chore(build): drop URL rewrite layer + remove internal-rewrites doc
GitHub is canonical for aldabra now (per 2026-05-10 architecture call — Gitea is a pull-mirror cache, not a forge we publish to). Build process fetches pallas direct from github.com, no rewrite needed.

- Dockerfile: drop the `--mount=type=secret` git_credentials dance + the url.insteadOf rewrite. cargo fetches pallas straight from github.com/Sulkta-Coop/pallas at the locked SHA. No secret needed.
- docs/internal-build-rewrites.md: removed. The rewrite was the entire reason for the doc, and the rewrite is gone.

Internal builds (Lucy / crafting-table / dev hosts) still hit github.com for pallas, same as external builds. One extra WAN hop per crate, but consistent everywhere and no environment-specific config.
parent bdbb7e0539
commit 8831774fb6
2 changed files with 1 additions and 84 deletions
15
Dockerfile
|
|
@ -45,20 +45,7 @@ COPY crates ./crates
|
|||
# trick above leaves stale build artifacts otherwise.
|
||||
RUN find crates -name '*.rs' -exec touch {} +
|
||||
|
||||
# Build-time URL rewrite: route the public github/gitlab pallas URLs
|
||||
# (which is what Cargo.toml declares — source-of-truth, portable to
|
||||
# external clones) back to the LAN gitea over HTTP+PAT. This is purely
|
||||
# a fetch-time short-circuit: no LAN URL or credential is baked into
|
||||
# Cargo.lock or the image. The lock file's locked SHA stays identical
|
||||
# whether fetched via github, gitlab, or local gitea.
|
||||
#
|
||||
# Pass `--secret id=git_credentials,src=<file>` where <file> is one
|
||||
# line: http://USER:PAT@gitea.sulkta.lan:3001
|
||||
RUN --mount=type=secret,id=git_credentials,target=/root/.git-credentials,mode=0400,required=true \
|
||||
git config --global credential.helper store && \
|
||||
git config --global url."http://gitea.sulkta.lan:3001/Sulkta-Coop/".insteadOf "https://github.com/Sulkta-Coop/" && \
|
||||
git config --global url."http://gitea.sulkta.lan:3001/Sulkta-Coop/".insteadOf "https://gitlab.com/sulkta/" && \
|
||||
cargo build --release --bin aldabra && \
|
||||
RUN cargo build --release --bin aldabra && \
|
||||
strip target/release/aldabra
|
||||
|
||||
FROM debian:bookworm-slim AS runtime
|
||||
|
|
|
|||
|
|
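Review bot: the replacement line `RUN cargo build --release --bin aldabra` does not pass `--locked`, although the commit message relies on cargo fetching pallas "at the locked SHA". With the git dependency now pulled straight from github.com, adding `--locked` makes the build fail if Cargo.lock no longer matches Cargo.toml instead of letting cargo update the lock file during the image build. The deleted comment block was also the only place that explained how this step fetches its dependencies; a one-line comment above the RUN saying it needs egress to github.com and takes no secret would keep that context.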
@ -1,70 +0,0 @@
|
|||
# Internal build URL rewrites
|
||||
|
||||
Aldabra's source declares its pallas-fork dependencies via public github
|
||||
URLs (`https://github.com/Sulkta-Coop/pallas`) so that external clones
|
||||
build out of the box. Sulkta-internal hosts (Lucy, crafting-table, dev
|
||||
containers) short-circuit those fetches to the LAN gitea over SSH using
|
||||
git's `url.<base>.insteadOf` rewrite — same locked SHA, no network egress.
|
||||
|
||||
The rewrite is **environment-level config**, not source-of-truth. Source
|
||||
stays portable; routing is per-host.
|
||||
|
||||
## What to add on Sulkta-internal hosts
|
||||
|
||||
One block in `~/.gitconfig` (or `git config --global`):
|
||||
|
||||
```ini
|
||||
[url "ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/"]
|
||||
insteadOf = https://github.com/Sulkta-Coop/
|
||||
|
||||
[url "ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/"]
|
||||
insteadOf = https://gitlab.com/sulkta/
|
||||
```
|
||||
|
||||
Equivalent CLI:
|
||||
|
||||
```bash
|
||||
git config --global url."ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/".insteadOf "https://github.com/Sulkta-Coop/"
|
||||
git config --global --add url."ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/".insteadOf "https://gitlab.com/sulkta/"
|
||||
```
|
||||
|
||||
(`--add` on the second line because both rewrites share the same
|
||||
substitution key — git supports multiple `insteadOf` values per key.)
|
||||
|
||||
Symmetric handling: forks from EITHER public mirror (github.com or
|
||||
gitlab.com) route back to LAN gitea. External clones get the public path.
|
||||
|
||||
## Prereqs
|
||||
|
||||
- `gitea.sulkta.lan` resolves to `192.168.0.5` (or whichever IP holds
|
||||
the gitea container). The Sulkta LAN DNS chain provides this — see
|
||||
`lucy-infra/CHANGELOG.md` for the per-host DNS setup.
|
||||
- An SSH key registered with a gitea account that has read access to
|
||||
`Sulkta-Coop/pallas`. The build container uses `--mount=type=secret,
|
||||
id=git_credentials` for HTTP+PAT instead — see the Dockerfile.
|
||||
|
||||
## Why URLs over hostnames or IPs in source
|
||||
|
||||
`Cargo.toml` and `Cargo.lock` get cloned by anyone who forks. Embedding
|
||||
LAN IPs there makes the lockfile fail to fetch for everyone outside the
|
||||
LAN. Embedding `gitea.sulkta.lan` would have the same problem —
|
||||
`.sulkta.lan` is not a public DNS name.
|
||||
|
||||
The cleanest decoupling is "source says public URL, environment rewrites
|
||||
to wherever the bits actually live." That's what this doc enables.
|
||||
|
||||
## Verifying the rewrite is in effect
|
||||
|
||||
```bash
|
||||
git ls-remote https://github.com/Sulkta-Coop/pallas | head -1
|
||||
```
|
||||
|
||||
With the rewrite active, you should see git connect to
|
||||
`gitea.sulkta.lan:23` (visible with `GIT_SSH_COMMAND='ssh -v' git ...`).
|
||||
Without it, traffic goes to github.com.
|
||||
|
||||
A `cargo fetch` should report the same locked SHA either way:
|
||||
|
||||
```
|
||||
8091abd1b45c716453b7360def29311cf4600c0d
|
||||
```
|
||||
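Review bot: deleting this doc does not undo what its "What to add on Sulkta-internal hosts" section told people to do, namely put the two `insteadOf` entries in `~/.gitconfig`. Hosts that followed it will keep routing github.com/Sulkta-Coop and gitlab.com/sulkta fetches to `gitea.sulkta.lan:23`, so the commit message's claim that internal builds hit github.com only holds once those entries are removed. Suggest recording the cleanup somewhere that survives this deletion, for example `git config --global --unset-all url."ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/".insteadOf`, followed by the doc's own `git ls-remote https://github.com/Sulkta-Coop/pallas` check to confirm traffic now goes to github.com. The same note should cover retiring the PAT and SSH key listed under Prereqs if nothing else uses them.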