60 lines
1.7 KiB
Nix
60 lines
1.7 KiB
Nix
{ config, self, pkgs, ... }: {
|
|
|
|
sops.secrets.clan-bot-gitea-token = { };
|
|
sops.secrets.clan-bot-ssh-key = { };
|
|
|
|
systemd.timers.job-flake-update = {
|
|
description = "Time for flake update workflow";
|
|
partOf = [ "job-flake-update.service" ];
|
|
wantedBy = [ "timers.target" ];
|
|
timerConfig = {
|
|
Persistent = true;
|
|
OnCalendar = "daily";
|
|
};
|
|
after = [ "network-online.target" ];
|
|
};
|
|
|
|
# service to for automatic merge bot
|
|
systemd.services.job-flake-update = {
|
|
description = "Automatically update flake inputs for clan-repos";
|
|
after = [ "network-online.target" ];
|
|
environment = {
|
|
# secrets
|
|
GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE";
|
|
CLAN_BOT_SSH_KEY_FILE = "%d/CLAN_BOT_SSH_KEY_FILE";
|
|
|
|
HOME = "/run/job-flake-update";
|
|
|
|
# used by action-checkout
|
|
REPO_DIR = "/run/job-flake-update/repo";
|
|
|
|
# used by git
|
|
GIT_SSH_COMMAND="ssh -i %d/CLAN_BOT_SSH_KEY_FILE -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
|
|
|
|
# prevent these variables from being unset by writePureShellScript
|
|
KEEP_VARS="GIT_SSH_COMMAND GITEA_URL";
|
|
|
|
};
|
|
serviceConfig = {
|
|
LoadCredential = [
|
|
"GITEA_TOKEN_FILE:${config.sops.secrets.clan-bot-gitea-token.path}"
|
|
"CLAN_BOT_SSH_KEY_FILE:${config.sops.secrets.clan-bot-ssh-key.path}"
|
|
];
|
|
DynamicUser = true;
|
|
RuntimeDirectory = "job-flake-update";
|
|
WorkingDirectory = "/run/job-flake-update";
|
|
};
|
|
path = [
|
|
pkgs.tea
|
|
self.packages.${pkgs.system}.job-flake-update
|
|
];
|
|
script = ''
|
|
tea login add \
|
|
--token $(cat $GITEA_TOKEN_FILE) \
|
|
--url https://git.clan.lol
|
|
|
|
job-flake-update
|
|
'';
|
|
};
|
|
}
|