hosts/osmium: deploy nixfiles inputs update script

2023-09-01 16:38:34 +02:00 · 2023-09-01 16:38:34 +02:00 · 553542071d
parent b83055e0af
commit 553542071d
5 changed files with 36 additions and 6 deletions
--- a/hosts/osmium/configuration.nix
+++ b/hosts/osmium/configuration.nix
@ -5,6 +5,8 @@
    [
      ./hardware-configuration.nix
      ../../configuration/proxmox-vm
+
+      ./nixfiles-updated-inputs.nix
    ];

  boot.loader.grub.enable = true;
--- a/hosts/osmium/nixfiles-updated-inputs.nix
+++ b/hosts/osmium/nixfiles-updated-inputs.nix
@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+  systemd.services.nixfiles-updated-inputs = {
+    environment = {
+      GIT_SSH_COMMAND = "ssh -o UserKnownHostsFile=${pkgs.writeText "known_hosts" "git.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHQDwfRlw6L+pkLjXDgW2BUWlY1zNEDtVhNEsClgqaL"} -i %d/nixfiles-updated-inputs-ssh";
+      # nix likes a home directory to place the cache there
+      HOME = "/var/lib/nixfiles-updated-inputs";
+    };
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.nixfiles-updated-inputs + "/bin/nixfiles-updated-inputs";
+      StateDirectory = "nixfiles-updated-inputs";
+      WorkingDirectory = "/var/lib/nixfiles-updated-inputs";
+      DynamicUser = true;
+      # this sets the correct file permissions for the ssh key because we use DynamicUser
+      LoadCredential = "nixfiles-updated-inputs-ssh:${config.age.secrets."nixfiles-updated-inputs-ssh".path}";
+    };
+    startAt = "*-*-* 03:03:00";
+  };
+}
--- a/hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age
+++ b/hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age
--- a/pkgs/nixfiles/default.nix
+++ b/pkgs/nixfiles/default.nix
@ -1,10 +1,12 @@
 { pkgs, ... }:

 pkgs.writeShellApplication {
-  name = "nixfiles-updated-inputs.sh";
+  name = "nixfiles-updated-inputs";
  text = builtins.readFile ./nixfiles-updated-inputs.sh;
-  runtimeInputs = [
-    pkgs.git
+  runtimeInputs = with pkgs; [
+    git
+    nix
+    openssh
  ];
 }

--- a/pkgs/nixfiles/nixfiles-updated-inputs.sh
+++ b/pkgs/nixfiles/nixfiles-updated-inputs.sh
@ -4,10 +4,15 @@ set -euo pipefail

 NOW="$(date --utc --iso-8601=minutes)"

-git fetch origin master
+git status || git clone gitea@git.clerie.de:clerie/nixfiles.git .
+echo "[!] Download changes"
+git fetch --all
 git checkout updated-inputs
-git merge -s ort -X theirs origin/master -m "Update from master ${NOW}"
+git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" merge -s ort -X theirs origin/master -m "Update from master ${NOW}"
+echo "[!] Update inputs"
 nix flake update
+echo "[!] Commit changes"
 git add flake.lock
-git commit -m "Flake update ${NOW}" || true
+git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" commit -m "Flake update ${NOW}" || true
+echo "[!] Publish"
 git push origin updated-inputs