= Exposing Private Guix Channels via HTTPS with Per-Channel Authentication

We expose internal Guix channels over HTTPS using git-http-backend, Nginx, and HTTP basic authentication. This setup allows us to:

 * Serve Guix channels securely over the web
 * Enforce per-channel access control using .htpasswd files
 * Avoid embedding credentials in channels.scm
 * Keep channel access and source-fetch access decoupled

== Design Summary

 * Each channel is a bare Git repository under /home/git/repositories/
 * Channels are served via Nginx over /git/<channel>.git
 * Access is protected with per-channel .htpasswd files
 * Users run guix pull using the clean channel URL (no embedded credentials)
 * SSH is used for source fetching inside the channel when needed

== Nginx Configuration Snippet

{{{#!nginx
# One location block per channel. Group 1 of the regex becomes PATH_INFO and
# must keep the "/channel-alpha.git" prefix: git-http-backend appends PATH_INFO
# to GIT_PROJECT_ROOT to locate the repository. (A capture of only the part
# after ".git" would make it look for /home/git/repositories/info/refs.)
location ~ ^/git(/channel-alpha\.git(?:/.*)?)$ {
    auth_basic "Restricted Channel Alpha";
    auth_basic_user_file /etc/nginx/htpasswd-channel-alpha;

    include /etc/nginx/fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME /run/current-system/profile/libexec/git-core/git-http-backend;
    fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
    fastcgi_param PATH_INFO $1;
    # REMOTE_USER tells git-http-backend the request is authenticated. Git
    # enables receive-pack (push) by default for authenticated users, so set
    # http.receivepack=false in repositories that must stay pull-only.
    fastcgi_param REMOTE_USER $remote_user;
    # GIT_HTTP_EXPORT_ALL is deliberately left unset (even an empty value
    # counts as set): only repositories containing git-daemon-export-ok are served.
}
}}}

Repeat the block for each additional channel, changing the repository name, the realm and the .htpasswd path (e.g., channel-beta.git with its own /etc/nginx/htpasswd-channel-beta).

== File Structure

{{{
/home/git/repositories/channel-alpha.git/                       # bare Git repo
/home/git/repositories/channel-alpha.git/git-daemon-export-ok   # opt-in marker read by git-http-backend
/etc/nginx/htpasswd-channel-alpha                               # credentials for this channel only
}}}

== User Setup

Users configure ~/.config/guix/channels.scm like this:

{{{#!scheme
(list
 (channel
  (name 'channel-alpha)
  (url "https://kokyou.dev/git/channel-alpha.git")
  (introduction
   (make-channel-introduction
    "commit-hash"                                    ; placeholder: the channel's introductory commit
    (openpgp-fingerprint "AAAA BBBB CCCC ...")))))   ; placeholder: fingerprint of the signing key
}}}

On the first pull, users are prompted for HTTP credentials, which Nginx checks against that channel's .htpasswd file.

No credentials are embedded in the URL or stored in the channel file.

== Best Practices

Disable GIT_HTTP_EXPORT_ALL globally (leave it out of the FastCGI parameters entirely; git-http-backend treats even an empty value as "export everything") and instead mark only the repositories that should be served with an explicit git-daemon-export-ok file.
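The following Python script is an added example, not part of the original page or of Guix, git or Nginx. It models the access path described in the Nginx section and the best-practice above so the logic can be checked offline: the location regex that turns a request URI into PATH_INFO for git-http-backend, the per-channel .htpasswd lookup, and the git-daemon-export-ok gate that applies when GIT_HTTP_EXPORT_ALL is unset. The channel list, user names, passwords, file names under a temporary directory and the use of the {SSHA} scheme (one of the hash formats nginx's auth_basic accepts) are assumptions constructed for the example; apr1 and crypt entries are not modelled.

```python
"""Offline model of the per-channel channel-serving path: Nginx location regex ->
PATH_INFO for git-http-backend, .htpasswd credential check, and the
git-daemon-export-ok gate that applies when GIT_HTTP_EXPORT_ALL is unset.
Added example; channel names, users and files below are constructed."""
import base64
import hashlib
import os
import re
import secrets
import tempfile

# One Nginx location block per channel (assumption: every channel uses the
# same regex shape as the channel-alpha snippet).
CHANNELS = ("channel-alpha", "channel-beta")


def route(uri: str):
    """Map a request URI to (channel, PATH_INFO), or None when no location matches.

    PATH_INFO keeps the '<channel>.git' prefix because git-http-backend joins
    it to GIT_PROJECT_ROOT to find the repository on disk.
    """
    path = uri.split("?", 1)[0]  # nginx location matching ignores the query string
    for channel in CHANNELS:
        m = re.match(rf"^/git(/{re.escape(channel)}\.git(?:/.*)?)$", path)
        if m:
            return channel, m.group(1)
    return None


def ssha_hash(password: str, salt: bytes) -> str:
    """RFC 2307 {SSHA} entry (salted SHA-1): base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(stored: str, password: str) -> bool:
    """Verify {SSHA} and {SHA} entries with a constant-time compare; other schemes return False."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return secrets.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return secrets.compare_digest(hashlib.sha1(password.encode()).digest(), digest)
    return False


def load_htpasswd(path: str) -> dict:
    """Parse 'user:hash' lines; blank lines and '#' comments are ignored."""
    users = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and ":" in line:
                user, hashed = line.split(":", 1)
                users[user] = hashed
    return users


def weak_entries(path: str) -> list:
    """Users whose entry uses a scheme the nginx docs say not to use: {PLAIN} or unsalted {SHA}."""
    return sorted(u for u, h in load_htpasswd(path).items()
                  if h.startswith("{PLAIN}") or h.startswith("{SHA}"))


def authorize(project_root: str, htpasswd_dir: str, uri: str, user: str, password: str):
    """Return (decision, PATH_INFO); decision is 'ok', 'no-route', 'bad-credentials' or 'not-exported'."""
    routed = route(uri)
    if routed is None:
        return "no-route", None
    channel, path_info = routed
    users = load_htpasswd(os.path.join(htpasswd_dir, f"htpasswd-{channel}"))
    if user not in users or not check_password(users[user], password):
        return "bad-credentials", None
    # With GIT_HTTP_EXPORT_ALL unset, git-http-backend serves a repository only
    # if this marker file exists inside it.
    if not os.path.isfile(os.path.join(project_root, f"{channel}.git", "git-daemon-export-ok")):
        return "not-exported", None
    return "ok", path_info


def build_fixture():
    """Constructed sample tree: alpha is exported and has an {SSHA} user; beta is not
    exported and carries a weak unsalted {SHA} entry. Returns (project_root, htpasswd_dir)."""
    base = tempfile.mkdtemp(prefix="guix-channels-")
    root, htdir = os.path.join(base, "repositories"), os.path.join(base, "nginx")
    for channel in CHANNELS:
        os.makedirs(os.path.join(root, f"{channel}.git"))
    os.makedirs(htdir)
    open(os.path.join(root, "channel-alpha.git", "git-daemon-export-ok"), "w").close()
    with open(os.path.join(htdir, "htpasswd-channel-alpha"), "w", encoding="utf-8") as fh:
        fh.write("alice:" + ssha_hash("correct horse", b"fixedsalt") + "\n")
    with open(os.path.join(htdir, "htpasswd-channel-beta"), "w", encoding="utf-8") as fh:
        fh.write("bob:{SHA}" + base64.b64encode(hashlib.sha1(b"hunter2").digest()).decode() + "\n")
    return root, htdir


if __name__ == "__main__":
    root, htdir = build_fixture()
    print(authorize(root, htdir, "/git/channel-alpha.git/info/refs?service=git-upload-pack",
                    "alice", "correct horse"))
    print(authorize(root, htdir, "/git/channel-beta.git/info/refs", "bob", "hunter2"))
    print(weak_entries(os.path.join(htdir, "htpasswd-channel-beta")))
```

Running the script prints an `ok` decision with PATH_INFO `/channel-alpha.git/info/refs` for alice, `not-exported` for channel-beta even though bob's password is right, and `['bob']` from the weak-entry audit. The route function is the place to test a new location regex before deploying it: if its result does not start with `/<channel>.git`, git-http-backend will look in the wrong directory.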