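{ config, pkgs, ... }:

let
  # The account the job runs as; referenced below so the tmpfiles rule and
  # the unit cannot drift apart from the user definition.
  updaterUser = config.users.users.updater;
in
{
  # Build user
  #
  # An unprivileged system account.  Its home directory holds the SSH
  # private key that grants push access to the repository below.  The key
  # is a long-lived credential with write access to the repo; scope it as
  # narrowly as Gitea allows (a per-repository deploy key rather than a
  # personal key) so a compromise of this host cannot push elsewhere.
  users.groups.updater = {};
  users.users.updater = {
    isSystemUser = true;
    group = "updater";
    home = "/var/lib/updater";
  };

  systemd.tmpfiles.rules = [
    # Owner-only directory; it needs to be provisioned out of band with the
    # SSH private key.  ssh also refuses an unknown host non-interactively,
    # so a known_hosts entry for gitea.c3d2.de must either live here as
    # well or be pinned system-wide via `programs.ssh.knownHosts`
    # (presumably already provisioned alongside the key -- verify on the
    # first run).
    "d ${updaterUser.home} 0700 updater ${updaterUser.group} -"
  ];

  # Build script
  #
  # Clones the config repo, bumps every flake input and force-pushes the
  # result as a single commit onto the `flake-update` branch.  The branch is
  # rebuilt from scratch on each run, which is why the push is forced.
  systemd.services.updater = {
    description = "Update flake.lock of C3D2/nix-config and push to flake-update";
    wantedBy = [ "multi-user.target" ];
    # curl is not referenced by the script; left in PATH for compatibility.
    path = with pkgs; [ git nixFlakes curl ];
    # NixOS runs `script` under `bash -e`, so any failing command aborts
    # the run and marks the unit failed.
    script = ''
      TEMP=$(mktemp -d)
      # Remove the checkout even when a later step fails.  PrivateTmp would
      # reclaim it when the unit stops, but do not depend on that.
      trap 'rm -rf -- "$TEMP"' EXIT
      cd -- "$TEMP"

      git clone --depth=1 --single-branch gitea@gitea.c3d2.de:C3D2/nix-config.git
      cd nix-config
      nix flake update

      # Nothing to do when all inputs are already current.  Without this
      # guard `git commit` exits 1 ("nothing to commit") and the unit is
      # reported as failed on every hourly run that finds no update.
      if git diff --quiet -- flake.lock; then
        echo "flake.lock is up to date, nothing to push"
        exit 0
      fi

      git config user.email "astro@spaceboyz.net"
      git config user.name "Astrobot"

      git add flake.lock
      git commit -m "flake.lock: update"
      git push -f origin HEAD:flake-update
    '';
    serviceConfig = {
      User = "updater";
      Group = updaterUser.group;
      PrivateTmp = true;
      ProtectSystem = "full";
      # Additional sandboxing.  The job only needs network access, the nix
      # daemon socket, its own home (which is outside /home, so ProtectHome
      # does not hide it) and a private /tmp.  These settings should not
      # interfere with git, ssh or the nix client; confirm with a manual
      # `systemctl start updater` after deploying and drop an option only if
      # it provably breaks the run.
      ProtectHome = true;
      PrivateDevices = true;
      NoNewPrivileges = true;
      ProtectKernelTunables = true;
      ProtectControlGroups = true;
      RestrictSUIDSGID = true;
    };
  };

  # Fires the service every hour.  `partOf` ties the timer's lifecycle to
  # the service so stopping or restarting updater.service (e.g. during a
  # nixos-rebuild switch) propagates to the timer.
  systemd.timers.updater = {
    description = "Hourly flake.lock update of C3D2/nix-config";
    partOf = [ "updater.service" ];
    wantedBy = [ "timers.target" ];
    timerConfig.OnCalendar = "hourly";
  };
}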