diff --git a/flake-parts/job-flake-update/default.nix b/flake-parts/job-flake-update/default.nix
index 33029ab..4e0717e 100644
--- a/flake-parts/job-flake-update/default.nix
+++ b/flake-parts/job-flake-update/default.nix
@@ -13,8 +13,9 @@
 pkgs.bash
 pkgs.coreutils
 self'.packages.action-checkout
- self'.packages.action-flake-update
+ self'.packages.action-ensure-tea-login
 self'.packages.action-create-pr
+ self'.packages.action-flake-update
 ]
 ''
 bash ${./script.sh}
diff --git a/flake-parts/job-flake-update/script.sh b/flake-parts/job-flake-update/script.sh
index 70535cf..bc4a570 100644
--- a/flake-parts/job-flake-update/script.sh
+++ b/flake-parts/job-flake-update/script.sh
@@ -2,15 +2,22 @@
 set -euo pipefail
 # prevent these variables from being unset by writePureShellScript
-export KEEP_VARS="GIT_AUTHOR_NAME GIT_COMMITTER_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_EMAIL PR_TITLE REMOTE_BRANCH REPO REPO_DIR"
+export KEEP_VARS="GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL GITEA_URL GITEA_USER PR_TITLE REMOTE_BRANCH REPO REPO_DIR${KEEP_VARS:+ $KEEP_VARS}"
 # configure variables for actions
 export PR_TITLE="Automatic flake update - $(date --iso-8601=minutes)"
 export REMOTE_BRANCH="flake-update-$(date --iso-8601)"
-export REPO="https://git.clan.lol/clan/clan-infra"
+export REPO="gitea@git.clan.lol:clan/clan-infra.git"
 export REPO_DIR=$TMPDIR/repo
+export GIT_AUTHOR_NAME="Clan Merge Bot"
+export GIT_AUTHOR_EMAIL="clan-bot@git.clan.lol"
+export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
+export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_NAME"
+export GITEA_USER="clan-bot"
+export GITEA_URL="https://git.clan.lol"
 action-checkout
 cd $REPO_DIR
+action-ensure-tea-login
 action-flake-update
-action-create-pr
+action-create-pr --assignees clan-bot
diff --git a/modules/web01/job-flake-update.nix b/modules/web01/job-flake-update.nix
index 99311b7..3483385 100644
--- a/modules/web01/job-flake-update.nix
+++ b/modules/web01/job-flake-update.nix
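Review bot: `export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_NAME"` in the new export block of script.sh copies the author's display name into the committer e-mail, so every commit the bot creates will carry `Clan Merge Bot` as its committer address; it should read `export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"`. The `cd $REPO_DIR` line the hunk keeps is still unquoted; `cd -- "$REPO_DIR"` costs nothing now that the script sets the value itself. The `REPO_DIR` that modules/web01/job-flake-update.nix places in the unit environment in this same commit appears to be shadowed by `export REPO_DIR=$TMPDIR/repo` here, so one of the two is dead — a comment saying which is authoritative would avoid the next reader chasing it.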
@@ -1,6 +1,7 @@
 { config, self, pkgs, ... }: {
- sops.secrets.merge-bot-gitea-token = { };
+ sops.secrets.clan-bot-gitea-token = { };
+ sops.secrets.clan-bot-ssh-key = { };
 systemd.timers.job-flake-update = {
 description = "Time for flake update workflow";
@@ -18,28 +19,30 @@
 description = "Automatically update flake inputs for clan-repos";
 after = [ "network-online.target" ];
 environment = {
+ # secrets
 GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE";
- # these ariables are repescted by git itself
- GIT_AUTHOR_NAME = "Clan Merge Bot";
- GIT_COMMITTER_NAME = "Clan Merge Bot";
- GIT_AUTHOR_EMAIL = "clan-bot@git.clan.lol";
- GIT_COMMITTER_EMAIL = "clan-bot@git.clan.lol";
+ CLAN_BOT_SSH_KEY_FILE = "%d/CLAN_BOT_SSH_KEY_FILE";
+
+ HOME = "/run/job-flake-update";
+
+ # used by action-checkout
+ REPO_DIR = "/run/job-flake-update/repo";
+
+ # used by git
+ GIT_SSH_COMMAND = "ssh -i %d/CLAN_BOT_SSH_KEY_FILE -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
+
+ # prevent these variables from being unset by writePureShellScript
+ KEEP_VARS = "GIT_SSH_COMMAND GITEA_TOKEN_FILE";
 };
 serviceConfig = {
- LoadCredential = [ "GITEA_TOKEN_FILE:${config.sops.secrets.merge-bot-gitea-token.path}" ];
+ LoadCredential = [
+ "GITEA_TOKEN_FILE:${config.sops.secrets.clan-bot-gitea-token.path}"
+ "CLAN_BOT_SSH_KEY_FILE:${config.sops.secrets.clan-bot-ssh-key.path}"
+ ];
 DynamicUser = true;
 RuntimeDirectory = "job-flake-update";
+ WorkingDirectory = "/run/job-flake-update";
+ ExecStart = "${self.packages.${pkgs.system}.job-flake-update}/bin/job-flake-update";
 };
- path = [
- self.packages.${pkgs.system}.job-flake-update
- self.packages.${pkgs.system}.job-flake-update
- ];
- script = ''
- cd /run/job-flake-update
- mkdir -p home
- export HOME=$(realpath home)
- export REPO_DIR=$HOME/repo
- job-flake-update
- '';
 };
 }
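Review bot: The new `GIT_SSH_COMMAND` in the `environment` block turns off SSH host-key verification (`StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null`), so the bot will authenticate to and push its flake-update branch at whatever host answers as git.clan.lol, and a substituted or tampered checkout would go unnoticed. The remote is a single fixed host, so pin its key instead: declare `programs.ssh.knownHosts."git.clan.lol".publicKey = "<git.clan.lol host key — placeholder>";` in this module and shorten the option to `GIT_SSH_COMMAND = "ssh -i %d/CLAN_BOT_SSH_KEY_FILE -o IdentitiesOnly=yes";`. The comment `# used by action-checkout` above `REPO_DIR` looks stale, since script.sh in this same commit overrides it with `export REPO_DIR=$TMPDIR/repo`; either drop the variable here or document why both exist. The enclosing `systemd.services` attribute set starts before this hunk.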