tv git: add restricted repos
parent
f4309272e2
commit
54becaa19f
@ -13,7 +13,7 @@ in
|
|||||||
../../2configs/tv/base.nix
|
../../2configs/tv/base.nix
|
||||||
../../2configs/tv/consul-server.nix
|
../../2configs/tv/consul-server.nix
|
||||||
../../2configs/tv/exim-smarthost.nix
|
../../2configs/tv/exim-smarthost.nix
|
||||||
../../2configs/tv/git-public.nix
|
../../2configs/tv/git.nix
|
||||||
{
|
{
|
||||||
imports = [ ../../2configs/tv/charybdis.nix ];
|
imports = [ ../../2configs/tv/charybdis.nix ];
|
||||||
tv.charybdis = {
|
tv.charybdis = {
|
||||||
|
@ -9,7 +9,7 @@ with lib;
|
|||||||
../../2configs/tv/base.nix
|
../../2configs/tv/base.nix
|
||||||
../../2configs/tv/consul-server.nix
|
../../2configs/tv/consul-server.nix
|
||||||
../../2configs/tv/exim-smarthost.nix
|
../../2configs/tv/exim-smarthost.nix
|
||||||
../../2configs/tv/git-public.nix
|
../../2configs/tv/git.nix
|
||||||
{
|
{
|
||||||
imports = [ ../../2configs/tv/identity.nix ];
|
imports = [ ../../2configs/tv/identity.nix ];
|
||||||
tv.identity.self = config.tv.identity.hosts.mkdir;
|
tv.identity.self = config.tv.identity.hosts.mkdir;
|
||||||
|
@ -8,7 +8,7 @@ with lib;
|
|||||||
../../2configs/tv/base.nix
|
../../2configs/tv/base.nix
|
||||||
../../2configs/tv/consul-server.nix
|
../../2configs/tv/consul-server.nix
|
||||||
../../2configs/tv/exim-retiolum.nix
|
../../2configs/tv/exim-retiolum.nix
|
||||||
../../2configs/tv/git-public.nix
|
../../2configs/tv/git.nix
|
||||||
{
|
{
|
||||||
imports = [ ../../2configs/tv/identity.nix ];
|
imports = [ ../../2configs/tv/identity.nix ];
|
||||||
tv.identity.self = config.tv.identity.hosts.nomic;
|
tv.identity.self = config.tv.identity.hosts.nomic;
|
||||||
|
@ -9,7 +9,7 @@ with lib;
|
|||||||
../../2configs/tv/base.nix
|
../../2configs/tv/base.nix
|
||||||
../../2configs/tv/consul-server.nix
|
../../2configs/tv/consul-server.nix
|
||||||
../../2configs/tv/exim-smarthost.nix
|
../../2configs/tv/exim-smarthost.nix
|
||||||
../../2configs/tv/git-public.nix
|
../../2configs/tv/git.nix
|
||||||
{
|
{
|
||||||
imports = [ ../../2configs/tv/identity.nix ];
|
imports = [ ../../2configs/tv/identity.nix ];
|
||||||
tv.identity.self = config.tv.identity.hosts.rmdir;
|
tv.identity.self = config.tv.identity.hosts.rmdir;
|
||||||
|
@ -12,8 +12,7 @@ in
|
|||||||
../../2configs/tv/base.nix
|
../../2configs/tv/base.nix
|
||||||
../../2configs/tv/consul-client.nix
|
../../2configs/tv/consul-client.nix
|
||||||
../../2configs/tv/exim-retiolum.nix
|
../../2configs/tv/exim-retiolum.nix
|
||||||
../../2configs/tv/git-public.nix
|
../../2configs/tv/git.nix
|
||||||
# TODO git-private.nix
|
|
||||||
../../2configs/tv/mail-client.nix
|
../../2configs/tv/mail-client.nix
|
||||||
../../2configs/tv/xserver.nix
|
../../2configs/tv/xserver.nix
|
||||||
../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled
|
../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled
|
||||||
|
@ -11,7 +11,11 @@ let
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
repos = public-repos;
|
repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
|
||||||
|
public-repos //
|
||||||
|
optionalAttrs config.tv.identity.self.secure restricted-repos
|
||||||
|
);
|
||||||
|
|
||||||
rules = concatMap make-rules (attrValues repos);
|
rules = concatMap make-rules (attrValues repos);
|
||||||
|
|
||||||
public-repos = mapAttrs make-public-repo {
|
public-repos = mapAttrs make-public-repo {
|
||||||
@ -36,6 +40,15 @@ let
|
|||||||
xintmap = {};
|
xintmap = {};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
restricted-repos = mapAttrs make-restricted-repo (
|
||||||
|
{
|
||||||
|
brain = {
|
||||||
|
collaborators = with users; [ lass makefu ];
|
||||||
|
};
|
||||||
|
} //
|
||||||
|
import /root/src/secrets/repos.nix { inherit config lib pkgs users; }
|
||||||
|
);
|
||||||
|
|
||||||
# TODO move users to separate module
|
# TODO move users to separate module
|
||||||
users = mapAttrs make-user {
|
users = mapAttrs make-user {
|
||||||
tv = ../../Zpubkeys/tv_wu.ssh.pub;
|
tv = ../../Zpubkeys/tv_wu.ssh.pub;
|
||||||
@ -57,6 +70,12 @@ let
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
make-restricted-repo = name: { desc ? null, ... }: {
|
||||||
|
inherit name desc;
|
||||||
|
public = false;
|
||||||
|
hooks = {}; # TODO default
|
||||||
|
};
|
||||||
|
|
||||||
make-rules =
|
make-rules =
|
||||||
with git // users;
|
with git // users;
|
||||||
repo:
|
repo:
|
||||||
@ -69,6 +88,11 @@ let
|
|||||||
user = [ lass makefu uriel ];
|
user = [ lass makefu uriel ];
|
||||||
repo = [ repo ];
|
repo = [ repo ];
|
||||||
perm = fetch;
|
perm = fetch;
|
||||||
|
} ++
|
||||||
|
optional (length (repo.collaborators or []) > 0) {
|
||||||
|
user = repo.collaborators;
|
||||||
|
repo = [ repo ];
|
||||||
|
perm = fetch;
|
||||||
};
|
};
|
||||||
|
|
||||||
make-user = name: pubkey-file: {
|
make-user = name: pubkey-file: {
|
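Review bot: The collaborator rule added at the end of `make-rules` looks unreachable: `make-restricted-repo` takes `{ desc ? null, ... }` and returns only `name`, `desc`, `public` and `hooks`, and `repos` then runs `removeAttrs s ["collaborators"]` before `rules` is computed from it. As a result `repo.collaborators or []` is always empty, so `lass` and `makefu` never get a fetch rule for `brain`. Carry the attribute through, e.g. `make-restricted-repo = name: { collaborators ? [], desc ? null, ... }: {` with `inherit collaborators name desc;`, and derive `rules` from the set before the `removeAttrs` pass. The preceding `user = [ lass makefu uriel ]` fetch rule opens in a part of `make-rules` that lies between the hunks, so it is not visible whether it is gated on `repo.public`. If it is unconditional, it would give `uriel` fetch on every restricted repo, including those imported from `/root/src/secrets/repos.nix`, so that condition should be confirmed.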