authorVincent Ambo <mail@tazj.in>2021-08-26T17·00+0300
committertazjin <mail@tazj.in>2021-08-26T20·39+0000
commite1f83cc08615ca011fc4a177e831efd1dd49e687 (patch)
tree26a24e358a01ff30a8265df74d6414dc35942176 /default.nix
parent8b851956ad3adab52c0740d6d9353d3900613fe3 (diff)
feat(depot): Disallow access to //users from outside of it r/2793
Code under this depot path is essentially unstable and potentially
unreviewed - this is a good thing (people can play around with cursed
stuff all they want), but we should not make the rest of the
repository depend on any of it.

Any cursed things that are required outside of users can be moved to a
different depot path if people agree with that.

Change-Id: I46a34a0e9662069c01b43d9a653e5545e325e587
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3434
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
Diffstat (limited to 'default.nix')
-rw-r--r--default.nix45
1 files changed, 44 insertions, 1 deletions
diff --git a/default.nix b/default.nix
index d8b9b08b6979..04bf9ace8f73 100644
--- a/default.nix
+++ b/default.nix
@@ -8,13 +8,56 @@ let
   inherit (builtins)
     attrValues
     concatMap
+    elem
+    elemAt
     filter
     ;
 
   # This definition of fix is identical to <nixpkgs>.lib.fix, but the global
   # package set is not available here.
   fix = f: let x = f x; in x;
-  readTree' = import ./nix/readTree {};
+
+  # readTree argument filter to generally disallow access to //users
+  # from other depot parts. Exceptions can be added for specific
+  # (full) paths.
+  depotArgsFilter = args: parts:
+    if (elemAt parts 0) == "users" || elem parts [
+      # whitby is allowed to access //users for two reasons:
+      #
+      # 1. Users host their SSH key sets in //users.
+      # 2. tazjin's website is currently hosted on whitby because
+      #    camden is in storage.
+      #
+      # Due to evaluation order this also affects //ops/nixos.nix.
+      [ "ops" "machines" "whitby" ]
+
+      # TODO(tazjin): Can this one be removed somehow?
+      [ "ops" "nixos" ]
+
+      # //web/bubblegum has examples using //users/sterni, they should
+      # probably be in the user folder instead with a link there.
+      # TODO(sterni): Clean this up.
+      [ "web" "bubblegum" ]
+    ]
+    then args
+    else args // {
+      depot = args.depot // {
+        users = throw ''
+          Access to items from the //users folder is not permitted from
+          other depot paths. Code under //users is not considered stable
+          or dependable in the wider depot context.
+
+          If a project under //users is required by something else,
+          please move it to a different depot path.
+
+          At location: [ ${toString parts} ]
+        '';
+      };
+    };
+
+    readTree' = import ./nix/readTree {
+      argsFilter = depotArgsFilter;
+    };
 
   # To determine build targets, we walk through the depot tree and
   # fetch attributes that were imported by readTree and are buildable.
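Review bot: `depotArgsFilter` only replaces the `users` attribute of the `depot` argument, so it acts as a lint rather than an isolation boundary: anything re-exported by one of the three exempted paths (`ops/machines/whitby`, `ops/nixos`, `web/bubblegum`) still carries //users code to the rest of the depot transitively, and a relative path import would presumably never pass through the filter. The comment above the function should say so, for example `# Note: this only guards the depot.users argument; values exposed by exempted paths and direct path imports are not checked.` Separately, `elemAt parts 0` aborts with an out-of-bounds error if readTree ever calls the filter with an empty `parts` list (readTree is not visible here, so this may not occur in practice); `parts != [] && elemAt parts 0 == "users"` would make that case fall through to the restricted branch instead. The enclosing `let` block starts and ends outside the hunk.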