tvl-depot/ops/modules/josh.nix
Florian Klink e9686f84d9 fix(views/kit): communicate :unsign in the tvl-kit URL directly
Instead of prepending :unsign to all URLs in josh-proxy, and for all
calls to filteredGitPush, explicitly use it only in the filter we use
for the `export-kit` extraStep.

This means, people cloning tvl-kit via

> https://code.tvl.fyi/depot.git:workspace=views/kit.git

now need to update the URL to point to

> https://code.tvl.fyi/depot.git:unsign:workspace=views/kit.git

instead.

git@github.com:tvlfyi/kit.git will keep the same hashes, as it's updated
to export the unsigned workspace view of it.

This is less invasive than dooming every josh workspace to have to strip
signatures.

Change-Id: I6de05182fad4c3695081388c3bbf37306521d255
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8369
Autosubmit: flokli <flokli@flokli.de>
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-03-31 08:46:01 +00:00

33 lines
931 B
Nix

# Configures the public josh instance for serving the depot.
{ config, depot, lib, pkgs, ... }:
let
cfg = config.services.depot.josh;
in
{
options.services.depot.josh = with lib; {
enable = mkEnableOption "Enable josh for serving the depot";
port = mkOption {
description = "Port on which josh should listen";
type = types.int;
default = 5674;
};
};
config = lib.mkIf cfg.enable {
# Run josh for the depot.
systemd.services.josh = {
description = "josh - partial cloning of monorepos";
wantedBy = [ "multi-user.target" ];
path = [ pkgs.git pkgs.bash ];
serviceConfig = {
DynamicUser = true;
StateDirectory = "josh";
Restart = "always";
ExecStart = "${depot.third_party.josh}/bin/josh-proxy --no-background --local /var/lib/josh --port ${toString cfg.port} --remote https://cl.tvl.fyi/ --require-auth";
};
};
};
}