= Exposing Private Guix Channels via HTTPS with Per-Channel Authentication

We expose internal Guix channels over HTTPS using git-http-backend, Nginx, and HTTP basic authentication. This setup allows us to:

 * Serve Guix channels securely over the web
 * Enforce per-channel access control using .htpasswd files
 * Avoid embedding credentials in channels.scm
 * Keep channel access and source-fetch access decoupled

== Design Summary

 * Each channel is a bare Git repository under /home/git/repositories/
 * Channels are served via Nginx at /git/<channel-name>.git
 * Access is protected with per-channel .htpasswd files
 * Users run guix pull using the clean channel URL (no embedded credentials)
 * SSH is used for source fetching inside the channel when needed

== Nginx Configuration Snippet

{{{
# Match only this channel; the escaped '.' keeps paths like
# /git/channel-alphaXgit from matching the same block.
location ~ ^/git/channel-alpha\.git(/.*)?$ {
    auth_basic "Restricted Channel Alpha";
    auth_basic_user_file /etc/nginx/htpasswd-channel-alpha;   # one user file per channel
    include /etc/nginx/fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;   # FastCGI wrapper (e.g. fcgiwrap) that executes git-http-backend
    fastcgi_param SCRIPT_FILENAME /run/current-system/profile/libexec/git-core/git-http-backend;
    fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
    # git-http-backend locates the repository as GIT_PROJECT_ROOT + PATH_INFO,
    # so PATH_INFO must carry the repository name, not only the captured suffix.
    fastcgi_param PATH_INFO /channel-alpha.git$1;
    fastcgi_param REMOTE_USER $remote_user;
}
}}}

Repeat with appropriate changes for other channels (e.g., channel-beta.git, with its own .htpasswd).

== File Structure

{{{
/home/git/repositories/channel-alpha.git/   # bare Git repo
}}}

== User Setup

Users configure ~/.config/guix/channels.scm like this:

{{{
(list
 (channel
  (name 'channel-alpha)
  (url "https://kokyou.dev/git/channel-alpha.git")
  (introduction
   (make-channel-introduction
    "commit-hash"
    (openpgp-fingerprint "AAAA BBBB CCCC ...")))))
}}}

On first pull, they will be prompted for the HTTP credentials that match the channel's Nginx .htpasswd file. No credentials are embedded in the URL or stored in the channel file.

== Best Practices

 * Disable GIT_HTTP_EXPORT_ALL globally, and rely on explicit git-daemon-export-ok files only if needed
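What the credential check behind auth_basic_user_file actually does, as an added example that is not part of this page or of Guix: it builds .htpasswd entries in the {SHA} and {SSHA} formats nginx accepts (the same output as htpasswd -s, without needing that tool) and verifies a submitted username and password against a file before it is deployed. The users, passwords and the fixed salt below are constructed; crypt()/apr1 entries, which nginx also accepts, are deliberately left unverified here.

```python
"""Generate and verify nginx-style .htpasswd entries for a per-channel
auth_basic_user_file. Added example, not the page's own tooling. Only the
{SHA} (unsalted SHA-1) and {SSHA} (salted SHA-1) formats are implemented;
crypt()/apr1 entries are reported as unverifiable rather than guessed at."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def make_sha_entry(user: str, password: str) -> str:
    """Same output as `htpasswd -nbs USER PASSWORD`: {SHA} + base64(sha1(pw))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def make_ssha_entry(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """Salted variant: {SSHA} + base64(sha1(pw + salt) + salt)."""
    salt = secrets.token_bytes(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return f"{user}:{{SSHA}}{base64.b64encode(digest + salt).decode()}"


def verify(htpasswd_text: str, user: str, password: str) -> bool:
    """Return True only if USER exists and PASSWORD matches its stored hash.
    Digest comparisons use hmac.compare_digest to avoid timing leaks."""
    candidate = password.encode()
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user:
            continue
        if stored.startswith("{SHA}"):
            expected = base64.b64decode(stored[len("{SHA}"):])
            return hmac.compare_digest(hashlib.sha1(candidate).digest(), expected)
        if stored.startswith("{SSHA}"):
            blob = base64.b64decode(stored[len("{SSHA}"):])
            expected, salt = blob[:20], blob[20:]   # a SHA-1 digest is 20 bytes
            return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), expected)
        return False   # crypt()/apr1 scheme: not handled here, so deny
    return False       # unknown user


# Constructed contents of /etc/nginx/htpasswd-channel-alpha. The SSHA salt is
# fixed only so the example is reproducible; real entries get random salts.
SAMPLE_HTPASSWD = "\n".join([
    make_sha_entry("alice", "password"),
    make_ssha_entry("bob", "hunter2", salt=bytes(range(1, 9))),
    "carol:$apr1$placeholder$notverifiedhere",   # apr1 entry, left to nginx
])

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    for who, pw in [("alice", "password"), ("alice", "wrong"),
                    ("bob", "hunter2"), ("carol", "x"), ("dave", "password")]:
        state = "accepted" if verify(SAMPLE_HTPASSWD, who, pw) else "denied"
        print(f"{who}/{pw!r}: {state}")
```

{SHA} is the unsalted format and the weakest of those nginx accepts; prefer {SSHA} as shown, or the apr1 format produced by htpasswd -m, for the files that guard the channels. nginx performs this comparison itself at request time; the verify function is for checking a file before it goes live.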
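A check for the access model the Design Summary and Best Practices describe, as an added example that is not part of this page or of Guix: it scans an Nginx configuration and reports every /git/<channel>.git location that lacks auth_basic, shares its .htpasswd file with another channel, leaves the '.' unescaped in its regex, passes a PATH_INFO that omits the repository name, or sets GIT_HTTP_EXPORT_ALL. The configuration text is constructed (one correct block mirroring the snippet above, three deliberately flawed ones), and the finding wording is this script's own.

```python
"""Audit an Nginx config against the per-channel Guix channel access model:
each /git/<channel>.git location must require basic auth, use its own
.htpasswd file, escape the '.' in its regex, pass a PATH_INFO that names the
repository, and never set GIT_HTTP_EXPORT_ALL. Added example; the config
below is constructed for illustration."""
import re

SAMPLE_CONFIG = r"""
# correct block, as in the snippet above
location ~ ^/git/channel-alpha\.git(/.*)?$ {
    auth_basic "Restricted Channel Alpha";
    auth_basic_user_file /etc/nginx/htpasswd-channel-alpha;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
    fastcgi_param PATH_INFO /channel-alpha.git$1;
}
# deliberately flawed: no authentication at all
location ~ ^/git/channel-beta\.git(/.*)?$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
    fastcgi_param PATH_INFO /channel-beta.git$1;
}
# deliberately flawed: reuses alpha's user file, PATH_INFO drops the repo name
location ~ ^/git/channel-gamma\.git(/.*)?$ {
    auth_basic "Restricted Channel Gamma";
    auth_basic_user_file /etc/nginx/htpasswd-channel-alpha;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
    fastcgi_param PATH_INFO $1;
}
# deliberately flawed: unescaped '.', and every repo under the root is exported
location ~ ^/git/channel-delta.git(/.*)?$ {
    auth_basic "Restricted Channel Delta";
    auth_basic_user_file /etc/nginx/htpasswd-channel-delta;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
    fastcgi_param GIT_HTTP_EXPORT_ALL "";
    fastcgi_param PATH_INFO /channel-delta.git$1;
}
"""

LOCATION_RE = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{")


def iter_locations(config):
    """Yield (modifier, pattern, body) for each location block, comments stripped."""
    config = re.sub(r"(?m)#.*$", "", config)
    for m in LOCATION_RE.finditer(config):
        depth, i = 1, m.end()
        while depth and i < len(config):        # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(config[i], 0)
            i += 1
        yield m.group(1), m.group(2), config[m.end():i - 1]


def directive(body, name):
    """Value of the first `name ...;` directive in a block body, unquoted."""
    m = re.search(rf"(?m)^\s*{name}\s+([^;]+);", body)
    return m.group(1).strip().strip('"') if m else None


def fastcgi_params(body):
    return dict(re.findall(r"fastcgi_param\s+(\w+)\s+([^;]+);", body))


def audit(config):
    findings, user_files = [], {}
    for modifier, pattern, body in iter_locations(config):
        if ".git" not in pattern:
            continue                             # not a channel location
        auth = directive(body, "auth_basic")
        user_file = directive(body, "auth_basic_user_file")
        if auth is None or auth == "off":
            findings.append(f"{pattern}: no auth_basic, channel is readable by anyone")
        elif user_file is None:
            findings.append(f"{pattern}: auth_basic set but no auth_basic_user_file")
        if user_file:
            user_files.setdefault(user_file, []).append(pattern)
        if modifier in ("~", "~*") and re.search(r"(?<!\\)\.git", pattern):
            findings.append(f"{pattern}: unescaped '.' before git, regex matches more than intended")
        params = fastcgi_params(body)
        if "GIT_HTTP_EXPORT_ALL" in params:
            findings.append(f"{pattern}: GIT_HTTP_EXPORT_ALL set, bypasses git-daemon-export-ok")
        if "PATH_INFO" in params and ".git" not in params["PATH_INFO"]:
            findings.append(f"{pattern}: PATH_INFO {params['PATH_INFO']} does not name the "
                            "repository (git-http-backend resolves GIT_PROJECT_ROOT + PATH_INFO)")
    for path, patterns in user_files.items():
        if len(patterns) > 1:
            findings.append(f"{path}: shared by {', '.join(patterns)}, access is not per-channel")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the real nginx.conf (or the included per-site file) after adding a channel; an empty result means every channel block still matches the model above. The parser is intentionally simple and does not follow include directives, so pass it the file that actually holds the location blocks.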