author | tv <tv@shackspace.de> | 2015-07-24 19:33:20 +0200 |
---|---|---|
committer | tv <tv@shackspace.de> | 2015-07-24 19:33:20 +0200 |
commit | 54becaa19fcbc11ac709ddaf86e56ee3b736931d (patch) | |
tree | 28357f0dd122e02a96424c0707c35cdc2177ca3a | |
parent | f4309272e2531a136a40d2332d1bfecec16d9a91 (diff) |
tv git: add restricted repos
-rw-r--r-- | 1systems/tv/cd.nix | 2 | ||||
-rw-r--r-- | 1systems/tv/mkdir.nix | 2 | ||||
-rw-r--r-- | 1systems/tv/nomic.nix | 2 | ||||
-rw-r--r-- | 1systems/tv/rmdir.nix | 2 | ||||
-rw-r--r-- | 1systems/tv/wu.nix | 3 | ||||
-rw-r--r-- | 2configs/tv/git.nix (renamed from 2configs/tv/git-public.nix) | 26 |
6 files changed, 30 insertions, 7 deletions
diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix
index b15b1897e..d30e7ed8f 100644
--- a/1systems/tv/cd.nix
+++ b/1systems/tv/cd.nix
@@ -13,7 +13,7 @@ in
 ../../2configs/tv/base.nix
 ../../2configs/tv/consul-server.nix
 ../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
+ ../../2configs/tv/git.nix
 {
 imports = [ ../../2configs/tv/charybdis.nix ];
 tv.charybdis = {
diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix
index 03d0c00f1..3e5fb7286 100644
--- a/1systems/tv/mkdir.nix
+++ b/1systems/tv/mkdir.nix
@@ -9,7 +9,7 @@ with lib;
 ../../2configs/tv/base.nix
 ../../2configs/tv/consul-server.nix
 ../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
+ ../../2configs/tv/git.nix
 {
 imports = [ ../../2configs/tv/identity.nix ];
 tv.identity.self = config.tv.identity.hosts.mkdir;
diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix
index 367502eed..2d32d9e1f 100644
--- a/1systems/tv/nomic.nix
+++ b/1systems/tv/nomic.nix
@@ -8,7 +8,7 @@ with lib;
 ../../2configs/tv/base.nix
 ../../2configs/tv/consul-server.nix
 ../../2configs/tv/exim-retiolum.nix
- ../../2configs/tv/git-public.nix
+ ../../2configs/tv/git.nix
 {
 imports = [ ../../2configs/tv/identity.nix ];
 tv.identity.self = config.tv.identity.hosts.nomic;
diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix
index 497354e68..c470086ce 100644
--- a/1systems/tv/rmdir.nix
+++ b/1systems/tv/rmdir.nix
@@ -9,7 +9,7 @@ with lib;
 ../../2configs/tv/base.nix
 ../../2configs/tv/consul-server.nix
 ../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
+ ../../2configs/tv/git.nix
 {
 imports = [ ../../2configs/tv/identity.nix ];
 tv.identity.self = config.tv.identity.hosts.rmdir;
diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix
index 8470a4f23..234b80559 100644
--- a/1systems/tv/wu.nix
+++ b/1systems/tv/wu.nix
@@ -12,8 +12,7 @@ in ../../2configs/tv/base.nix ../../2configs/tv/consul-client.nix ../../2configs/tv/exim-retiolum.nix - ../../2configs/tv/git-public.nix - # TODO git-private.nix + ../../2configs/tv/git.nix ../../2configs/tv/mail-client.nix ../../2configs/tv/xserver.nix ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled diff --git a/2configs/tv/git-public.nix b/2configs/tv/git.nix index 1bf44e0fc..ac1c413c4 100644 --- a/2configs/tv/git-public.nix +++ b/2configs/tv/git.nix @@ -11,7 +11,11 @@ let }; }; - repos = public-repos; + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( + public-repos // + optionalAttrs config.tv.identity.self.secure restricted-repos + ); + rules = concatMap make-rules (attrValues repos); public-repos = mapAttrs make-public-repo { @@ -36,6 +40,15 @@ let xintmap = {}; }; + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with users; [ lass makefu ]; + }; + } // + import /root/src/secrets/repos.nix { inherit config lib pkgs users; } + ); + # TODO move users to separate module users = mapAttrs make-user { tv = ../../Zpubkeys/tv_wu.ssh.pub; @@ -57,6 +70,12 @@ let }; }; + make-restricted-repo = name: { desc ? null, ... }: { + inherit name desc; + public = false; + hooks = {}; # TODO default + }; + make-rules = with git // users; repo: @@ -69,6 +88,11 @@ let user = [ lass makefu uriel ]; repo = [ repo ]; perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; }; make-user = name: pubkey-file: { |
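Review bot: The collaborator rule added in the make-rules hunk (`optional (length (repo.collaborators or []) > 0) { user = repo.collaborators; ... }`) can never fire, because `collaborators` is dropped twice before make-rules sees a repo: make-restricted-repo in the `+70` hunk returns only `name`, `desc`, `public` and `hooks`, and `repos` in the `+11` hunk additionally applies `removeAttrs s ["collaborators"]` while the unchanged `rules = concatMap make-rules (attrValues repos);` line reads that stripped set. The practical effect is that the users listed under `brain.collaborators` and in the imported secrets file get no fetch permission at all; the change fails closed rather than open, but the feature the commit message announces is not actually wired up. Carry the attribute through make-restricted-repo and derive `rules` from the unstripped set, keeping the stripped `repos` for whatever consumes it elsewhere (that consumer is outside the hunks, so I am assuming the strip is needed there). The enclosing `let` block starts and ends outside these hunks.
```nix
  all-repos = public-repos //
    optionalAttrs config.tv.identity.self.secure restricted-repos;

  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;

  rules = concatMap make-rules (attrValues all-repos);

  # … unchanged: public-repos, restricted-repos, users …

  make-restricted-repo = name: { desc ? null, collaborators ? [], ... }: {
    inherit name desc collaborators;
    public = false;
    hooks = {}; # TODO default
  };
```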
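Review bot: `import /root/src/secrets/repos.nix { inherit config lib pkgs users; }` in the restricted-repos hunk reads a file outside the repository at evaluation time, so the configuration only evaluates on a machine that has that root-owned path, and on hosts where `config.tv.identity.self.secure` is true a missing file is an evaluation error rather than an empty set (`optionalAttrs` keeps the import lazy on the other hosts). Whatever that file contributes — repo names, descriptions, collaborator lists — is merged into `repos` and `rules`, which presumably end up in generated store paths, so the file should carry access configuration only and never key material; a comment at the import would make that contract explicit, e.g. `# read on the evaluating host; its values land in the store, keep secrets out`. Consider also asserting the imported value is an attribute set, since a wrong file content would otherwise surface as an obscure `//` error deep in the let block, which starts and ends outside the hunk.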