user's home to allow cloning git@cgit:repo
+ group = "git";
+ createHome = true;
+ homeMode = "750"; # Allow read permissions for group members
+ shell = pkgs.bash;
+ openssh.authorizedKeys.keys = authorizedKeys;
+ };
+ users.groups.git.members = [ "lighttpd" ]; # Create the git group and add lighttpd user as a member so /srv/git can be served by cgit
+
+ # Enable git
+ programs.git.enable = true;
+
+ # Enable ssh service
+ services.openssh.enable = true;
+
+ # Enable cgit service
+ services.lighttpd.enable = true;
+ services.lighttpd.cgit = {
+ enable = true;
+ #subdir = ""; # FIXME this does not work for some reason
+ configText = ''
+ # Based on joseluisq/alpine-cgit
+ root-title=${cgitrc.rootTitle}
+ root-desc=${cgitrc.rootDesc}
+
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+
+ readme=:README.md
+ readme=:README.html
+ readme=:README.txt
+ readme=:README
+ readme=:INSTALL.md
+ readme=:INSTALL.html
+ readme=:INSTALL.txt
+ readme=:INSTALL
+
+ # Cache
+ #cache-root=/var/cache/cgit
+ #cache-size=2000
+
+ enable-index-links=1
+ enable-index-owner=0
+ enable-remote-branches=1
+ enable-log-filecount=1
+ enable-log-linecount=1
+ enable-git-config=1
+ snapshots=tar.xz zip
+
+ robots=noindex, nofollow
+
+ virtual-root=/cgit
+ section-from-path=0
+ max-repo-count=100
+ scan-path=/srv/git
+
+ # extra config
+ ${cgitrc.extraConfig}
+ '';
+ };
+
+ # Networking, etc.
+ networking.firewall.allowedTCPPorts = [ 80 22 ];
+ networking.hostName = "cgit";
+
+ system.stateVersion = "25.05";
+ };
+ };
+ };
+}
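Review bot: The `git` account in `users.users.git` is given `shell = pkgs.bash;`, so every key in `userDetails.sshPublicKeys` gets a full interactive shell inside the container rather than git transport only. If the account is used only for clone and push, `shell = "${pkgs.git}/bin/git-shell";` would restrict it to git commands. If repositories are currently created over SSH, that workflow would need a `git-shell-commands` helper or a separate admin path, so confirm before changing it. The sshd settings next to `services.openssh.enable = true;` are left at their defaults while port 22 is opened in `networking.firewall.allowedTCPPorts`. Adding `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";` would make key-only access explicit instead of relying on no account having a password.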
diff --git a/modules/root/default.nix b/modules/root/default.nix
index 9d288dc..5d62584 100644
--- a/modules/root/default.nix
+++ b/modules/root/default.nix
@@ -4,6 +4,7 @@
./autologin.nix
./bluetooth.nix
./bootloader.nix
+ ./cgit.nix
./doas.nix
./firewall.nix
./fonts.nix
@@ -30,6 +31,7 @@
autologin.enable = lib.mkDefault true;
avahi.enable = lib.mkDefault true;
bluetooth.enable = lib.mkDefault false;
+ cgit.enable = lib.mkDefault false;
doas.enable = lib.mkDefault true;
fonts.enable = lib.mkDefault true;
nas = {