services/cgit: add declarative public repo markers via Nix

Use strict-export=git-daemon-export-ok for visibility control.
Public repos: testing, nixtaml, nixtaml-website
Private repos: crash-web, gitolite-admin (SSH auth only)

Never make imperative changes - Nix is the source of truth.

1 files changed, 26 insertions, 0 deletions

diff --git a/services/cgit.nix b/services/cgit.nix
index e8e557e..a636ec2 100644
--- a/services/cgit.nix
+++ b/services/cgit.nix
@@ -82,6 +82,28 @@
       '';
     };
 
+    # Declarative public repository markers
+    systemd.services.cgit-public-repos = {
+      description = "Mark public repositories for cgit visibility";
+      wantedBy = [ "gitolite-init.service" ];
+      after = [ "gitolite-init.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = "git";
+        Group = "git";
+      };
+      script = ''
+        # Public repos - visible on cgit web interface
+        touch /var/lib/gitolite/repositories/testing.git/git-daemon-export-ok
+        touch /var/lib/gitolite/repositories/nixtaml.git/git-daemon-export-ok
+        touch /var/lib/gitolite/repositories/nixtaml-website.git/git-daemon-export-ok
+
+        # Private repos - only accessible via SSH auth
+        rm -f /var/lib/gitolite/repositories/crash-web.git/git-daemon-export-ok
+        rm -f /var/lib/gitolite/repositories/gitolite-admin.git/git-daemon-export-ok
+      '';
+    };
+
   environment.etc."cgitrc".text = ''
     virtual-root=/
 
@@ -135,6 +157,10 @@
     source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
     about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
 
+    # Public/private visibility control
+    # Only repos with git-daemon-export-ok file are visible on web
+    strict-export=git-daemon-export-ok
+
     project-list=/var/lib/gitolite/projects.list
     scan-path=/var/lib/gitolite/repositories
   '';