feat(ops/nixos/camden): Set up cgit service

Adds a user & group which are configured to own the local depot copy,
and a cgit service to serve it.

The depot checkout was configured as:

  mkdir -p /var/git && chown git: /var/git

  # now, as the git user, in /var/git
  git clone --bare ... depot
  chmod -R g+rw /var/git
  chmod g+s (find /var/git -type d)
  git init --bare --shared=all depot

My personal user is a member of the git group, which means that after
the above configuration I can push to the bare repo as my user and
things work.

Also, crucially, the `post-update` hook must be enabled as cgit uses
the dumb HTTP transport.

ops/nixos/camden/default.nix

@@ -93,11 +93,21 @@ in pkgs.lib.fix(self: {
       curl emacs26-nox gnupg pass pciutils direnv
     ]);
 
-  users.users.tazjin = {
+  users = {
-    isNormalUser = true;
+    # Set up my own user for logging in and doing things ...
-    uid = 1000;
+    users.tazjin = {
-    extraGroups = [ "wheel" ];
+      isNormalUser = true;
-    shell = nixpkgs.fish;
+      uid = 1000;
+      extraGroups = [ "git" "wheel" ];
+      shell = nixpkgs.fish;
+    };
+
+    # Set up a user & group for general git shenanigans
+    groups.git = {};
+    users.git = {
+      group = "git";
+      isNormalUser = false;
+    };
   };
 
   # Services setup
@@ -121,6 +131,18 @@ in pkgs.lib.fix(self: {
     } ;
   };
 
+  # Run cgit for the depot. The onion here is nginx(thttpd(cgit)).
+  systemd.services.cgit = {
+    wantedBy = [ "multi-user.target" ];
+    script = "${pkgs.web.cgit-taz}/bin/cgit-launch";
+
+    serviceConfig = {
+      Restart = "on-failure";
+      User = "git";
+      Group = "git";
+    };
+  };
+
   # serve my website
   services.nginx = {
     enable = true;