diff --git a/Dockerfile b/Dockerfile index 8ffe9fe..ed8ac85 100644 --- a/Dockerfile +++ b/Dockerfile @@ -45,20 +45,7 @@ COPY crates ./crates # trick above leaves stale build artifacts otherwise. RUN find crates -name '*.rs' -exec touch {} + -# Build-time URL rewrite: route the public github/gitlab pallas URLs -# (which is what Cargo.toml declares — source-of-truth, portable to -# external clones) back to the LAN gitea over HTTP+PAT. This is purely -# a fetch-time short-circuit: no LAN URL or credential is baked into -# Cargo.lock or the image. The lock file's locked SHA stays identical -# whether fetched via github, gitlab, or local gitea. -# -# Pass `--secret id=git_credentials,src=` where is one -# line: http://USER:PAT@gitea.sulkta.lan:3001 -RUN --mount=type=secret,id=git_credentials,target=/root/.git-credentials,mode=0400,required=true \ - git config --global credential.helper store && \ - git config --global url."http://gitea.sulkta.lan:3001/Sulkta-Coop/".insteadOf "https://github.com/Sulkta-Coop/" && \ - git config --global url."http://gitea.sulkta.lan:3001/Sulkta-Coop/".insteadOf "https://gitlab.com/sulkta/" && \ - cargo build --release --bin aldabra && \ +RUN cargo build --release --bin aldabra && \ strip target/release/aldabra FROM debian:bookworm-slim AS runtime diff --git a/docs/internal-build-rewrites.md b/docs/internal-build-rewrites.md deleted file mode 100644 index 46be730..0000000 --- a/docs/internal-build-rewrites.md +++ /dev/null 
@@ -1,70 +0,0 @@ -# Internal build URL rewrites - -Aldabra's source declares its pallas-fork dependencies via public github -URLs (`https://github.com/Sulkta-Coop/pallas`) so that external clones -build out of the box. Sulkta-internal hosts (Lucy, crafting-table, dev -containers) short-circuit those fetches to the LAN gitea over SSH using -git's `url..insteadOf` rewrite — same locked SHA, no network egress. - -The rewrite is **environment-level config**, not source-of-truth. Source -stays portable; routing is per-host. - -## What to add on Sulkta-internal hosts - -One block in `~/.gitconfig` (or `git config --global`): - -```ini -[url "ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/"] - insteadOf = https://github.com/Sulkta-Coop/ - -[url "ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/"] - insteadOf = https://gitlab.com/sulkta/ -``` - -Equivalent CLI: - -```bash -git config --global url."ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/".insteadOf "https://github.com/Sulkta-Coop/" -git config --global --add url."ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/".insteadOf "https://gitlab.com/sulkta/" -``` - -(`--add` on the second line because both rewrites share the same -substitution key — git supports multiple `insteadOf` values per key.) - -Symmetric handling: forks from EITHER public mirror (github.com or -gitlab.com) route back to LAN gitea. External clones get the public path. - -## Prereqs - -- `gitea.sulkta.lan` resolves to `192.168.0.5` (or whichever IP holds - the gitea container). The Sulkta LAN DNS chain provides this — see - `lucy-infra/CHANGELOG.md` for the per-host DNS setup. -- An SSH key registered with a gitea account that has read access to - `Sulkta-Coop/pallas`. The build container uses `--mount=type=secret, - id=git_credentials` for HTTP+PAT instead — see the Dockerfile. - -## Why URLs over hostnames or IPs in source - -`Cargo.toml` and `Cargo.lock` get cloned by anyone who forks. 
Embedding -LAN IPs there makes the lockfile fail to fetch for everyone outside the -LAN. Embedding `gitea.sulkta.lan` would have the same problem — -`.sulkta.lan` is not a public DNS name. - -The cleanest decoupling is "source says public URL, environment rewrites -to wherever the bits actually live." That's what this doc enables. - -## Verifying the rewrite is in effect - -```bash -git ls-remote https://github.com/Sulkta-Coop/pallas | head -1 -``` - -With the rewrite active, you should see git connect to -`gitea.sulkta.lan:23` (visible with `GIT_SSH_COMMAND='ssh -v' git ...`). -Without it, traffic goes to github.com. - -A `cargo fetch` should report the same locked SHA either way: - -``` -8091abd1b45c716453b7360def29311cf4600c0d -```
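Review bot: In the Dockerfile hunk, the new `RUN cargo build --release --bin aldabra && \` line runs without `--locked`, so nothing in the build enforces the property the removed comment relied on ("The lock file's locked SHA stays identical whether fetched via github, gitlab, or local gitea"). With the rewrite gone, the pallas fork is fetched from the public URL that Cargo.toml declares. Consider `cargo build --locked --release --bin aldabra`, so the image build fails rather than silently re-resolving if Cargo.lock and Cargo.toml disagree. The hunk also deletes the whole explanatory comment without replacement. A one-line comment saying that dependencies now come from the public mirror, and that the build needs outbound network access and no `git_credentials` secret, would save the next reader from hunting through history. Callers that still pass `--secret id=git_credentials,...` should be cleaned up in the same change, so that the PAT is no longer handed to a build that does not use it.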
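Review bot: Deleting docs/internal-build-rewrites.md removes the only record of the host-level `insteadOf` entries it told operators to add to `~/.gitconfig`, and nothing in this patch says whether those entries should stay or go. If the intent is to stop routing through the LAN gitea, hosts that followed the doc will keep rewriting `https://github.com/Sulkta-Coop/` and `https://gitlab.com/sulkta/` to `ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/` with no visible sign of it. Both values share one key, so the cleanup is `git config --global --unset-all url."ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/".insteadOf`, and that belongs in the commit message or a changelog entry. If the host-level rewrite is meant to stay, keep the doc and drop only the Prereqs sentence that points at the Dockerfile's `--mount=type=secret, id=git_credentials`. In either case, the "Verifying the rewrite is in effect" section, with its `git ls-remote` check and the expected locked SHA, is the one place a reader could confirm which remote a fetch really uses, so it is worth preserving somewhere.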