author | tv <tv@krebsco.de> | 2016-02-08 03:23:28 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2016-02-08 03:35:29 +0100 |
commit | 8e93530796982db49ddeb06201d2f5bb57d51ccc (patch) | |
tree | 0c2982f48ca668cc034f4c10485c6a5b0e841d81 /miefda/2configs/git.nix | |
parent | 7a9f130c1230faf9662000dbd9ba8f06170bf254 (diff) | |
parent | 5856d240888e89dbed141087c9580026f52dff59 (diff) |
Merge remote-tracking branch 'cloudkrebs/master'
Diffstat (limited to 'miefda/2configs/git.nix')
-rw-r--r-- | miefda/2configs/git.nix | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/miefda/2configs/git.nix b/miefda/2configs/git.nix
new file mode 100644
index 000000000..fec828f80
--- /dev/null
+++ b/miefda/2configs/git.nix
@@ -0,0 +1,87 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ out = {
+ krebs.git = {
+ enable = true;
+ root-title = "public repositories at ${config.krebs.build.host.name}";
+ root-desc = "keep calm and engage";
+ repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
+ rules = rules;
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
+ ];
+ };
+
+ repos =
+ public-repos //
+ optionalAttrs config.krebs.build.host.secure restricted-repos;
+
+ rules = concatMap make-rules (attrValues repos);
+
+ public-repos = mapAttrs make-public-repo {
+ painload = {};
+ stockholm = {
+ desc = "take all the computers hostage, they'll love you!";
+ };
+ #wai-middleware-time = {};
+ #web-routes-wai-custom = {};
+ #go = {};
+ #newsbot-js = {};
+ #kimsufi-check = {};
+ #realwallpaper = {};
+ };
+
+ restricted-repos = mapAttrs make-restricted-repo (
+ {
+ brain = {
+ collaborators = with config.krebs.users; [ tv makefu ];
+ };
+ } //
+ import <secrets/repos.nix> { inherit config lib pkgs; }
+ );
+
+ make-public-repo = name: { desc ? null, ... }: {
+ inherit name desc;
+ public = true;
+ hooks = {
+ post-receive = pkgs.git-hooks.irc-announce {
+ # TODO make nick = config.krebs.build.host.name the default
+ nick = config.krebs.build.host.name;
+ channel = "#retiolum";
+ server = "cd.retiolum";
+ verbose = config.krebs.build.host.name == "bobby";
+ };
+ };
+ };
+
+ make-restricted-repo = name: { collaborators ? [], desc ? null, ... }: {
+ inherit name collaborators desc;
+ public = false;
+ };
+
+ make-rules =
+ with git // config.krebs.users;
+ repo:
+ singleton {
+ user = miefda;
+ repo = [ repo ];
+ perm = push "refs/*" [ non-fast-forward create delete merge ];
+ } ++
+ optional repo.public {
+ user = [ lass tv makefu uriel ];
+ repo = [ repo ];
+ perm = fetch;
+ } ++
+ optional (length (repo.collaborators or []) > 0) {
+ user = repo.collaborators;
+ repo = [ repo ];
+ perm = fetch;
+ };
+
+in out |
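Review bot: The first rule in `make-rules` grants `miefda` `push "refs/*" [ non-fast-forward create delete merge ]` on every repo, restricted ones included, so one key can rewrite or delete any ref and no branch is protected; nothing in the file says whether that is intended. If history on the main branch should survive a compromised or mistaken push, narrow that rule, e.g. `perm = push "refs/heads/master" [ create merge ];` with a second rule keeping the wider set for other refs; otherwise document the choice with `# owner may force-push and delete any ref; no protected branches`. Separately, `import <secrets/repos.nix>` is evaluated into the configuration, so the restricted repo names and collaborators it returns presumably end up in whatever the krebs.git module writes to the Nix store. A comment near the import should say that this keeps the names out of the source tree only, not off the host.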