From 54becaa19fcbc11ac709ddaf86e56ee3b736931d Mon Sep 17 00:00:00 2001
From: tv <tv@shackspace.de>
Date: Fri, 24 Jul 2015 19:33:20 +0200
Subject: tv git: add restricted repos

---
 2configs/tv/git-public.nix |  79 ----------------------------------
 2configs/tv/git.nix        | 103 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+), 79 deletions(-)
 delete mode 100644 2configs/tv/git-public.nix
 create mode 100644 2configs/tv/git.nix

(limited to '2configs/tv')

diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix
deleted file mode 100644
index 1bf44e0fc..000000000
--- a/2configs/tv/git-public.nix
+++ /dev/null
@@ -1,79 +0,0 @@
-{ config, lib, pkgs, ... }:
-with import ../../4lib/tv { inherit lib pkgs; };
-let
-
-  out = {
-    krebs.git = {
-      enable = true;
-      root-title = "public repositories at ${config.tv.identity.self.name}";
-      root-desc = "keep calm and engage";
-      inherit repos rules users;
-    };
-  };
-
-  repos = public-repos;
-  rules = concatMap make-rules (attrValues repos);
-
-  public-repos = mapAttrs make-public-repo {
-    cgserver = {};
-    crude-mail-setup = {};
-    dot-xmonad = {};
-    hack = {};
-    load-env = {};
-    make-snapshot = {};
-    mime = {};
-    much = {};
-    nixos-infest = {};
-    nixpkgs = {};
-    painload = {};
-    quipper = {};
-    regfish = {};
-    stockholm = {
-      desc = "take all the computers hostage, they'll love you!";
-    };
-    wai-middleware-time = {};
-    web-routes-wai-custom = {};
-    xintmap = {};
-  };
-
-  # TODO move users to separate module
-  users = mapAttrs make-user {
-    tv = ../../Zpubkeys/tv_wu.ssh.pub;
-    lass = ../../Zpubkeys/lass.ssh.pub;
-    uriel = ../../Zpubkeys/uriel.ssh.pub;
-    makefu = ../../Zpubkeys/makefu.ssh.pub;
-  };
-
-  make-public-repo = name: { desc ? null, ... }: {
-    inherit name desc;
-    public = true;
-    hooks = {
-      post-receive = git.irc-announce {
-        # TODO make nick = config.tv.identity.self.name the default
-        nick = config.tv.identity.self.name;
-        channel = "#retiolum";
-        server = "cd.retiolum";
-      };
-    };
-  };
-
-  make-rules =
-    with git // users;
-    repo:
-      singleton {
-        user = tv;
-        repo = [ repo ];
-        perm = push "refs/*" [ non-fast-forward create delete merge ];
-      } ++
-      optional repo.public {
-        user = [ lass makefu uriel ];
-        repo = [ repo ];
-        perm = fetch;
-      };
-
-  make-user = name: pubkey-file: {
-    inherit name;
-    pubkey = readFile pubkey-file;
-  };
-
-in out
diff --git a/2configs/tv/git.nix b/2configs/tv/git.nix
new file mode 100644
index 000000000..ac1c413c4
--- /dev/null
+++ b/2configs/tv/git.nix
@@ -0,0 +1,103 @@
+{ config, lib, pkgs, ... }:
+with import ../../4lib/tv { inherit lib pkgs; };
+let
+
+  out = {
+    krebs.git = {
+      enable = true;
+      root-title = "public repositories at ${config.tv.identity.self.name}";
+      root-desc = "keep calm and engage";
+      inherit repos rules users;
+    };
+  };
+
+  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
+    public-repos //
+    optionalAttrs config.tv.identity.self.secure restricted-repos
+  );
+
+  rules = concatMap make-rules (attrValues repos);
+
+  public-repos = mapAttrs make-public-repo {
+    cgserver = {};
+    crude-mail-setup = {};
+    dot-xmonad = {};
+    hack = {};
+    load-env = {};
+    make-snapshot = {};
+    mime = {};
+    much = {};
+    nixos-infest = {};
+    nixpkgs = {};
+    painload = {};
+    quipper = {};
+    regfish = {};
+    stockholm = {
+      desc = "take all the computers hostage, they'll love you!";
+    };
+    wai-middleware-time = {};
+    web-routes-wai-custom = {};
+    xintmap = {};
+  };
+
+  restricted-repos = mapAttrs make-restricted-repo (
+    {
+      brain = {
+        collaborators = with users; [ lass makefu ];
+      };
+    } //
+    import /root/src/secrets/repos.nix { inherit config lib pkgs users; }
+  );
+
+  # TODO move users to separate module
+  users = mapAttrs make-user {
+    tv = ../../Zpubkeys/tv_wu.ssh.pub;
+    lass = ../../Zpubkeys/lass.ssh.pub;
+    uriel = ../../Zpubkeys/uriel.ssh.pub;
+    makefu = ../../Zpubkeys/makefu.ssh.pub;
+  };
+
+  make-public-repo = name: { desc ? null, ... }: {
+    inherit name desc;
+    public = true;
+    hooks = {
+      post-receive = git.irc-announce {
+        # TODO make nick = config.tv.identity.self.name the default
+        nick = config.tv.identity.self.name;
+        channel = "#retiolum";
+        server = "cd.retiolum";
+      };
+    };
+  };
+
+  make-restricted-repo = name: { desc ? null, ... }: {
+    inherit name desc;
+    public = false;
+    hooks = {}; # TODO default
+  };
+
+  make-rules =
+    with git // users;
+    repo:
+      singleton {
+        user = tv;
+        repo = [ repo ];
+        perm = push "refs/*" [ non-fast-forward create delete merge ];
+      } ++
+      optional repo.public {
+        user = [ lass makefu uriel ];
+        repo = [ repo ];
+        perm = fetch;
+      } ++
+      optional (length (repo.collaborators or []) > 0) {
+        user = repo.collaborators;
+        repo = [ repo ];
+        perm = fetch;
+      };
+
+  make-user = name: pubkey-file: {
+    inherit name;
+    pubkey = readFile pubkey-file;
+  };
+
+in out
-- 
cgit v1.2.3

[cgit] Unable to lock slot /tmp/cgit/a3000000.lock: No such file or directory (2)