replace gitlab-ci with dumb Containerfile

.gitlab-ci.yml

@@ -1,55 +0,0 @@
-# Automatic NixOS upgrades (modules/server/system.nix) requires updating
-# flake.lock in the repository periodically. This repository is hosted on
-# Gitea, which doesn't have good support for CI. Instead, the repository is
-# mirrored to GitLab.com, where the following is configured to run on a
-# schedule. The GitLab repository is then mirrored back to Gitea:
-#
-#                      ┌──────────┐
-#                      │ Schedule │
-#                      └────┬─────┘
-#                         Update
-#                       flake.lock
-#                           │
-# ┌─────────┐  Mirror  ┌────▼─────┐
-# │  Gitea  │◄────────►│  GitLab  │
-# └─────────┘          └──────────┘
-#
-# GitLab:
-#   Settings:
-#     Access Tokens:
-#       - "Push Token": read_repository,write_repository, Maintainer
-#     Repository:
-#       Mirroring repositories:
-#          - ssh://git@git.caspervk.net:2222/caspervk/nixos.git, SSH public key authentication
-#     CI/CD:
-#       Variables:
-#         ACCESS_TOKEN: <Push Token>, Protect, Mask
-#   Build:
-#     Pipeline schedules:
-#       - Update flake.nix
-#         23 17 * * MON
-#
-# Gitea:
-#   Settings:
-#     Repository:
-#       Mirror Settings:
-#         - URL: <GitLab repo HTTP URL>
-#           Authorization:
-#             Username: oauth2
-#             Password: <Push Token>
-#             Sync when commits are pushed: Yes
-#     Deploy Keys:
-#       - <"Copy SSH public key" from GitLab>Settings>Repository>Mirroring repositories>
-#         Enable Write Access: Yes
-
-workflow:
-  rules:
-    - if: '$CI_PIPELINE_SOURCE == "schedule"'
-
-Update flake.nix:
-  image: nixos/nix:latest
-  script:
-    - git config user.email "snowflake@caspervk.net"
-    - git config user.name "snowflake"
-    - nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file
-    - git push https://oauth2:$ACCESS_TOKEN@gitlab.com/$CI_PROJECT_PATH HEAD:$CI_COMMIT_BRANCH

Containerfile

@@ -0,0 +1,21 @@
+# Automatic NixOS upgrades (modules/server/system.nix) requires updating
+# flake.lock in the repository periodically. This repository is hosted on
+# Gitea, which doesn't have good support for CI. Instead, this Containerfile
+# is run on a server. This requires a Gitea access token[1] with repository
+# read/write permissions. Note that we must use an account-wide access token to
+# be able to clone through HTTPS (and utilise certificates rather than blindly
+# trusting SSH keys), as repository deploy keys can only be used through
+# SSH. The token should be passed as the GIT_PASSWORD environment variable.
+# [1] https://git.caspervk.net/user/settings/applications
+
+FROM nixos/nix:latest
+
+CMD git clone https://caspervk:$GIT_PASSWORD@git.caspervk.net/caspervk/nixos.git && \
+    cd nixos/ && \
+    git config user.email "snowflake@caspervk.net" && \
+    git config user.name "snowflake" && \
+    nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file && \
+    git push && \
+    cd .. && \
+    rm -rf nixos/ && \
+    sleep 7d  # Run again in a week. Requires `restart: unless-stopped`

modules/server/system.nix

@@ -2,7 +2,7 @@
   # Automatically `nixos-rebuild switch` daily with the latest configuration
   # from git. This overwrites any uncommitted changes in ~/nixos/, which is why
   # it is only enabled on servers. Note that this requires updating flake.lock
-  # in the repository periodically (see .gitlab-ci.yml). Alternatively, at the
+  # in the repository periodically (see Containerfile). Alternatively, at the
   # cost of reproducability, add
   # flags = [ "--recreate-lock-file" "--no-write-lock-file" ]
   # to ignore the repository flake.lock and use the latest input versions.