From 5d01cdd0e98d0efbff5fa09f3b83a2aa6fa510dd Mon Sep 17 00:00:00 2001
From: Caroline Larimore <caroline@larimo.re>
Date: Tue, 3 Mar 2026 00:33:11 -0800
Subject: cgit: client cert auth

---
 modules/nixos/services/web/cgit/default.nix | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

(limited to 'modules/nixos/services/web/cgit/default.nix')

diff --git a/modules/nixos/services/web/cgit/default.nix b/modules/nixos/services/web/cgit/default.nix
index 2c8139c..e33971e 100644
--- a/modules/nixos/services/web/cgit/default.nix
+++ b/modules/nixos/services/web/cgit/default.nix
@@ -52,8 +52,7 @@ in {
       "private" = {
         enable = true;
         scanPath = cfg.path;
-        nginx.virtualHost = cfg.virtualHost;
-        nginx.location = "/private/";
+        nginx.virtualHost = "private.${cfg.virtualHost}";
 
         user = "git";
         group = "git";
@@ -72,11 +71,15 @@ in {
         "${cfg.virtualHost}" = {
           addSSL = true;
           enableACME = true;
-          locations."/private/" = {
-            basicAuth = {
-              c = "password";
-            };
-          };
+        };
+        "private.${cfg.virtualHost}" = {
+          addSSL = true;
+          enableACME = true;
+
+          extraConfig = ''
+            ssl_client_certificate ${./ca.crt};
+            ssl_verify_client on;
+          '';
         };
       };
     };
-- 
cgit v1.2.3