diff options
Diffstat (limited to '2configs')
-rw-r--r-- | 2configs/tv/consul-server.nix | 1 | ||||
-rw-r--r-- | 2configs/tv/exim-retiolum.nix | 4 | ||||
-rw-r--r-- | 2configs/tv/git.nix (renamed from 2configs/tv/git-public.nix) | 43 | ||||
-rw-r--r-- | 2configs/tv/identity.nix | 3 |
4 files changed, 31 insertions, 20 deletions
diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix index 1c8dcb884..5d3fd5579 100644 --- a/2configs/tv/consul-server.nix +++ b/2configs/tv/consul-server.nix @@ -1,7 +1,6 @@ { config, ... }: { - imports = [ ../../3modules/tv/consul.nix ]; tv.consul = rec { enable = true; diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix index efab5cf32..851a0c625 100644 --- a/2configs/tv/exim-retiolum.nix +++ b/2configs/tv/exim-retiolum.nix @@ -4,9 +4,9 @@ services.exim = # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration - assert config.tv.retiolum.enable; + assert config.krebs.retiolum.enable; let - # TODO get the hostname from config.tv.retiolum. + # TODO get the hostname from config.krebs.retiolum. retiolumHostname = "${config.networking.hostName}.retiolum"; in { enable = true; diff --git a/2configs/tv/git-public.nix b/2configs/tv/git.nix index 7f2b51308..b7f9983a1 100644 --- a/2configs/tv/git-public.nix +++ b/2configs/tv/git.nix @@ -1,18 +1,22 @@ { config, lib, pkgs, ... }: + with import ../../4lib/tv { inherit lib pkgs; }; let out = { - imports = [ ../../3modules/krebs/git.nix ]; krebs.git = { enable = true; root-title = "public repositories at ${config.tv.identity.self.name}"; root-desc = "keep calm and engage"; - inherit repos rules users; + inherit repos rules; }; }; - repos = public-repos; + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( + public-repos // + optionalAttrs config.tv.identity.self.secure restricted-repos + ); + rules = concatMap make-rules (attrValues repos); public-repos = mapAttrs make-public-repo { @@ -37,13 +41,14 @@ let xintmap = {}; }; - # TODO move users to separate module - users = mapAttrs make-user { - tv = ../../Zpubkeys/tv_wu.ssh.pub; - lass = ../../Zpubkeys/lass.ssh.pub; - uriel = ../../Zpubkeys/uriel.ssh.pub; - makefu = ../../Zpubkeys/makefu.ssh.pub; - }; + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with config.krebs.users; [ lass makefu ]; + }; + } // + import /root/src/secrets/repos.nix { inherit config lib pkgs; } + ); make-public-repo = name: { desc ? null, ... }: { inherit name desc; @@ -58,8 +63,14 @@ let }; }; + make-restricted-repo = name: { desc ? null, ... }: { + inherit name desc; + public = false; + hooks = {}; # TODO default + }; + make-rules = - with git // users; + with git // config.krebs.users; repo: singleton { user = tv; @@ -70,11 +81,11 @@ let user = [ lass makefu uriel ]; repo = [ repo ]; perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; }; - make-user = name: pubkey-file: { - inherit name; - pubkey = readFile pubkey-file; - }; - in out diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix index 44208c956..379d02e45 100644 --- a/2configs/tv/identity.nix +++ b/2configs/tv/identity.nix @@ -1,7 +1,6 @@ { config, ... }: { - imports = [ ../../3modules/tv/identity.nix ]; tv.identity = { enable = true; search = "retiolum"; @@ -99,6 +98,7 @@ ''; }; }; + secure = true; }; rmdir = { cores = 1; @@ -154,6 +154,7 @@ ''; }; }; + secure = true; }; }; }; |