diff --git a/Cargo.lock b/Cargo.lock index d519445..e5e5e43 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1292,7 +1292,7 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" [[package]] name = "pallas-addresses" version = "0.32.1" -source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" +source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" dependencies = [ "base58", "bech32", @@ -1307,7 +1307,7 @@ dependencies = [ [[package]] name = "pallas-codec" version = "0.32.1" -source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" +source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" dependencies = [ "hex", "minicbor", @@ -1318,7 +1318,7 @@ dependencies = [ [[package]] name = "pallas-crypto" version = "0.32.1" -source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" +source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" dependencies = [ "cryptoxide", "hex", @@ -1332,7 +1332,7 @@ dependencies = [ [[package]] name = "pallas-primitives" version = "0.32.1" -source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" +source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" dependencies = [ "base58", "bech32", 
@@ -1347,7 +1347,7 @@ dependencies = [ [[package]] name = "pallas-traverse" version = "0.32.1" -source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" +source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" dependencies = [ "hex", "itertools", @@ -1363,7 +1363,7 @@ dependencies = [ [[package]] name = "pallas-txbuilder" version = "0.32.1" -source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" +source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" dependencies = [ "hex", "pallas-addresses", @@ -1380,7 +1380,7 @@ dependencies = [ [[package]] name = "pallas-wallet" version = "0.32.1" -source = "git+ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" +source = "git+https://github.com/Sulkta-Coop/pallas.git?branch=feat-aux-data#8091abd1b45c716453b7360def29311cf4600c0d" dependencies = [ "bech32", "bip39", diff --git a/Cargo.toml b/Cargo.toml index ae950b0..34d53f4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -27,7 +27,7 @@ members = [ version = "0.0.1" edition = "2021" license-file = "LICENSE" -repository = "http://192.168.0.5:3001/Sulkta-Coop/aldabra" +repository = "https://github.com/Sulkta-Coop/aldabra" authors = ["Cobb ", "Kayos "] [workspace.dependencies] 
@@ -95,16 +95,22 @@ toml = "0.9"
 # rpassword is the standard "tty echo off" prompt crate.
 rpassword = "7"
 
-# Vendored fork of txpipe/pallas with auxiliary_data support added to
-# pallas-txbuilder (upstream had TODO markers we filled in). Patches
-# all pallas-* crates so the version graph resolves consistently
-# against the same commit. PR upstream pending; switch back to
-# crates.io once merged.
+# Vendored fork of txpipe/pallas with auxiliary_data + voting_procedures
+# support added to pallas-txbuilder (upstream had TODO markers we filled
+# in). Patches all pallas-* crates so the version graph resolves
+# consistently against the same commit. PR upstream pending; switch back
+# to crates.io once merged.
+#
+# Source URLs point at the public github mirror so external clones build
+# out of the box. Sulkta-internal builds short-circuit to the LAN gitea
+# via a `git config url.*.insteadOf` rewrite — no network egress, same
+# locked SHA. See `docs/internal-build-rewrites.md` for the one-line
+# config that wires that up on Lucy + crafting-table + dev hosts.
 [patch.crates-io]
-pallas-codec = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-crypto = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-primitives = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-traverse = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-addresses = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-wallet = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-txbuilder = { git = "ssh://git@192.168.0.5:23/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-codec = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-crypto = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-primitives = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-traverse = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-addresses = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-wallet = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-txbuilder = { git = "https://github.com/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
diff --git a/Dockerfile b/Dockerfile
index 5f34cc2..8ffe9fe 100644
--- a/Dockerfile
+++ b/Dockerfile
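Review bot: The seven `[patch.crates-io]` entries still select the fork by `branch = "feat-aux-data"`, a mutable ref, and after this change that ref is served by a public host and, per the new comment, by the LAN gitea through an `insteadOf` rewrite. Only the SHA recorded in Cargo.lock fixes what is actually built, so a `cargo update`, or a build whose lock file is missing or stale, resolves to whatever the branch then points at on whichever mirror answers. Pinning the commit in the manifest removes that dependence, e.g. `pallas-codec = { git = "https://github.com/Sulkta-Coop/pallas.git", rev = "8091abd1b45c716453b7360def29311cf4600c0d" }` for each entry. Cargo accepts only one of `branch`, `tag` or `rev`, so `rev` would replace `branch` and the lock file's `source` lines would be regenerated.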
@@ -45,14 +45,19 @@ COPY crates ./crates
 # trick above leaves stale build artifacts otherwise.
 RUN find crates -name '*.rs' -exec touch {} +
 
-# Fetch the pallas patch dep via HTTP+PAT at build time. Source URLs
-# stay SSH (Cargo.toml + Cargo.lock) — the rewrite is git-CLI-level
-# only, so no credential gets baked into the lock file or the image.
+# Build-time URL rewrite: route the public github/gitlab pallas URLs
+# (which is what Cargo.toml declares — source-of-truth, portable to
+# external clones) back to the LAN gitea over HTTP+PAT. This is purely
+# a fetch-time short-circuit: no LAN URL or credential is baked into
+# Cargo.lock or the image. The lock file's locked SHA stays identical
+# whether fetched via github, gitlab, or local gitea.
+#
 # Pass `--secret id=git_credentials,src=` where is one
-# line: http://USER:PAT@192.168.0.5:3001
+# line: http://USER:PAT@gitea.sulkta.lan:3001
 RUN --mount=type=secret,id=git_credentials,target=/root/.git-credentials,mode=0400,required=true \
 git config --global credential.helper store && \
- git config --global url."http://192.168.0.5:3001/".insteadOf "ssh://git@192.168.0.5:23/" && \
+ git config --global url."http://gitea.sulkta.lan:3001/Sulkta-Coop/".insteadOf "https://github.com/Sulkta-Coop/" && \
+ git config --global url."http://gitea.sulkta.lan:3001/Sulkta-Coop/".insteadOf "https://gitlab.com/sulkta/" && \
 cargo build --release --bin aldabra && \
 strip target/release/aldabra
 
diff --git a/docs/internal-build-rewrites.md b/docs/internal-build-rewrites.md
new file mode 100644
index 0000000..46be730
--- /dev/null
+++ b/docs/internal-build-rewrites.md
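Review bot: The second added `git config --global url."http://gitea.sulkta.lan:3001/Sulkta-Coop/".insteadOf` line sets the same key as the first without `--add`, so git replaces the github.com value with the gitlab.com one and the `https://github.com/Sulkta-Coop/` URLs declared in Cargo.toml are no longer rewritten; the build would then fetch from github.com instead of the LAN gitea. docs/internal-build-rewrites.md in this same commit uses `--add` for exactly this reason, and the line should read `git config --global --add url."http://gitea.sulkta.lan:3001/Sulkta-Coop/".insteadOf "https://gitlab.com/sulkta/" && \`. Separately, the rewrite target is plain `http://`, so the PAT from the mounted credentials file is sent in clear text to whichever host `gitea.sulkta.lan` resolves to at build time; an HTTPS endpoint or a read-only, repository-scoped token would limit that exposure. The `git config --global` writes also persist in this layer's `/root/.gitconfig`, so the comment's claim that no LAN URL is baked into the image holds only if a later stage discards this layer, which the hunk does not show. Adding `--locked` to `cargo build` would make the build fail rather than re-resolve if Cargo.lock ever drifts from the manifest.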
@@ -0,0 +1,70 @@
+# Internal build URL rewrites
+
+Aldabra's source declares its pallas-fork dependencies via public github
+URLs (`https://github.com/Sulkta-Coop/pallas`) so that external clones
+build out of the box. Sulkta-internal hosts (Lucy, crafting-table, dev
+containers) short-circuit those fetches to the LAN gitea over SSH using
+git's `url..insteadOf` rewrite — same locked SHA, no network egress.
+
+The rewrite is **environment-level config**, not source-of-truth. Source
+stays portable; routing is per-host.
+
+## What to add on Sulkta-internal hosts
+
+One block in `~/.gitconfig` (or `git config --global`):
+
+```ini
+[url "ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/"]
+ insteadOf = https://github.com/Sulkta-Coop/
+
+[url "ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/"]
+ insteadOf = https://gitlab.com/sulkta/
+```
+
+Equivalent CLI:
+
+```bash
+git config --global url."ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/".insteadOf "https://github.com/Sulkta-Coop/"
+git config --global --add url."ssh://git@gitea.sulkta.lan:23/Sulkta-Coop/".insteadOf "https://gitlab.com/sulkta/"
+```
+
+(`--add` on the second line because both rewrites share the same
+substitution key — git supports multiple `insteadOf` values per key.)
+
+Symmetric handling: forks from EITHER public mirror (github.com or
+gitlab.com) route back to LAN gitea. External clones get the public path.
+
+## Prereqs
+
+- `gitea.sulkta.lan` resolves to `192.168.0.5` (or whichever IP holds
+ the gitea container). The Sulkta LAN DNS chain provides this — see
+ `lucy-infra/CHANGELOG.md` for the per-host DNS setup.
+- An SSH key registered with a gitea account that has read access to
+ `Sulkta-Coop/pallas`. The build container uses `--mount=type=secret,
+ id=git_credentials` for HTTP+PAT instead — see the Dockerfile.
+
+## Why URLs over hostnames or IPs in source
+
+`Cargo.toml` and `Cargo.lock` get cloned by anyone who forks. Embedding
+LAN IPs there makes the lockfile fail to fetch for everyone outside the
+LAN. Embedding `gitea.sulkta.lan` would have the same problem —
+`.sulkta.lan` is not a public DNS name.
+
+The cleanest decoupling is "source says public URL, environment rewrites
+to wherever the bits actually live." That's what this doc enables.
+
+## Verifying the rewrite is in effect
+
+```bash
+git ls-remote https://github.com/Sulkta-Coop/pallas | head -1
+```
+
+With the rewrite active, you should see git connect to
+`gitea.sulkta.lan:23` (visible with `GIT_SSH_COMMAND='ssh -v' git ...`).
+Without it, traffic goes to github.com.
+
+A `cargo fetch` should report the same locked SHA either way:
+
+```
+8091abd1b45c716453b7360def29311cf4600c0d
+```