Exposing Private Guix Channels via HTTPS with Per-Channel Authentication
We expose internal Guix channels over HTTPS using git-http-backend, Nginx, and HTTP basic authentication. This setup allows us to:
- Serve Guix channels securely over the web
- Enforce per-channel access control using .htpasswd files
- Avoid embedding credentials in channels.scm
- Keep channel access and source-fetch access decoupled
Design Summary
- Each channel is a bare Git repository under /home/git/repositories/
- Channels are served via Nginx over /git/<channel>.git
- Access is protected with per-channel .htpasswd files
- Users run guix pull using the clean channel URL (no embedded credentials)
- SSH is used for source fetching inside the channel when needed
Nginx Configuration Snippet
```nginx
location ~ ^/git(/channel-alpha\.git(/.*)?)$ {
    auth_basic "Restricted Channel Alpha";
    auth_basic_user_file /etc/nginx/htpasswd-channel-alpha;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME /run/current-system/profile/libexec/git-core/git-http-backend;
    fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
    # PATH_INFO must include the repository name: git-http-backend opens
    # GIT_PROJECT_ROOT + PATH_INFO, i.e. /home/git/repositories/channel-alpha.git/...
    fastcgi_param PATH_INFO $1;
    fastcgi_param REMOTE_USER $remote_user;
}
```
Repeat with appropriate changes for other channels (e.g., channel-beta.git, with its own .htpasswd).
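To keep the per-channel copies consistent, the following added example (not part of the original post) renders one location block per channel name and simulates how the block's regex maps a request path onto the bare repository under GIT_PROJECT_ROOT. The htpasswd directory and the channel-name rule are assumptions.

```python
# Added example: generate per-channel Nginx location blocks for git-http-backend
# and check the request-path -> repository-path mapping they produce.
import re
from typing import Optional

GIT_PROJECT_ROOT = "/home/git/repositories"
GIT_HTTP_BACKEND = "/run/current-system/profile/libexec/git-core/git-http-backend"
HTPASSWD_DIR = "/etc/nginx"  # assumption: htpasswd-<channel> files live here


def _repo_pattern(channel: str) -> str:
    """Regex fragment matching '<channel>.git' literally. The '.' is escaped so
    'channel-alphaXgit' does not match; names with '/', '.' or '..' are rejected."""
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_-]*", channel):
        raise ValueError(f"refusing unsafe channel name: {channel!r}")
    return channel + r"\.git"


def location_block(channel: str) -> str:
    """Nginx location block for one channel. The outer capture group becomes
    PATH_INFO and includes the repo name, so GIT_PROJECT_ROOT + PATH_INFO is the
    on-disk path git-http-backend opens."""
    repo_re = _repo_pattern(channel)
    lines = [
        f"location ~ ^/git(/{repo_re}(/.*)?)$ {{",
        f'    auth_basic "Restricted {channel}";',
        f"    auth_basic_user_file {HTPASSWD_DIR}/htpasswd-{channel};",
        "    include /etc/nginx/fastcgi_params;",
        "    fastcgi_pass 127.0.0.1:9000;",
        f"    fastcgi_param SCRIPT_FILENAME {GIT_HTTP_BACKEND};",
        f"    fastcgi_param GIT_PROJECT_ROOT {GIT_PROJECT_ROOT};",
        "    fastcgi_param PATH_INFO $1;",
        "    fastcgi_param REMOTE_USER $remote_user;",
        "}",
    ]
    return "\n".join(lines)


def resolve_request(channel: str, request_path: str) -> Optional[str]:
    """Simulate the block's regex on a request path: return the filesystem path
    git-http-backend would use, or None when this location does not match
    (another channel's block, or a 404, handles it then)."""
    m = re.fullmatch(rf"/git(/{_repo_pattern(channel)}(/.*)?)", request_path)
    if m is None:
        return None
    return GIT_PROJECT_ROOT + m.group(1)


if __name__ == "__main__":
    for name in ("channel-alpha", "channel-beta"):
        print(location_block(name), end="\n\n")
    print(resolve_request("channel-alpha", "/git/channel-alpha.git/info/refs"))
```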
File Structure
/home/git/repositories/channel-alpha.git/ # bare Git repo
User Setup
Users configure ~/.config/guix/channels.scm like this:
```scheme
(list
 (channel
  (name 'channel-alpha)
  (url "https://kokyou.dev/git/channel-alpha.git")
  ;; placeholders: the introduction commit and the signing key's fingerprint
  (introduction
   (make-channel-introduction
    "commit-hash"
    (openpgp-fingerprint "AAAA BBBB CCCC ...")))))
```
On the first guix pull, users are prompted for the HTTP basic-auth credentials defined in the channel's Nginx .htpasswd file.
No credentials are embedded in the URL or stored in channels.scm.
Best Practices
- Do not set GIT_HTTP_EXPORT_ALL globally; instead export only the repositories that need it by placing a git-daemon-export-ok file in each one