authorVincent Ambo <mail@tazj.in>2021-11-13T20·37+0300
committertazjin <mail@tazj.in>2021-11-15T13·28+0000
commitd295ba2a4e82638104cc817cdc5eef4d32042c0f (patch)
treef88e7a2c9eeb44dd390745847105447d9c8410b9 /default.nix
parentac41d89ba5d715918324c49630d0eac8283c4895 (diff)
chore(depot): Restrict access to targets from //corp r/3071
This folder is used for some TVL corp stuff, like the website and
maybe some documents and future projects, that are not under the same
license as the rest of depot.

To avoid accidental licensing issues, access to it is restricted to
other stuff within //corp.

In general, TVL corp projects *should* also be free software and live
outside of //corp - the folder is primarily intended for stuff that is
relevant to the company operations (also for the sake of
transparency).

Change-Id: I15e7e72e82d8ac1c875899f16becd731f64f6b3a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3875
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Diffstat (limited to 'default.nix')
-rw-r--r--default.nix19
1 files changed, 18 insertions, 1 deletions
diff --git a/default.nix b/default.nix
index fcd83d07ad..2327830850 100644
--- a/default.nix
+++ b/default.nix
@@ -59,10 +59,27 @@ let
     ];
   };
 
+  # Disallow access to //corp from other depot parts.
+  corpFilter = restrictFolder {
+    folder = "corp";
+    reason = ''
+      Code under //corp may use incompatible licensing terms with
+      other depot parts and should not be used anywhere else.
+    '';
+
+    exceptions = [
+      # For the same reason as above, whitby is exempt to serve the
+      # corp website.
+      [ "ops" "machines" "whitby" ]
+      [ "ops" "nixos" ]
+      [ "ops" "machines" "all-systems" ]
+    ];
+  };
+
   readDepot = depotArgs: import ./nix/readTree {} {
     args = depotArgs;
     path = ./.;
-    filter = usersFilter;
+    filter = parts: args: corpFilter parts (usersFilter parts args);
     scopedArgs = {
       __findFile = _: _: throw "Do not import from NIX_PATH in the depot!";
     };
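Review bot: The `exceptions` list in `corpFilter` exempts three paths, but its comment justifies only whitby, so `[ "ops" "nixos" ]` and `[ "ops" "machines" "all-systems" ]` have no stated rationale. `restrictFolder` is defined outside this hunk, so whether an entry covers a whole subtree cannot be confirmed here; if it does, `[ "ops" "nixos" ]` is a broad opening in the filter that keeps differently-licensed //corp code out of other targets. I would give each entry its own comment, e.g. `# //ops/nixos: <reason this tree must reference //corp>`, and narrow any exception to the specific target that needs it. The phrase "For the same reason as above" also points at a comment outside the hunk, so restating the reason here would keep it accurate if that other comment changes. The enclosing `let` block starts and ends outside the hunk.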