mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tvl-depot/default.nix
Vincent Ambo d295ba2a4e chore(depot): Restrict access to targets from //corp 
This folder is used for some TVL corp stuff, like the website and
maybe some documents and future projects, that are not under the same
license as the rest of depot.

To avoid accidental licensing issues, access to it is restricted to
other stuff within //corp.

In general, TVL corp projects *should* also be free software and live
outside of //corp - the folder is primarily intended for stuff that is
relevant to the company operations (also for the sake of
transparency).

Change-Id: I15e7e72e82d8ac1c875899f16becd731f64f6b3a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3875
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
2021-11-15 13:28:42 +00:00

160 lines
5.2 KiB
Nix
Raw Blame History

# This file sets up the top-level package set by traversing the package tree
# (see //nix/readTree for details) and constructing a matching attribute set
# tree.
{ nixpkgsBisectPath ? null, ... }@args:
let
inherit (builtins)
attrValues
concatMap
elem
elemAt
filter
;
# This definition of fix is identical to <nixpkgs>.lib.fix, but the global
# package set is not available here.
fix = f: let x = f x; in x;
# Create a readTree filter disallowing access to the specified
# top-level folder in other parts of the depot, except for specific
# exceptions specified by their (full) paths.
restrictFolder = { folder, exceptions ? [], reason }: parts: args:
if (elemAt parts 0) == folder || elem parts exceptions
then args
else args // {
depot = args.depot // {
"${folder}" = throw ''
Access to targets under //${folder} is not permitted from
other depot paths. Specific exceptions are configured at the
top-level.
${reason}
At location: //${builtins.concatStringsSep "/" parts}
'';
};
};
# Disallow access to //users from other depot parts.
usersFilter = restrictFolder {
folder = "users";
reason = ''
Code under //users is not considered stable or dependable in the
wider depot context. If a project under //users is required by
something else, please move it to a different depot path.
'';
exceptions = [
# whitby is allowed to access //users for several reasons:
#
# 1. User SSH keys are set in //users.
# 2. Some personal websites or demo projects are served from it.
[ "ops" "machines" "whitby" ]
# Due to evaluation order this also affects these targets.
# TODO(tazjin): Can this one be removed somehow?
[ "ops" "nixos" ]
[ "ops" "machines" "all-systems" ]
];
};
# Disallow access to //corp from other depot parts.
corpFilter = restrictFolder {
folder = "corp";
reason = ''
Code under //corp may use incompatible licensing terms with
other depot parts and should not be used anywhere else.
'';
exceptions = [
# For the same reason as above, whitby is exempt to serve the
# corp website.
[ "ops" "machines" "whitby" ]
[ "ops" "nixos" ]
[ "ops" "machines" "all-systems" ]
];
};
readDepot = depotArgs: import ./nix/readTree {} {
args = depotArgs;
path = ./.;
filter = parts: args: corpFilter parts (usersFilter parts args);
scopedArgs = {
__findFile = _: _: throw "Do not import from NIX_PATH in the depot!";
};
};
# To determine build targets, we walk through the depot tree and
# fetch attributes that were imported by readTree and are buildable.
#
# Any build target that contains `meta.ci = false` will be skipped.
# Is this tree node eligible for build inclusion?
eligible = node: (node ? outPath) && (node.meta.ci or true);
# Walk the tree starting with 'node', recursively extending the list
# of build targets with anything that looks buildable.
#
# Any tree node can specify logical targets by exporting a
# 'meta.targets' attribute containing a list of keys in itself. This
# enables target specifications that do not exist on disk directly.
gather = node:
if node ? __readTree then
# Include the node itself if it is eligible.
(if eligible node then [ node ] else [])
# Include eligible children of the node
++ concatMap gather (map (attr: node."${attr}") node.__readTreeChildren)
# Include specified sub-targets of the node
++ filter eligible (map
(k: (node."${k}" or {}) // {
# Keep the same tree location, but explicitly mark this
# node as a subtarget.
__readTree = node.__readTree;
__readTreeChildren = [];
__subtarget = k;
})
(node.meta.targets or []))
else [];
in fix(self: (readDepot {
depot = self;
# Pass third_party as 'pkgs' (for compatibility with external
# imports for certain subdirectories)
pkgs = self.third_party.nixpkgs;
# Expose lib attribute to packages.
lib = self.third_party.nixpkgs.lib;
# Pass arguments passed to the entire depot through, for packages
# that would like to add functionality based on this.
#
# Note that it is intended for exceptional circumstance, such as
# debugging by bisecting nixpkgs.
externalArgs = args;
}) // {
# Make the path to the depot available for things that might need it
# (e.g. NixOS module inclusions)
path = self.third_party.nixpkgs.lib.cleanSource ./.;
# List of all buildable targets, for CI purposes.
#
# Note: To prevent infinite recursion, this *must* be a nested
# attribute set (which does not have a __readTree attribute).
ci.targets = gather (self // {
# remove the pipelines themselves from the set over which to
# generate pipelines because that also leads to infinite
# recursion.
ops = self.ops // { pipelines = null; };
# remove nixpkgs from the set, for obvious reasons.
third_party = self.third_party // { nixpkgs = null; };
});
# Derivation that gcroots all depot targets.
ci.gcroot = self.third_party.nixpkgs.symlinkJoin {
name = "depot-gcroot";
paths = self.ci.targets;
};
})
Reference in a new issue View git blame Copy permalink