tv git: add restricted repos

1systems/tv/cd.nix

@@ -13,7 +13,7 @@ in
     ../../2configs/tv/base.nix
     ../../2configs/tv/consul-server.nix
     ../../2configs/tv/exim-smarthost.nix
-    ../../2configs/tv/git-public.nix
+    ../../2configs/tv/git.nix
     {
       imports = [ ../../2configs/tv/charybdis.nix ];
       tv.charybdis = {

1systems/tv/mkdir.nix

@@ -9,7 +9,7 @@ with lib;
     ../../2configs/tv/base.nix
     ../../2configs/tv/consul-server.nix
     ../../2configs/tv/exim-smarthost.nix
-    ../../2configs/tv/git-public.nix
+    ../../2configs/tv/git.nix
     {
       imports = [ ../../2configs/tv/identity.nix ];
       tv.identity.self = config.tv.identity.hosts.mkdir;

1systems/tv/nomic.nix

@@ -8,7 +8,7 @@ with lib;
     ../../2configs/tv/base.nix
     ../../2configs/tv/consul-server.nix
     ../../2configs/tv/exim-retiolum.nix
-    ../../2configs/tv/git-public.nix
+    ../../2configs/tv/git.nix
     {
       imports = [ ../../2configs/tv/identity.nix ];
       tv.identity.self = config.tv.identity.hosts.nomic;

1systems/tv/rmdir.nix

@@ -9,7 +9,7 @@ with lib;
     ../../2configs/tv/base.nix
     ../../2configs/tv/consul-server.nix
     ../../2configs/tv/exim-smarthost.nix
-    ../../2configs/tv/git-public.nix
+    ../../2configs/tv/git.nix
     {
       imports = [ ../../2configs/tv/identity.nix ];
       tv.identity.self = config.tv.identity.hosts.rmdir;

1systems/tv/wu.nix

@@ -12,8 +12,7 @@ in
     ../../2configs/tv/base.nix
     ../../2configs/tv/consul-client.nix
     ../../2configs/tv/exim-retiolum.nix
-    ../../2configs/tv/git-public.nix
-    # TODO git-private.nix
+    ../../2configs/tv/git.nix
     ../../2configs/tv/mail-client.nix
     ../../2configs/tv/xserver.nix
     ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled

2configs/tv/git.nix

@@ -11,7 +11,11 @@ let
     };
   };
 
-  repos = public-repos;
+  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
+    public-repos //
+    optionalAttrs config.tv.identity.self.secure restricted-repos
+  );
+
   rules = concatMap make-rules (attrValues repos);
 
   public-repos = mapAttrs make-public-repo {
@@ -36,6 +40,15 @@ let
     xintmap = {};
   };
 
+  restricted-repos = mapAttrs make-restricted-repo (
+    {
+      brain = {
+        collaborators = with users; [ lass makefu ];
+      };
+    } //
+    import /root/src/secrets/repos.nix { inherit config lib pkgs users; }
+  );
+
   # TODO move users to separate module
   users = mapAttrs make-user {
     tv = ../../Zpubkeys/tv_wu.ssh.pub;
@@ -57,6 +70,12 @@ let
     };
   };
 
+  make-restricted-repo = name: { desc ? null, ... }: {
+    inherit name desc;
+    public = false;
+    hooks = {}; # TODO default
+  };
+
   make-rules =
     with git // users;
     repo:
@@ -69,6 +88,11 @@ let
         user = [ lass makefu uriel ];
         repo = [ repo ];
         perm = fetch;
+      } ++
+      optional (length (repo.collaborators or []) > 0) {
+        user = repo.collaborators;
+        repo = [ repo ];
+        perm = fetch;
       };
 
   make-user = name: pubkey-file: {