max / makenotwork

Update mnw-cli docs for git auto-create delegation

Document the new auto-create flow in architecture.md and record the fix in todo.md with implementation details.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author: Max J. <87768334+MaxJMath@users.noreply.github.com> · 2026-05-03 00:44 UTC
Commit: a8bf638fe043beb5fbacea9575e7839d2d7bcc6f
Parent: 654cb2d
2 files changed, +15 insertions, -5 deletions
@@ -112,12 +112,16 @@ SSH subsystem "sftp" -> russh-sftp handler
112 112
113 113 ### Git proxy
114 114 ```
115 - SSH exec "git-upload-pack repo.git" -> parse command
116 - -> lookup repo via API (verify user access)
117 - -> spawn git subprocess with sudo as GIT_SUDO_USER
115 + SSH exec "git-receive-pack repo.git" -> parse command
116 + -> POST /api/internal/git/authorize (verify access, auto-register new repos in DB)
117 + -> if repo path doesn't exist on disk: git init --bare --shared=group (direct, no sudo)
118 + -> install post-receive hook if BUILD_TRIGGER_TOKEN set
119 + -> spawn git subprocess with sudo -u GIT_SUDO_USER
118 120 -> wire subprocess stdin/stdout to SSH channel
119 121 ```
120 122
123 + Repo auto-create runs as the mnw-cli user (in the git group). Parent dirs have setgid, so new repos inherit git group ownership. `--shared=group` makes repos group-writable so the git user can write via git-receive-pack. The server only handles DB registration — all filesystem operations happen in mnw-cli.
124 +
121 125 ## Key Dependencies
122 126
123 127 | Crate | Role |
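Review bot: the new `git init --bare --shared=group` step (line 117) creates a directory on disk from a repo name parsed out of the client's SSH exec string (line 115), but the documented flow never says where that path is canonicalized and confined to the repo root before init runs; please add that step to the diagram (or a sentence to the paragraph at line 123), since the authorize call on line 116 verifies access, not path shape. Two smaller points on the same hunk: line 116 auto-registers the repo in the DB before the on-disk init on line 117, so the doc should state what happens when init fails (stale DB row vs. rollback); and "direct, no sudo" on line 117 should say which user owns the resulting directory, given that line 119 still runs the pack commands as `GIT_SUDO_USER` and `--shared=group` is what makes that writable.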
@@ -1,7 +1,7 @@
1 1 # mnw-cli TODO
2 2
3 3 ## Status
4 - Done: Phases 1-8, Git proxy A-C. Active: None. Next: Deploy.
4 + Done: Phases 1-8, Git proxy A-D (except D5). Active: None. Next: D5 DNS, PoM health check.
5 5
6 6 ---
7 7
@@ -9,7 +9,7 @@ Done: Phases 1-8, Git proxy A-C. Active: None. Next: Deploy.
9 9
10 10 - [x] D1: Move sshd to port 2200, `ListenAddress 100.120.174.96` (Tailscale only) — done 2026-04-22
11 11 - [x] D2: Update mnw-cli .env (`SSH_PORT=22`, `GIT_SUDO_USER=git`) — done 2026-04-22
12 - - [x] D3: Sudoers rule (`/etc/sudoers.d/mnw-cli-git` — git-upload-pack, git-receive-pack, git-upload-archive) — done 2026-04-22
12 + - [x] D3: Sudoers rule (`/etc/sudoers.d/mnw-cli-git` — git-upload-pack, git-receive-pack, git-upload-archive, git, tee, chmod) — done 2026-04-22, extended 2026-05-03
13 13 - [x] D4: Firewall — removed 2222/tcp, added 2200/tcp — done 2026-04-22
14 14 - [ ] D5: DNS — `cli.makenot.work` A record -> `5.78.144.244`, proxy OFF (needs Cloudflare dashboard)
15 15 - [x] D6: Restart sequence verified — admin SSH on 2200, mnw-cli on 22, both running — done 2026-04-22
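Review bot: line 12 widens the sudoers rule from three narrowly scoped pack commands to also include bare `git`, `tee` and `chmod` run as the git user, which is a much larger grant (unrestricted `git` covers every subcommand, and `tee` writes arbitrary files as that user), yet the architecture change in this same commit says repo init now runs "direct, no sudo". Please record in D3 which step actually still needs each of `git`, `tee` and `chmod` under sudo, and pin the rule to the exact argument forms used (as the existing entry already does for `git-upload-pack`, `git-receive-pack`, `git-upload-archive`) rather than the bare binaries.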
@@ -20,6 +20,12 @@ Done: Phases 1-8, Git proxy A-C. Active: None. Next: Deploy.
20 20 - [x] Verified: SSH auth, TUI launch, git ls-remote, git clone all working — 2026-04-22
21 21 - [x] Fixed: NoNewPrivileges blocking sudo for git ops — 2026-04-22
22 22 - [x] Fixed: Tailscale SSH intercepting port 22 — disabled on hetzner — 2026-04-22
23 + - [x] Fixed: Git repo auto-create on first push — 2026-05-03
24 + - Repo creation delegated from server to mnw-cli (server only registers in DB)
25 + - mnw-cli runs `git init --bare --shared=group` directly (in git group, setgid parent dir)
26 + - `safe.directory=*` set for git service user
27 + - Post-receive hook installed by mnw-cli after init
28 + - Sudoers extended with git, tee, chmod
23 29 - [ ] Add PoM health check for mnw-cli (port 22 SSH banner check)
24 30
25 31 ## Remaining Features (from design doc)
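Review bot: line 26 records `safe.directory=*` for the git service user, which turns off git's repository-ownership check everywhere for that user rather than only under the repo root; since line 25 already fixes the ownership model (git group, setgid parent), the setting should be scoped to the repo root path and the reason for the wildcard noted if it is really required. Related, line 27 says mnw-cli installs the post-receive hook after init: because hooks run as the git user on every push and line 25 makes the repo group-writable, the TODO entry should note the hook file's owner and mode so that the write permission granted for `git-receive-pack` does not also cover the hook itself.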