hydra: add updater to flake update regularly

hosts/containers/hydra/default.nix

@@ -1,7 +1,11 @@
 { zentralwerk, config, pkgs, lib, ... }:
 
 {
-  imports = [ ./hydra.nix ./cache.nix ];
+  imports = [
+    ./hydra.nix
+    ./cache.nix
+    ./updater.nix
+  ];
 
   c3d2 = {
     users = {

hosts/containers/hydra/updater.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+{
+  # Build user
+  users.groups.updater = {};
+  users.users.updater = {
+    isSystemUser = true;
+    group = "updater";
+    home = "/var/lib/updater";
+  };
+
+  systemd.tmpfiles.rules = [
+    # needs to be provisioned with ssh privkey
+    "d ${config.users.users.updater.home} 0700 updater ${config.users.users.updater.group} -"
+  ];
+
+  # Build script
+  systemd.services.updater = {
+    wantedBy = [ "multi-user.target" ];
+    path = with pkgs; [ git nixFlakes curl ];
+    script = ''
+      TEMP=$(mktemp -d)
+      cd $TEMP
+
+      git clone --depth=1 --single-branch gitea@gitea.c3d2.de:C3D2/nix-config.git
+      cd nix-config
+      nix flake update
+
+      git config user.email "astro@spaceboyz.net"
+      git config user.name "Astrobot"
+
+      git add flake.lock
+      git commit -m "flake.lock: update"
+      git push -f origin HEAD:flake-update
+    '';
+    serviceConfig = {
+      User = "updater";
+      Group = config.users.users.updater.group;
+      PrivateTmp = true;
+      ProtectSystem = "full";
+    };
+  };
+
+  systemd.timers.updater = {
+    partOf = [ "updater.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = "hourly";
+  };
+}