Merge remote-tracking branch 'cd/master'

4 files changed, 31 insertions, 20 deletions

diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix
index 1c8dcb88..5d3fd557 100644
--- a/2configs/tv/consul-server.nix
+++ b/2configs/tv/consul-server.nix
@@ -1,7 +1,6 @@
 { config, ... }:
 
 {
-  imports = [ ../../3modules/tv/consul.nix ];
   tv.consul = rec {
     enable = true;
 
diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix
index efab5cf3..851a0c62 100644
--- a/2configs/tv/exim-retiolum.nix
+++ b/2configs/tv/exim-retiolum.nix
@@ -4,9 +4,9 @@
   services.exim =
     # This configuration makes only sense for retiolum-enabled hosts.
     # TODO modular configuration
-    assert config.tv.retiolum.enable;
+    assert config.krebs.retiolum.enable;
     let
-      # TODO get the hostname from config.tv.retiolum.
+      # TODO get the hostname from config.krebs.retiolum.
       retiolumHostname = "${config.networking.hostName}.retiolum";
     in
       { enable = true;
diff --git a/2configs/tv/git-public.nix b/2configs/tv/git.nix
index 7f2b5130..b7f9983a 100644
--- a/2configs/tv/git-public.nix
+++ b/2configs/tv/git.nix
@@ -1,18 +1,22 @@
 { config, lib, pkgs, ... }:
+
 with import ../../4lib/tv { inherit lib pkgs; };
 let
 
   out = {
-    imports = [ ../../3modules/krebs/git.nix ];
     krebs.git = {
       enable = true;
       root-title = "public repositories at ${config.tv.identity.self.name}";
       root-desc = "keep calm and engage";
-      inherit repos rules users;
+      inherit repos rules;
     };
   };
 
-  repos = public-repos;
+  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
+    public-repos //
+    optionalAttrs config.tv.identity.self.secure restricted-repos
+  );
+
   rules = concatMap make-rules (attrValues repos);
 
   public-repos = mapAttrs make-public-repo {
@@ -37,13 +41,14 @@ let
     xintmap = {};
   };
 
-  # TODO move users to separate module
-  users = mapAttrs make-user {
-    tv = ../../Zpubkeys/tv_wu.ssh.pub;
-    lass = ../../Zpubkeys/lass.ssh.pub;
-    uriel = ../../Zpubkeys/uriel.ssh.pub;
-    makefu = ../../Zpubkeys/makefu.ssh.pub;
-  };
+  restricted-repos = mapAttrs make-restricted-repo (
+    {
+      brain = {
+        collaborators = with config.krebs.users; [ lass makefu ];
+      };
+    } //
+    import /root/src/secrets/repos.nix { inherit config lib pkgs; }
+  );
 
   make-public-repo = name: { desc ? null, ... }: {
     inherit name desc;
@@ -58,8 +63,14 @@ let
     };
   };
 
+  make-restricted-repo = name: { desc ? null, ... }: {
+    inherit name desc;
+    public = false;
+    hooks = {}; # TODO default
+  };
+
   make-rules =
-    with git // users;
+    with git // config.krebs.users;
     repo:
       singleton {
         user = tv;
@@ -70,11 +81,11 @@ let
         user = [ lass makefu uriel ];
         repo = [ repo ];
         perm = fetch;
+      } ++
+      optional (length (repo.collaborators or []) > 0) {
+        user = repo.collaborators;
+        repo = [ repo ];
+        perm = fetch;
       };
 
-  make-user = name: pubkey-file: {
-    inherit name;
-    pubkey = readFile pubkey-file;
-  };
-
 in out
diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix
index 44208c95..379d02e4 100644
--- a/2configs/tv/identity.nix
+++ b/2configs/tv/identity.nix
@@ -1,7 +1,6 @@
 { config, ... }:
 
 {
-  imports = [ ../../3modules/tv/identity.nix ];
   tv.identity = {
     enable = true;
     search = "retiolum";
@@ -99,6 +98,7 @@
             '';
           };
         };
+        secure = true;
       };
       rmdir = {
         cores = 1;
@@ -154,6 +154,7 @@
             '';
           };
         };
+        secure = true;
       };
     };
   };