chore: replace LAN-IP refs with public mirror URLs

Cargo.toml + Cargo.lock now point at https://github.com/Sulkta-Coop/pallas
for the pallas-fork patch entries. External clones from either public
mirror (github.com/Sulkta-Coop or gitlab.com/sulkta) build out of the box
— no LAN access needed.

Sulkta-internal builds short-circuit to LAN gitea via a `git config
url.X.insteadOf` rewrite on each host. Symmetric: covers both github and
gitlab → gitea. Same locked SHA either way; routing is environment-level,
not source-of-truth. See docs/internal-build-rewrites.md.

Dockerfile build-time rewrite also flipped to take public-URL inputs;
uses `gitea.sulkta.lan` instead of the bare LAN IP.

Cargo.lock

@@ -1292,7 +1292,7 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 [[package]]
 name = "pallas-addresses"
 version = "0.32.1"
-source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
+source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
 dependencies = [
  "base58",
  "bech32",
@@ -1307,7 +1307,7 @@ dependencies = [
 [[package]]
 name = "pallas-codec"
 version = "0.32.1"
-source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
+source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
 dependencies = [
  "hex",
  "minicbor",
@@ -1318,7 +1318,7 @@ dependencies = [
 [[package]]
 name = "pallas-crypto"
 version = "0.32.1"
-source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
+source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
 dependencies = [
  "cryptoxide",
  "hex",
@@ -1332,7 +1332,7 @@ dependencies = [
 [[package]]
 name = "pallas-primitives"
 version = "0.32.1"
-source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
+source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
 dependencies = [
  "base58",
  "bech32",
@@ -1347,7 +1347,7 @@ dependencies = [
 [[package]]
 name = "pallas-traverse"
 version = "0.32.1"
-source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
+source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
 dependencies = [
  "hex",
  "itertools",
@@ -1363,7 +1363,7 @@ dependencies = [
 [[package]]
 name = "pallas-txbuilder"
 version = "0.32.1"
-source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
+source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
 dependencies = [
  "hex",
  "pallas-addresses",
@@ -1380,7 +1380,7 @@ dependencies = [
 [[package]]
 name = "pallas-wallet"
 version = "0.32.1"
-source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
+source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d"
 dependencies = [
  "bech32",
  "bip39",

Cargo.toml

@@ -27,7 +27,7 @@ members = [
 version = "0.0.1"
 edition = "2021"
 license-file = "LICENSE"
-repository = "http://192.168.0.5:3001/Sulkta-Coop/aldabra"
+repository = "https://github.com/Sulkta-Coop/aldabra"
 authors = ["Cobb <cobb@sulkta.com>", "Kayos <kayos@sulkta.com>"]
 
 [workspace.dependencies]
@@ -95,16 +95,22 @@ toml = "0.9"
 # rpassword is the standard "tty echo off" prompt crate.
 rpassword = "7"
 
-# Vendored fork of txpipe/pallas with auxiliary_data support added to
-# pallas-txbuilder (upstream had TODO markers we filled in). Patches
-# all pallas-* crates so the version graph resolves consistently
-# against the same commit. PR upstream pending; switch back to
-# crates.io once merged.
+# Vendored fork of txpipe/pallas with auxiliary_data + voting_procedures
+# support added to pallas-txbuilder (upstream had TODO markers we filled
+# in). Patches all pallas-* crates so the version graph resolves
+# consistently against the same commit. PR upstream pending; switch back
+# to crates.io once merged.
+#
+# Source URLs point at the public github mirror so external clones build
+# out of the box. Sulkta-internal builds short-circuit to the LAN gitea
+# via a `git config url.*.insteadOf` rewrite — no network egress, same
+# locked SHA. See `docs/internal-build-rewrites.md` for the one-line
+# config that wires that up on Lucy + crafting-table + dev hosts.
 [patch.crates-io]
-pallas-codec      = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-crypto     = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-primitives = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-traverse   = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-addresses  = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-wallet     = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-txbuilder  = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-codec      = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-crypto     = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-primitives = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-traverse   = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-addresses  = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-wallet     = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-txbuilder  = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }

Dockerfile

@@ -45,14 +45,19 @@ COPY crates ./crates
 # trick above leaves stale build artifacts otherwise.
 RUN find crates -name '*.rs' -exec touch {} +
 
-# Fetch the pallas patch dep via HTTP+PAT at build time. Source URLs
-# stay SSH (Cargo.toml + Cargo.lock) — the rewrite is git-CLI-level
-# only, so no credential gets baked into the lock file or the image.
+# Build-time URL rewrite: route the public github/gitlab pallas URLs
+# (which is what Cargo.toml declares — source-of-truth, portable to
+# external clones) back to the LAN gitea over HTTP+PAT. This is purely
+# a fetch-time short-circuit: no LAN URL or credential is baked into
+# Cargo.lock or the image. The lock file's locked SHA stays identical
+# whether fetched via github, gitlab, or local gitea.
+#
 # Pass `--secret id=git_credentials,src=<file>` where <file> is one
-# line: http://USER:PAT@192.168.0.5:3001
+# line: http://USER:PAT@gitea.sulkta.lan:3001
 RUN --mount=type=secret,id=git_credentials,target=/root/.git-credentials,mode=0400,required=true \
     git config --global credential.helper store && \
-    git config --global url."http://192.168.0.5:3001/".insteadOf "ssh://git@192.168.0.5:23/" && \
+    git config --global url."http://gitea.sulkta.lan:3001/Sulkta-Coop/".insteadOf "https://github.com/Sulkta-Coop/" && \
+    git config --global url."http://gitea.sulkta.lan:3001/Sulkta-Coop/".insteadOf "https://gitlab.com/sulkta/" && \
     cargo build --release --bin aldabra && \
     strip target/release/aldabra
 

docs/internal-build-rewrites.md

@@ -0,0 +1,70 @@
+# Internal build URL rewrites
+
+Aldabra's source declares its pallas-fork dependencies via public github
+URLs (`https://github.com/Sulkta-Coop/pallas`) so that external clones
+build out of the box. Sulkta-internal hosts (Lucy, crafting-table, dev
+containers) short-circuit those fetches to the LAN gitea over SSH using
+git's `url.<base>.insteadOf` rewrite — same locked SHA, no network egress.
+
+The rewrite is **environment-level config**, not source-of-truth. Source
+stays portable; routing is per-host.
+
+## What to add on Sulkta-internal hosts
+
+One block in `~/.gitconfig` (or `git config --global`):
+
+```ini
+[url "ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/"]
+    insteadOf = https://github.com/Sulkta-Coop/
+
+[url "ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/"]
+    insteadOf = https://gitlab.com/sulkta/
+```
+
+Equivalent CLI:
+
+```bash
+git config --global url."ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/".insteadOf "https://github.com/Sulkta-Coop/"
+git config --global --add url."ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/".insteadOf "https://gitlab.com/sulkta/"
+```
+
+(`--add` on the second line because both rewrites share the same
+substitution key — git supports multiple `insteadOf` values per key.)
+
+Symmetric handling: forks from EITHER public mirror (github.com or
+gitlab.com) route back to LAN gitea. External clones get the public path.
+
+## Prereqs
+
+- `gitea.sulkta.lan` resolves to `192.168.0.5` (or whichever IP holds
+  the gitea container). The Sulkta LAN DNS chain provides this — see
+  `lucy-infra/CHANGELOG.md` for the per-host DNS setup.
+- An SSH key registered with a gitea account that has read access to
+  `Sulkta-Coop/pallas`. The build container uses `--mount=type=secret,
+  id=git_credentials` for HTTP+PAT instead — see the Dockerfile.
+
+## Why URLs over hostnames or IPs in source
+
+`Cargo.toml` and `Cargo.lock` get cloned by anyone who forks. Embedding
+LAN IPs there makes the lockfile fail to fetch for everyone outside the
+LAN. Embedding `gitea.sulkta.lan` would have the same problem —
+`.sulkta.lan` is not a public DNS name.
+
+The cleanest decoupling is "source says public URL, environment rewrites
+to wherever the bits actually live." That's what this doc enables.
+
+## Verifying the rewrite is in effect
+
+```bash
+git ls-remote https://github.com/Sulkta-Coop/pallas | head -1
+```
+
+With the rewrite active, you should see git connect to
+`gitea.sulkta.lan:23` (visible with `GIT_SSH_COMMAND='ssh -v' git ...`).
+Without it, traffic goes to github.com.
+
+A `cargo fetch` should report the same locked SHA either way:
+
+```
+8091abd1b45c716453b7360def29311cf4600c0d
+```