Replace Containerfile with Forgejo Actions
This commit is contained in:
parent
423a636d1f
commit
57040d5a76
2 changed files with 36 additions and 22 deletions
36
.gitea/workflows/update.yaml
Normal file
36
.gitea/workflows/update.yaml
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
name: Update flake.lock
|
||||||
|
|
||||||
|
# PREREQUISITES:
|
||||||
|
# - Generate ssh key: `ssh-keygen -t ed25519 -f snowflake`.
|
||||||
|
# - Add private key to https://git.caspervk.net/caspervk/nixos/settings/actions/secrets as SNOWFLAKE_SSH_PRIVATE_KEY.
|
||||||
|
# - Add public key to https://git.caspervk.net/caspervk/nixos/settings/keys with WRITE access.
|
||||||
|
# - Add public key to https://git.caspervk.net/caspervk/nixos-secrets/settings/keys with READ access.
|
||||||
|
|
||||||
|
on:
|
||||||
|
# https://forgejo.org/docs/latest/user/actions/#onschedule
|
||||||
|
schedule:
|
||||||
|
- cron: "23 17 * * 1"
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
update:
|
||||||
|
runs-on: debian-latest
|
||||||
|
container:
|
||||||
|
image: docker.io/nixos/nix:2.21.0
|
||||||
|
steps:
|
||||||
|
- run: |
|
||||||
|
# Configure SSH
|
||||||
|
mkdir ~/.ssh/
|
||||||
|
echo "git.caspervk.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvPxSg6XN6znT1T4H0U1lzJBsGY7Uann+TBisWD3Drd" > ~/.ssh/known_hosts
|
||||||
|
echo "${{ secrets.SNOWFLAKE_SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
|
||||||
|
chmod 0600 ~/.ssh/id_ed25519
|
||||||
|
|
||||||
|
# Checkout repository
|
||||||
|
git clone git@git.caspervk.net:caspervk/nixos.git
|
||||||
|
cd nixos/
|
||||||
|
|
||||||
|
# Update flake.lock
|
||||||
|
git config user.email "snowflake@caspervk.net"
|
||||||
|
git config user.name "snowflake"
|
||||||
|
nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file
|
||||||
|
git push
|
||||||
|
|
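Review bot: The deploy key reaches the shell by template substitution — `echo "${{ secrets.SNOWFLAKE_SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519` pastes the secret into the script text before the shell sees it, so the step depends on the key containing no characters the shell would interpret; the usual pattern is to hand it over via `env:` and write `"$SNOWFLAKE_SSH_PRIVATE_KEY"` with `printf '%s\n'`, which keeps the secret out of the script body altogether. The key file is also created with the default umask and only afterwards narrowed by `chmod 0600`, and `mkdir ~/.ssh/` leaves the directory at default permissions, so creating the directory with `-m 700` and writing the key under `umask 077` in a subshell removes the window without touching the permissions of the later clone and nix work. Whether a failed `git clone` aborts the step depends on the runner's default shell flags, which the workflow does not set, so an explicit `set -euo pipefail` would make that independent of the runner; the pinned `known_hosts` entry and the tag-pinned `nixos/nix:2.21.0` image are both improvements over the removed Containerfile.
```yaml
      - env:
          SNOWFLAKE_SSH_PRIVATE_KEY: ${{ secrets.SNOWFLAKE_SSH_PRIVATE_KEY }}
        run: |
          set -euo pipefail

          # Configure SSH
          mkdir -m 700 ~/.ssh/
          # … unchanged: known_hosts pin for git.caspervk.net …
          (umask 077 && printf '%s\n' "$SNOWFLAKE_SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519)
          # … unchanged: checkout repository, update flake.lock, git push …
```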
|
@ -1,22 +0,0 @@
|
||||||
# Automatic NixOS upgrades (modules/server/system.nix) requires updating
|
|
||||||
# flake.lock in the repository periodically. This repository is hosted on
|
|
||||||
# Gitea, which doesn't have good support for CI. Instead, this Containerfile
|
|
||||||
# is run on a server. This requires a Gitea access token[1] with repository
|
|
||||||
# read/write permissions. Note that we must use an account-wide access token to
|
|
||||||
# be able to clone through HTTPS (and utilise certificates rather than blindly
|
|
||||||
# trusting SSH keys), as repository deploy keys can only be used through
|
|
||||||
# SSH. The token should be passed as the GIT_PASSWORD environment variable.
|
|
||||||
# [1] https://git.caspervk.net/user/settings/applications
|
|
||||||
|
|
||||||
FROM nixos/nix:latest
|
|
||||||
|
|
||||||
CMD git clone https://caspervk:$GIT_PASSWORD@git.caspervk.net/caspervk/nixos.git && \
|
|
||||||
cd nixos/ && \
|
|
||||||
git config user.email "snowflake@caspervk.net" && \
|
|
||||||
git config user.name "snowflake" && \
|
|
||||||
# store in /dev/shm tmpfs to avoid an ever-growing nix store in the container
|
|
||||||
nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file --store /dev/shm && \
|
|
||||||
git push && \
|
|
||||||
cd .. && \
|
|
||||||
rm -rf nixos/ && \
|
|
||||||
sleep 7d # Run again in a week. Requires `restart: unless-stopped`
|
|