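{ config, pkgs, ... }:

let
  # Identity stamped on the lock-file commit, and the remote it is pushed to.
  gitUserEmail = "astro@spaceboyz.net";
  gitUserName = "Astrobot";
  repo = "gitea@gitea.c3d2.de:C3D2/nix-config.git";
  # Branch Hydra picks up. It is force-pushed on every run, so it only ever
  # holds the latest update and is not a place for hand-made commits.
  targetBranch = "flake-update";
  updater = config.users.users.updater;
in
{
  # Build user: unprivileged system account the timer job runs as.
  users.groups.updater = {};
  users.users.updater = {
    isSystemUser = true;
    group = "updater";
    home = "/var/lib/updater";
  };

  systemd.tmpfiles.rules = [
    # needs to be provisioned with ssh privkey (presumably together with a
    # known_hosts entry for the remote, otherwise the clone below cannot
    # verify the host). The key lives here, hence owner-only 0700.
    "d ${updater.home} 0700 updater ${updater.group} -"
  ];

  # Timer-triggered service that updates flake.lock and pushes to a
  # branch to be picked up by Hydra.
  systemd.services.updater = {
    # NOTE(review): multi-user.target also starts this once at boot, in
    # addition to the daily timer; drop this line if a boot-time run is
    # not wanted.
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ git nixFlakes curl ];
    # NixOS runs `script` with the shell's -e flag, so a failing clone or
    # update aborts before anything is pushed.
    script = ''
      git config --global user.email "${gitUserEmail}"
      git config --global user.name "${gitUserName}"

      # With PrivateTmp below this is a per-service /tmp that systemd
      # discards when the service exits, so no explicit cleanup is needed.
      TEMP=$(mktemp -d)
      cd "$TEMP"

      git clone --depth=1 --single-branch ${repo}
      cd nix-config
      nix flake update --commit-lock-file

      git push -f origin HEAD:${targetBranch}
    '';
    serviceConfig = {
      User = "updater";
      Group = updater.group;
      PrivateTmp = true;
      ProtectSystem = "full";
      # The job only needs git/nix/curl as an unprivileged user: forbid
      # privilege escalation and hide kernel tunables and cgroups from it.
      NoNewPrivileges = true;
      ProtectKernelTunables = true;
      ProtectControlGroups = true;
    };
  };

  systemd.timers.updater = {
    partOf = [ "updater.service" ];
    wantedBy = [ "timers.target" ];
    # update flake.lock daily at 10am so that systems are freshly
    # built by afternoon
    timerConfig.OnCalendar = "10:00";
  };
}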