cgit: client cert auth

2 files changed, 41 insertions, 7 deletions

diff --git a/modules/nixos/services/web/cgit/ca.crt b/modules/nixos/services/web/cgit/ca.crt
new file mode 100644
index 0000000..45156da
--- /dev/null
+++ b/modules/nixos/services/web/cgit/ca.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFZTCCA02gAwIBAgIUPjIi+YtJg6XTncDUIzI4/5ZwYx0wDQYJKoZIhvcNAQEL
+BQAwQjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBk9yZWdvbjERMA8GA1UEBwwIUG9y
+dGxhbmQxDzANBgNVBAoMBmN4bC5zaDAeFw0yNjAzMDMwODI1MjhaFw0yNzAzMDMw
+ODI1MjhaMEIxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAPBgNVBAcM
+CFBvcnRsYW5kMQ8wDQYDVQQKDAZjeGwuc2gwggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQDpjWYj0L77oAS8zlTQ0vz9R0fahAzM2Smj4RRooKsnl27JX4dl
+GHaKnqSLFZPnvMzFm/dZAhKhK+GvtRCZFo4snzqJArmf9jd1rRr5mHau09LWRRjo
+13uB2Jpz3sHApk/IB4X6jY2jAHDnRLffUJWnjRBuL9JQF6DrYZQJyYB5NED1H4VC
+mMFnMSt/vTiHI0zmTUQ32kD4wJ2aabIXajY7xilvBK6+ojd1bzJrPjnpjxyhETPG
+oD9zJhv7FpGo3ZTRxT7/ThqRn59diaosJmv+4t9IIu2aRYZBswOH3hi9LeG+VKvb
+T+Qt3v53GwSlXyPr7gOAULXUulXRdbhSXcvLDGTGkHw6NR/COqPJQXcX2Tsw8rtd
+qx9Uipls5PMehDcj+YvnY0SH6Rq9Rxzy3sXAlnjj9LJ4w2+5EOWn9kYXz3mViTJO
+s9iCGO3KEVqMYfIIvbf4UJzx71HE6HMkD+3tZaAtLlyu17U8qEa+CMnQe9nMlwn6
+Fr3PDubD97mscMtgRL5M1GgHIxIKSQ5IolrCy4gUYlxBbx7BfoK0eDY9j0ZTuWlG
++a/Qr05a3xXHe7wZzVexF+/U/LI7MvpldcpiNKQUeV5ROsEFFwqajc9syKpR/pto
+oc2mNogfnnk2BRCBsDPQPk/dPwRzXSheSKF8Zr/RQ/bJ0lOU2OCh5i1QtwIDAQAB
+o1MwUTAdBgNVHQ4EFgQU5bI59TE9BUJm/nlQQPSwInAs1ccwHwYDVR0jBBgwFoAU
+5bI59TE9BUJm/nlQQPSwInAs1ccwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQsFAAOCAgEAIVcnN67lf8hriVvrGf4wsL8yCBFRGyNx8qrkMpD3DLlXrGRgMwl1
+F7pgbaA7zWhOtc4XyRq/FBVRLVbX36Nyp6BKLj0aR8+qPxaqGq1fKOVDYdeoajtR
+WG7As+dgaSRBjNPG+pnC0UCquOySBizNiGsuSQy5/BVdNp/5yB1P7kk//Gcjb7Is
+ZdEp3hDXCinUQlXrWTVUKwlEfd0gYFjQwVcVZpDZHKF9JsfImCuNvTmA8fbtHAOT
++heuAFcR/u09j5KANn58ynU9yUefxB5hx0MMKqWRcao9YWFOP12X9PyZWIuRxdw4
+8H1JEjHg/QIi5/YfRU609VandHRU/utPGMb/hJ9vsf4LzS0B15Nj14AgpgDeP3si
+zF5OjXn9vCucaqH43qKlhcW3TvscMGpj6ogkQB/eH8qLhcXuXmXUK0sfrLSntKdi
+fWNznbW2zw6JRmkE6jgEFlNwqOu3d47Rhs69YT4+wX6KAXRk8VYQ9JPQ8P9Bz3Nj
+G1YguLZwFkkoTSwpqH460z3UqkQNuaNUDgBRRVX+syUIPnFNxliwSm8F6aOPLqbm
+src9zFQ1JBOS1GCVzJxTgN+sQpW6DP/NVQ4HOw1O/vzuK9bYCsIkbJYX1TVAZoog
+Jbs6ke9+UzHTq466d3HjBecFZLoiJgdiiSbJveoANRY3pF/oCvQHjW4=
+-----END CERTIFICATE-----
diff --git a/modules/nixos/services/web/cgit/default.nix b/modules/nixos/services/web/cgit/default.nix
index 2c8139c..e33971e 100644
--- a/modules/nixos/services/web/cgit/default.nix
+++ b/modules/nixos/services/web/cgit/default.nix
@@ -52,8 +52,7 @@ in {
       "private" = {
         enable = true;
         scanPath = cfg.path;
-        nginx.virtualHost = cfg.virtualHost;
-        nginx.location = "/private/";
+        nginx.virtualHost = "private.${cfg.virtualHost}";
 
         user = "git";
         group = "git";
@@ -72,11 +71,15 @@ in {
         "${cfg.virtualHost}" = {
           addSSL = true;
           enableACME = true;
-          locations."/private/" = {
-            basicAuth = {
-              c = "password";
-            };
-          };
+        };
+        "private.${cfg.virtualHost}" = {
+          addSSL = true;
+          enableACME = true;
+
+          extraConfig = ''
+            ssl_client_certificate ${./ca.crt};
+            ssl_verify_client on;
+          '';
         };
       };
     };