From 553542071d797a13c9c11686b2d350d56bb1a0a7 Mon Sep 17 00:00:00 2001
From: clerie
Date: Fri, 1 Sep 2023 16:38:34 +0200
Subject: [PATCH] hosts/osmium: deploy nixfiles inputs update script

---
 hosts/osmium/configuration.nix | 2 ++
 hosts/osmium/nixfiles-updated-inputs.nix | 21 ++++++++++++++++++
 .../secrets/nixfiles-updated-inputs-ssh.age | Bin 0 -> 790 bytes
 pkgs/nixfiles/default.nix | 8 ++++---
 pkgs/nixfiles/nixfiles-updated-inputs.sh | 11 ++++++---
 5 files changed, 36 insertions(+), 6 deletions(-)
 create mode 100644 hosts/osmium/nixfiles-updated-inputs.nix
 create mode 100644 hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age

diff --git a/hosts/osmium/configuration.nix b/hosts/osmium/configuration.nix
index dc437dc..592b3e2 100644
--- a/hosts/osmium/configuration.nix
+++ b/hosts/osmium/configuration.nix
@@ -5,6 +5,8 @@
     [
       ./hardware-configuration.nix
       ../../configuration/proxmox-vm
+
+      ./nixfiles-updated-inputs.nix
     ];
 
   boot.loader.grub.enable = true;
diff --git a/hosts/osmium/nixfiles-updated-inputs.nix b/hosts/osmium/nixfiles-updated-inputs.nix
new file mode 100644
index 0000000..cff6766
--- /dev/null
+++ b/hosts/osmium/nixfiles-updated-inputs.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+  systemd.services.nixfiles-updated-inputs = {
+    environment = {
+      GIT_SSH_COMMAND = "ssh -o UserKnownHostsFile=${pkgs.writeText "known_hosts" "git.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHQDwfRlw6L+pkLjXDgW2BUWlY1zNEDtVhNEsClgqaL"} -i %d/nixfiles-updated-inputs-ssh";
+      # nix likes a home directory to place the cache there
+      HOME = "/var/lib/nixfiles-updated-inputs";
+    };
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.nixfiles-updated-inputs + "/bin/nixfiles-updated-inputs";
+      StateDirectory = "nixfiles-updated-inputs";
+      WorkingDirectory = "/var/lib/nixfiles-updated-inputs";
+      DynamicUser = true;
+      # this sets the correct file permissions for the ssh key because we use DynamicUser
+      LoadCredential = "nixfiles-updated-inputs-ssh:${config.age.secrets."nixfiles-updated-inputs-ssh".path}";
+    };
+    startAt = "*-*-* 03:03:00";
+  };
+}
diff --git a/hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age b/hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age
new file mode 100644
index 0000000000000000000000000000000000000000..497a234cd2722427ed23d06b1e6f4cca0940d45f
GIT binary patch
literal 790
zcmV+x1L^!>XJsvAZewzJaCB*JZZ20hhc5-KTGEoXaRa01VQ7>jU zW<)eeXHrcvOg2L?aalo8ICE}uIa5n3VQFz@ zHA^vPAbEB)axryNdTDKGXi_mmVnIVWH)&B;R#Q?i3NS%9 zX)|U~S7s|uK~!x|RdsGLP);v0D|%6KZgN*fb~sLOMs-0pc6BjH3N1b$R4I8!Xi8)) zXL4m>b7df53Q2V|VMQEgQ*c6INH#=aZCO`pPEt{KNeUpZS0N~>x$#%E% zPDeOO+>c#sxaiqzc=~BHWrfu_jE65fDDR%mb+2$QA67Hj?Wkh4O8Z2&K9?GTJqhn0 z+tsE+B@Kx56$s-D%e#AzJK`I9u=JHD+%x#M$orl`ujV}&nxDdTMy%Z-Y(y 833|x#{gF2@E{TfE7lWfMD3O&C=WZuY3D&toY}bgk()1EdLXn=O?T2$QBS2>X8mrx zZvBIRyhzTWKnsBvT}tc*t8XHjLf9XZZ0a2Oq3gjEQH{$Oi6-Rxx7D!C?YWU2Lg;I) Un#?j>jD)tK@0TSXKXHJS>WofMRsaA1
literal 0
HcmV?d00001

diff --git a/pkgs/nixfiles/default.nix b/pkgs/nixfiles/default.nix
index 20353ce..bab538a 100644
--- a/pkgs/nixfiles/default.nix
+++ b/pkgs/nixfiles/default.nix
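Review bot: The `GIT_SSH_COMMAND` line in `environment` pins the server's host key through a read-only known_hosts file but leaves `StrictHostKeyChecking` at its default, so the pin only holds because the non-interactive ssh has nowhere to ask; make the intent explicit and stop ssh from offering any identity other than the loaded credential with `GIT_SSH_COMMAND = "ssh -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes -o UserKnownHostsFile=${pkgs.writeText "known_hosts" "…"} -i %d/nixfiles-updated-inputs-ssh";`. The key passed via `LoadCredential` is what `git push` in the script authenticates with, so it should presumably be a deploy key scoped to this single repository with write access limited to the `updated-inputs` branch; its scope cannot be seen from the diff. A short comment above the line, such as `# host key pinned: ssh must not fall back to prompting or to other keys`, would tell the next reader why the options are there.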
@@ -1,10 +1,12 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
-  name = "nixfiles-updated-inputs.sh";
+  name = "nixfiles-updated-inputs";
   text = builtins.readFile ./nixfiles-updated-inputs.sh;
-  runtimeInputs = [
-    pkgs.git
+  runtimeInputs = with pkgs; [
+    git
+    nix
+    openssh
   ];
 }
diff --git a/pkgs/nixfiles/nixfiles-updated-inputs.sh b/pkgs/nixfiles/nixfiles-updated-inputs.sh
index b8a2806..282cef4 100755
--- a/pkgs/nixfiles/nixfiles-updated-inputs.sh
+++ b/pkgs/nixfiles/nixfiles-updated-inputs.sh
@@ -4,10 +4,15 @@ set -euo pipefail
 NOW="$(date --utc --iso-8601=minutes)"
-git fetch origin master
+git status || git clone gitea@git.clerie.de:clerie/nixfiles.git .
+echo "[!] Download changes"
+git fetch --all
 git checkout updated-inputs
-git merge -s ort -X theirs origin/master -m "Update from master ${NOW}"
+git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" merge -s ort -X theirs origin/master -m "Update from master ${NOW}"
+echo "[!] Update inputs"
 nix flake update
+echo "[!] Commit changes"
 git add flake.lock
-git commit -m "Flake update ${NOW}" || true
+git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" commit -m "Flake update ${NOW}" || true
+echo "[!] Publish"
 git push origin updated-inputs
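Review bot: The kept `git checkout updated-inputs` never resyncs the local branch with the remote, so once a push is rejected or the merge stops under `set -e` (ort with `-X theirs` still halts on modify/delete and similar conflicts) the persistent state directory is left wedged and every nightly run fails the same way; after `git fetch --all` use `git checkout -B updated-inputs origin/updated-inputs` so each run starts from what the remote actually holds. The `|| true` on the new commit line hides every commit failure, not just an empty index; `git diff --cached --quiet || git commit …` keeps the nothing-to-commit case quiet while real errors still abort the script. The author identity is repeated as `-c` flags on two lines; exporting `GIT_AUTHOR_NAME`, `GIT_AUTHOR_EMAIL` and the `GIT_COMMITTER_*` pair once (or setting them in the service's `environment`) would shorten both, a matter of style. The script's shebang and `set -euo pipefail` lie before this hunk and are not shown.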