Git for version control of the NixOS config "dubious ownership"

Hello, how can I use git for version control of my NixOS config? My git does not like it that /etc/nixos is owned by root, and refuses to do anything.

$ git status
fatal: detected dubious ownership in repository at '/etc/nixos'
To add an exception for this directory, call:

     git config --global --add safe.directory /etc/nixos

(obviously the suggested fix here does not work because the git configuration is read only)

Here is my git config in home manager

  programs.git = {
    enable = true;
    settings.user = {
      name = "mcfish";
      email = "noemail@example.com";
      init.defaultBranch = "main";
      safe.directory = ["/etc/nixos"];
    };
  };

I thought the safe.directory would fix it but it did not work.
I would also prefer to keep the ownership of /etc/nixos with root because it seems more secure to me.

Well, the obvious solution would be to not have it owned by root, but your user instead, many of us even have the config at a different location in their home.

2 Likes

Hm, I don't recommend what you are trying to do, but git suggesting something that's not working is suboptimal.

why do you recommend against it?

  1. There was a CVE in git that allowed for privilege escalation and impersonation, if the contents of the .git was owned by someone else. This critical error and setting exist as a first barrier, and even though the CVE is considered “fixed”, there is no guarantee that another attack based on similar principles can exist.
  2. Dealing with repos that you do not own yourself might either result in “no permission” errors when trying to write files actually owned by the other user, eventually getting the repo into an inconsistent and irreparable state.
4 Likes

I was not aware of that, thanks for the heads up! You convinced me.

The reason I wanted the configuration to be owned by root is that installing software seems like a thing only root should do and should require me to enter my password. If the config is just in my home directory its integrity is less protected.
Of course sudo nixos-rebuild switch requires root but still, noticing that the configuration changed is difficult in my opinion.

Am I overthinking this?

If you want your configuration owned by root, then you don’t use home manager to configure git either. You’ll have to configure git for your root user separately (or imperatively configure that repo) and always edit with root, do all operations on the repo as root.

2 Likes

Yes, this is what I was envisioning. Would that be a security risk in some way similar to what @NobbZ described?

You’re already executing git as root. Trying to impersonate root when you’re already root is pretty pointless; you’re already root.

The CVE that nobbz is referring to is when the repo is owned by one user and you run git with another. If everything is run as root then there’s no issue, other than inconvenience.

1 Like

Though when interacting with the repo as root, the critical error wouldn’t appear. So they were very likely using the user to access or interact with the repo.

Yeah, but this particular question is about whether just accepting that you have to be root to edit /etc/nixos bears any risks (presumably besides having to run editors and whatnot as root).

2 Likes

I use sudoedit instead of running an editor as root, which mitigates that risk from what I understand.
To clarify, I meant to ask whether running git specifically as root bears any risks or is a bad idea.

1 Like

You need to move safe.directory (and init.defaultBranch) out of programs.git.settings.user to programs.git.settings like so:

programs.git = {
  enable = true;
  settings = {
    user = {
      name = "mcfish";
      email = "noemail@example.com";
    };
    init.defaultBranch = "main";
    safe.directory = [ "/etc/nixos" ];
  };
};

Hope this helps.
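To make the two conditions behind the "dubious ownership" error concrete (the barrier described in the numbered list above, and the reason the safe.directory entry has to land in the [safe] section of the generated config rather than under [user]), here is an added POSIX sh example. It is not code from the thread or from git/home-manager; it re-implements git's check in a simplified form: a repository is accepted when its top-level directory is owned by the invoking user, or when the path (or the wildcard "*") is listed as safe.directory in a git config file. The two config files it writes are constructed for the demo and mimic what a correct and a misplaced setting look like on disk.

```shell
#!/bin/sh
# Added example, not the thread's or git's own code. Reproduces, in plain sh,
# the two ways git accepts a repository: owner matches the caller, or the
# path is listed under [safe] directory in a config file.

# Returns 0 when the directory is owned by the current user (mirrors git's
# ownership check). POSIX find: -prune stops descent, -user matches the owner.
repo_owned_by_me() {
    dir=$1
    [ -d "$dir" ] || return 2
    [ -n "$(find "$dir" -prune -user "$(id -un)" -print 2>/dev/null)" ]
}

# Returns 0 when config file $1 lists $2 (or "*") as safe.directory.
# Only entries inside the [safe] section count; a "safe.directory" key
# placed under [user] is ignored, exactly like git ignores it.
safe_directory_listed() {
    cfg=$1
    want=$2
    [ -f "$cfg" ] || return 1
    awk -v want="$want" '
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        section == "safe" {
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*$/, "", key)
            if (key != "directory") next
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (val == want || val == "*") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$cfg"
}

# Combined decision: 0 = git would work in the repo, 1 = "dubious ownership".
git_would_accept() {
    repo_owned_by_me "$1" || safe_directory_listed "$2" "$1"
}

# Writes two constructed config files into directory $1:
#   $1/good.gitconfig  - safe.directory in the [safe] section (correct)
#   $1/bad.gitconfig   - the key misplaced under [user] (ignored by git)
write_sample_configs() {
    printf '[user]\n\tname = mcfish\n\temail = noemail@example.com\n[init]\n\tdefaultBranch = main\n[safe]\n\tdirectory = /etc/nixos\n' \
        > "$1/good.gitconfig"
    printf '[user]\n\tname = mcfish\n\temail = noemail@example.com\n\tsafe.directory = /etc/nixos\n' \
        > "$1/bad.gitconfig"
}

# Stand-alone demo against a temporary directory we own.
demo() {
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    if git_would_accept /etc/nixos "$tmp/good.gitconfig"; then
        echo "/etc/nixos: accepted via [safe] directory (or owned by you)"
    fi
    if ! safe_directory_listed "$tmp/bad.gitconfig" /etc/nixos; then
        echo "/etc/nixos: NOT listed when the key sits under [user]"
    fi
    rm -rf "$tmp"
}

[ "${1:-}" = "--demo" ] && demo
```

Run with `sh script.sh --demo`. The `good.gitconfig` layout is what the corrected home-manager snippet above produces (a `[safe]` section with a `directory` line); the `bad.gitconfig` file shows why the original snippet did not help: the key never ends up in the section git consults.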

safe.directory is unnecessary here.

1 Like