authortv <tv@shackspace.de>2015-07-24 19:33:20 +0200
committertv <tv@shackspace.de>2015-07-24 19:33:20 +0200
commit54becaa19fcbc11ac709ddaf86e56ee3b736931d (patch)
tree28357f0dd122e02a96424c0707c35cdc2177ca3a /2configs
parentf4309272e2531a136a40d2332d1bfecec16d9a91 (diff)
tv git: add restricted repos
Diffstat (limited to '2configs')
-rw-r--r--2configs/tv/git.nix (renamed from 2configs/tv/git-public.nix)26
1 files changed, 25 insertions, 1 deletions
diff --git a/2configs/tv/git-public.nix b/2configs/tv/git.nix
index 1bf44e0f..ac1c413c 100644
--- a/2configs/tv/git-public.nix
+++ b/2configs/tv/git.nix
@@ -11,7 +11,11 @@ let
};
};
- repos = public-repos;
+ repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
+ public-repos //
+ optionalAttrs config.tv.identity.self.secure restricted-repos
+ );
+
rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo {
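Review bot: The collaborator rule added to `make-rules` (hunk at -69,6) can never fire as far as these hunks show, because `make-restricted-repo` (hunk at -57,6) returns only `name`, `desc`, `public` and `hooks`, and `repos` here strips `collaborators` again before `rules` is built from `attrValues repos`, so `repo.collaborators or []` is always `[]`. This fails closed, but the access list written in `restricted-repos` is silently ignored, which is easy to misread as an enforced policy. I would keep an unstripped set for rule generation and pass `collaborators` through `make-restricted-repo`, as sketched below. The `repo = [ repo ]` entries in `make-rules` would then carry the extra attribute; whether the rule type accepts it is not visible here, so it may need stripping there too. The enclosing `let` and `make-rules` continue outside the hunks.

```nix
# … unchanged: preceding let bindings …
all-repos =
  public-repos //
  optionalAttrs config.tv.identity.self.secure restricted-repos;

# only the exported repo set loses the collaborators attribute
repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;

# rules are derived from the unstripped set so collaborators are visible
rules = concatMap make-rules (attrValues all-repos);

# … unchanged: public-repos, restricted-repos, users …

make-restricted-repo = name: { collaborators ? [], desc ? null, ... }: {
  inherit name collaborators desc;
  # … unchanged: public, hooks …
};
```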
@@ -36,6 +40,15 @@ let
xintmap = {};
};
+ restricted-repos = mapAttrs make-restricted-repo (
+ {
+ brain = {
+ collaborators = with users; [ lass makefu ];
+ };
+ } //
+ import /root/src/secrets/repos.nix { inherit config lib pkgs users; }
+ );
+
# TODO move users to separate module
users = mapAttrs make-user {
tv = ../../Zpubkeys/tv_wu.ssh.pub;
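Review bot: The `import /root/src/secrets/repos.nix` in `restricted-repos` has no comment describing its contract, and two properties of it are easy to miss. Because `//` is right-biased and shallow, an entry named `brain` in that file replaces the inline one wholesale, including its `collaborators` list. The absolute path also ties evaluation to the evaluating host's filesystem; as far as these hunks show it is only forced when `config.tv.identity.self.secure` is true (hunk at -11,7), so a secure host without the file aborts evaluation. The names and descriptions it returns flow into `repos`, so if the git module renders its configuration into the Nix store they are presumably readable by every local user on that host. I would add a comment such as `# evaluated only on secure hosts; returns an attrset of { desc?, collaborators? }; entries override the inline ones`.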
@@ -57,6 +70,12 @@ let
};
};
+ make-restricted-repo = name: { desc ? null, ... }: {
+ inherit name desc;
+ public = false;
+ hooks = {}; # TODO default
+ };
+
make-rules =
with git // users;
repo:
@@ -69,6 +88,11 @@ let
user = [ lass makefu uriel ];
repo = [ repo ];
perm = fetch;
+ } ++
+ optional (length (repo.collaborators or []) > 0) {
+ user = repo.collaborators;
+ repo = [ repo ];
+ perm = fetch;
};
make-user = name: pubkey-file: {
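Review bot: The context rule directly above the new one grants `fetch` to `[ lass makefu uriel ]`, and its opening line is outside this hunk, so it is not visible whether that rule is guarded by `repo.public`. If it is unconditional, every restricted repo becomes readable by that fixed list regardless of `collaborators`, which would defeat the `public = false` set in `make-restricted-repo`. Please confirm the guard, and consider a comment on `make-rules` such as `# restricted repos: only the owner rule and the collaborators rule apply`. `make-rules` starts outside the hunk.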