summary refs log tree commit diff
path: root/fleet/hosts/vityaz/git.nix
blob: 7ef9f9d93a4718b0c6c3e6fafaffd4cde13da2af (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# SPDX-FileCopyrightText: V <v@unfathomable.blue>
# SPDX-FileCopyrightText: edef <edef@unfathomable.blue>
# SPDX-License-Identifier: OSL-3.0

{ lib, pkgs, ... }:

with lib;

{
  # TODO(edef): could we somehow make this use DynamicUser?
  users.users.git = {
    isSystemUser = true;

    group = "git";

    home = "/var/lib/git";
    createHome = true;

    useDefaultShell = true;

    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFovWcdS0vQAJiEvwjEIUOv7eip52oX7rVOEMQDJkSL6 v@january"
      "cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbIBz0zkMCAggWcj1q/MX2j6gq+QGj3F3YXhokOf+6m openpgp:0xAADA9805"
      "cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCvb/7ojfcbKvHIyjnrNUOOgzy44tCkgXY9HLuyFta1jQOE9pFIK19B4dR9bOglPKf145CCL0mSFJNNqmNwwavU2uRn+TQrW+U1dQAk8Gt+gh3O49YE854hwwyMU+xD6bIuUdfxPr+r5al/Ov5Km28ZMlHOs3FoAP0hInK+eAibioxL5rVJOtgicrOVCkGoXEgnuG+LRbOYTwzdClhRUxiPjK8alCbcJQ53AeZHO4G6w9wTr+W5ILCfvW4OmUXCX01sKzaBiQuuFCF6M/H4LlnsPWLMra2twXxkOIhZblwC+lncps9lQaUgiD4koZeOCORvHW00G0L39ilFbbnVcL6Itp/m8RRWm/xRxS4RMnsdV/AhvpRLrhL3lfQ7E2oCeSM36v1S9rdg6a47zcnpL+ahG76Gz39Y7KmVRQciNx7ezbwxj3Q5lZtFykgdfGIAN+bT8ijXMO6m68g60i9Bz4IoMZGkiJGqMYLTxMQ+oRgR3Ro5lbj7E11YBHyeimoBYXYGHMkiuxopQZ7lIj3plxIzhmUlXJBA4jMw9KGHdYaLhaicIYhvQmCTAjrkt2HvxEe6lU8iws2Qv+pB6tAGundN36RVVWAckeQPZ4ZsgDP8V2FfibZ1nsrQ+zBKqaslYMAHs01Cf0Hm0PnCqagf230xaobu0iooNuXx44QKoDnB+w== openpgp:0x803010E7"
    ];

    packages = with pkgs; [
      git
    ];
  };

  users.groups.git = {};

  # TODO(V): Enable the reflog?
  declarative.git.repositories = flip genAttrs (repo: {
    hooks.post-receive = [
      # FIXME(V): There are more than a number of issues with this!
      # - non-generic (we could use $GIT_DIR or such)
      # - requires an explicit remote (we could add this to the config)
      # - only updates trunk (even if other branches were pushed)
      # - has no way to filter specific branches from being published
      # - does not synchronize tags
      (pkgs.writeShellScript "sync-repository" ''
        git push trieste:${repo} trunk
      '')
    ];
  }) [
    # TODO(V): Take the list of public repositories from hosts/trieste/git.nix
    # (or do the inverse)
    # (or put this information in a shared location)
    "ripple"
    "ripple-website"
    "nixos-config"

    # Note: private repositories are currently not configured here.
    # If we find it acceptable to leak their names, they could take advantage of this module as well.
  ];

  # TODO(V): Linting hooks (honestly, these should just go in CI)
  # - reuse lint
  # - check there's a (owner) for every TODO, FIXME, XXX, etc
  # - make sure everything has been run through rustfmt

  # TODO(V): An equivalent of Bors ("Tolby"?) for our workflow
  # (or, at least, a queue of commits that must individually pass CI to get merged)

  # TODO(V): Set up CI
}