Exposing Private Guix Channels via HTTPS with Per-Channel Authentication
We expose internal Guix channels over HTTPS using git-http-backend, Nginx, and HTTP basic authentication. This setup allows us to:
- Serve Guix channels securely over the web
- Enforce per-channel access control using .htpasswd files
- Avoid embedding credentials in channels.scm
- Keep channel access and source-fetch access decoupled
Design Summary
- Each channel is a bare Git repository under /home/git/repositories/
- Channels are served via Nginx over /git/<channel>.git
- Access is protected with per-channel .htpasswd files
- Users run guix pull using the clean channel URL (no embedded credentials)
- SSH is used for source fetching inside the channel when needed
Nginx Configuration Snippet
{{{#!nginx
location ~ ^/git(/channel-alpha\.git(/.*)?)$ {
    auth_basic           "Restricted Channel Alpha";
    auth_basic_user_file /etc/nginx/htpasswd-channel-alpha;

    include       /etc/nginx/fastcgi_params;
    fastcgi_pass  127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME  /run/current-system/profile/libexec/git-core/git-http-backend;
    fastcgi_param GIT_PROJECT_ROOT /home/git/repositories;
    # git-http-backend opens $GIT_PROJECT_ROOT$PATH_INFO, so the capture must
    # start at the repository name (/channel-alpha.git/info/refs), not after it.
    fastcgi_param PATH_INFO        $1;
    # REMOTE_USER is what git-http-backend uses to tell authenticated requests
    # from anonymous ones; see Best Practices for what that enables.
    fastcgi_param REMOTE_USER      $remote_user;
}
}}}
Repeat with appropriate changes for other channels (e.g., channel-beta.git, with its own .htpasswd).
File Structure
{{{
/home/git/repositories/channel-alpha.git/                      # bare Git repo
/home/git/repositories/channel-alpha.git/git-daemon-export-ok  # required while GIT_HTTP_EXPORT_ALL is unset
/etc/nginx/htpasswd-channel-alpha                              # credentials for this channel only
}}}
User Setup
Users configure ~/.config/guix/channels.scm like this:
{{{#!scheme
(list
 (channel
  (name 'channel-alpha)
  (url "https://kokyou.dev/git/channel-alpha.git")
  (introduction
   (make-channel-introduction
    "commit-hash"
    (openpgp-fingerprint "AAAA BBBB CCCC ...")))))
}}}
On the first guix pull, Git prompts for the HTTP credentials that match the channel's Nginx .htpasswd file.
No credentials are embedded in the URL or stored in channels.scm, so the channel file itself contains no secret.
Best Practices
- Leave GIT_HTTP_EXPORT_ALL unset in the Nginx configuration. With it unset, git-http-backend only serves repositories that contain a git-daemon-export-ok file, so a repository dropped into /home/git/repositories/ is not exposed by accident; create that file explicitly for each channel you intend to publish.
- Set http.receivepack to false in every channel repository (git config http.receivepack false). git-http-backend enables git-receive-pack by default whenever the web server sets REMOTE_USER, so without this setting every holder of a channel's htpasswd credentials can push to the channel, not just fetch it.
- Keep the location HTTPS-only. Basic authentication sends the password (base64-encoded, not encrypted) with every request, including every guix pull.
- Generate .htpasswd entries with a strong hash (htpasswd -B for bcrypt where the system crypt(3) supports it; Nginx also accepts apr1) and keep the files readable by the Nginx user only.
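A provisioning script for the repository layout in File Structure and the repository-level settings in Best Practices, written for this page as an added example (it is not the channel operator's own tooling). It assumes git plus either htpasswd (apache2-utils) or openssl on PATH, and curl for the remote probe; the channel name, paths and user names are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not part of the original page: provision one private channel
# in the layout above and probe the deployed endpoint.  Assumed (not stated on
# the page): git, and either htpasswd or openssl, on PATH; curl for the probe.
set -eu

# Create a bare repository that git-http-backend may export read-only.
# With GIT_HTTP_EXPORT_ALL unset the backend refuses any repository lacking a
# git-daemon-export-ok file, so create it explicitly for published channels.
provision_channel() {
    root=$1 name=$2
    repo="$root/$name.git"
    git init --quiet --bare "$repo"
    : > "$repo/git-daemon-export-ok"
    # git-http-backend enables git-receive-pack for every request in which the
    # web server set REMOTE_USER, i.e. for every holder of htpasswd credentials.
    # Channel consumers only fetch, so disable push at the repository level.
    git -C "$repo" config http.receivepack false
    git -C "$repo" config http.uploadpack true
    printf '%s\n' "$repo"
}

# Add or replace one user in a per-channel htpasswd file.  The password is
# handed to the hashing tool on stdin so it never shows up in a process list.
# bcrypt is preferred (Nginx checks it through crypt(3), which needs libxcrypt);
# apr1 is the fallback that every Nginx build understands.
add_channel_user() {
    file=$1 user=$2 pass=$3
    case $user in *:*|'') echo "invalid user name: $user" >&2; return 1;; esac
    if command -v htpasswd >/dev/null 2>&1; then
        entry=$(printf '%s\n' "$pass" | htpasswd -niB "$user")
    else
        entry="$user:$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)"
    fi
    tmp=$(mktemp)
    if [ -f "$file" ]; then
        awk -F: -v u="$user" '$1 != u' "$file" > "$tmp"   # drop any old entry
    fi
    printf '%s\n' "$entry" >> "$tmp"
    mv "$tmp" "$file"
    chmod 0640 "$file"   # group-readable for the nginx user only; chown as needed
}

# Number of entries in an htpasswd file (used by the checks below).
htpasswd_users() {
    awk -F: 'NF >= 2 { n++ } END { print n + 0 }' "$1"
}

http_code() { curl -s -o /dev/null -w '%{http_code}' "$@"; }

# Probe a deployed channel URL the way git's smart-HTTP client will:
# anonymous fetch refused, authenticated fetch advertised, push refused
# even with valid credentials (git-http-backend answers 403 when
# http.receivepack is false).  Credentials reach curl via a config block
# on stdin rather than on argv.
verify_channel() {
    url=$1 user=$2 pass=$3
    anon=$(http_code "$url/info/refs?service=git-upload-pack")
    [ "$anon" = 401 ] || { echo "anonymous fetch: expected 401, got $anon" >&2; return 1; }
    auth=$(printf 'user = "%s:%s"\n' "$user" "$pass" |
           http_code -K - "$url/info/refs?service=git-upload-pack")
    [ "$auth" = 200 ] || { echo "authenticated fetch: expected 200, got $auth" >&2; return 1; }
    push=$(printf 'user = "%s:%s"\n' "$user" "$pass" |
           http_code -K - "$url/info/refs?service=git-receive-pack")
    [ "$push" = 403 ] || { echo "push: expected 403, got $push" >&2; return 1; }
    echo "ok: $url is fetch-only for $user"
}

# Usage: sh provision-channel.sh /home/git/repositories channel-alpha \
#            /etc/nginx/htpasswd-channel-alpha alice
if [ "$#" -eq 4 ]; then
    provision_channel "$1" "$2"
    printf 'password for %s: ' "$4" >&2
    [ -t 0 ] && stty -echo
    IFS= read -r pw
    [ -t 0 ] && { stty echo; echo >&2; }
    add_channel_user "$3" "$4" "$pw"
fi
```

After the Nginx location is in place, `verify_channel https://kokyou.dev/git/channel-alpha.git alice "$pw"` run from any client confirms the three behaviours a consumer-only channel needs: no anonymous access, working authenticated fetch, and no push for ordinary credential holders.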