summaryrefslogtreecommitdiffstats
path: root/2configs
diff options
context:
space:
mode:
Diffstat (limited to '2configs')
-rw-r--r--2configs/tv/consul-server.nix1
-rw-r--r--2configs/tv/exim-retiolum.nix4
-rw-r--r--2configs/tv/git.nix (renamed from 2configs/tv/git-public.nix)43
-rw-r--r--2configs/tv/identity.nix3
4 files changed, 31 insertions, 20 deletions
diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix
index 1c8dcb884..5d3fd5579 100644
--- a/2configs/tv/consul-server.nix
+++ b/2configs/tv/consul-server.nix
@@ -1,7 +1,6 @@
{ config, ... }:
{
- imports = [ ../../3modules/tv/consul.nix ];
tv.consul = rec {
enable = true;
diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix
index efab5cf32..851a0c625 100644
--- a/2configs/tv/exim-retiolum.nix
+++ b/2configs/tv/exim-retiolum.nix
@@ -4,9 +4,9 @@
services.exim =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration
- assert config.tv.retiolum.enable;
+ assert config.krebs.retiolum.enable;
let
- # TODO get the hostname from config.tv.retiolum.
+ # TODO get the hostname from config.krebs.retiolum.
retiolumHostname = "${config.networking.hostName}.retiolum";
in
{ enable = true;
diff --git a/2configs/tv/git-public.nix b/2configs/tv/git.nix
index 7f2b51308..b7f9983a1 100644
--- a/2configs/tv/git-public.nix
+++ b/2configs/tv/git.nix
@@ -1,18 +1,22 @@
{ config, lib, pkgs, ... }:
+
with import ../../4lib/tv { inherit lib pkgs; };
let
out = {
- imports = [ ../../3modules/krebs/git.nix ];
krebs.git = {
enable = true;
root-title = "public repositories at ${config.tv.identity.self.name}";
root-desc = "keep calm and engage";
- inherit repos rules users;
+ inherit repos rules;
};
};
- repos = public-repos;
+ repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
+ public-repos //
+ optionalAttrs config.tv.identity.self.secure restricted-repos
+ );
+
rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo {
@@ -37,13 +41,14 @@ let
xintmap = {};
};
- # TODO move users to separate module
- users = mapAttrs make-user {
- tv = ../../Zpubkeys/tv_wu.ssh.pub;
- lass = ../../Zpubkeys/lass.ssh.pub;
- uriel = ../../Zpubkeys/uriel.ssh.pub;
- makefu = ../../Zpubkeys/makefu.ssh.pub;
- };
+ restricted-repos = mapAttrs make-restricted-repo (
+ {
+ brain = {
+ collaborators = with config.krebs.users; [ lass makefu ];
+ };
+ } //
+ import /root/src/secrets/repos.nix { inherit config lib pkgs; }
+ );
make-public-repo = name: { desc ? null, ... }: {
inherit name desc;
@@ -58,8 +63,14 @@ let
};
};
+ make-restricted-repo = name: { desc ? null, ... }: {
+ inherit name desc;
+ public = false;
+ hooks = {}; # TODO default
+ };
+
make-rules =
- with git // users;
+ with git // config.krebs.users;
repo:
singleton {
user = tv;
@@ -70,11 +81,11 @@ let
user = [ lass makefu uriel ];
repo = [ repo ];
perm = fetch;
+ } ++
+ optional (length (repo.collaborators or []) > 0) {
+ user = repo.collaborators;
+ repo = [ repo ];
+ perm = fetch;
};
- make-user = name: pubkey-file: {
- inherit name;
- pubkey = readFile pubkey-file;
- };
-
in out
diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix
index 44208c956..379d02e45 100644
--- a/2configs/tv/identity.nix
+++ b/2configs/tv/identity.nix
@@ -1,7 +1,6 @@
{ config, ... }:
{
- imports = [ ../../3modules/tv/identity.nix ];
tv.identity = {
enable = true;
search = "retiolum";
@@ -99,6 +98,7 @@
'';
};
};
+ secure = true;
};
rmdir = {
cores = 1;
@@ -154,6 +154,7 @@
'';
};
};
+ secure = true;
};
};
};