91 lines
2.5 KiB
Nix
91 lines
2.5 KiB
Nix
{ config, pkgs, ... }:
|
|
let
|
|
updateCommand = "/run/current-system/sw/bin/systemctl start updater.service";
|
|
in
|
|
{
|
|
# Build user
|
|
users = {
|
|
groups.updater = {};
|
|
users.updater = {
|
|
isSystemUser = true;
|
|
group = "updater";
|
|
home = "/var/lib/updater";
|
|
};
|
|
};
|
|
|
|
systemd = {
|
|
# Timer-triggered service that updates flake.lock and pushes to a branch to be picked up by Hydra.
|
|
services.updater = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
path = with pkgs; [ git nixFlakes curl openssh ];
|
|
script = ''
|
|
git config --global user.email "astro@spaceboyz.net"
|
|
git config --global user.name "Astrobot"
|
|
|
|
TEMP=$(mktemp -d)
|
|
cd $TEMP
|
|
|
|
git clone --depth=1 --single-branch gitea@gitea.c3d2.de:C3D2/nix-config.git
|
|
cd nix-config
|
|
nix flake update --commit-lock-file
|
|
|
|
git push -f origin HEAD:flake-update
|
|
'';
|
|
serviceConfig = {
|
|
User = "updater";
|
|
Group = config.users.users.updater.group;
|
|
PrivateTmp = true;
|
|
ProtectSystem = "full";
|
|
};
|
|
};
|
|
|
|
timers.updater = {
|
|
partOf = [ "updater.service" ];
|
|
wantedBy = [ "timers.target" ];
|
|
# update flake.lock daily at 10am so that systems are freshly
|
|
# built by afternoon
|
|
timerConfig.OnCalendar = "10:00";
|
|
};
|
|
|
|
tmpfiles.rules = [
|
|
# needs to be provisioned with ssh privkey
|
|
"d ${config.users.users.updater.home} 0700 updater ${config.users.users.updater.group} -"
|
|
];
|
|
};
|
|
|
|
# make webhook service accessible thru reverse proxy
|
|
services.nginx
|
|
.virtualHosts."hydra.serv.zentralwerk.org"
|
|
.locations."/hooks/"
|
|
.proxyPass = "http://localhost:9000/hooks/";
|
|
# webhook trigger for gitea
|
|
systemd.services.webhook =
|
|
let
|
|
hooksJson = pkgs.writeText "hooks.json" (builtins.toJSON [ {
|
|
# https://hydra.serv.zentralwerk.org/hooks/updater
|
|
id = "updater";
|
|
execute-command = pkgs.writeShellScript "updater" ''
|
|
# Start updater.service if not already running
|
|
exec /run/wrappers/bin/sudo ${updateCommand}
|
|
'';
|
|
} ]);
|
|
in {
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
ExecStart = "${pkgs.webhook}/bin/webhook -hooks ${hooksJson} -verbose -ip 127.0.0.1";
|
|
User = "updater";
|
|
Group = config.users.users.updater.group;
|
|
PrivateTmp = true;
|
|
ProtectSystem = "full";
|
|
};
|
|
};
|
|
security.sudo.extraRules = [ {
|
|
users = [ "updater" ];
|
|
commands = [ {
|
|
command = updateCommand;
|
|
options = [ "NOPASSWD" ];
|
|
} ];
|
|
} ];
|
|
|
|
}
|