From 584bdaf10fcddc85393344f1556b4d207b63ceb6 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Wed, 29 Nov 2023 01:20:43 +0100
Subject: [PATCH] replace gitlab-ci with dumb Containerfile

---
 .gitlab-ci.yml | 55 ---------------------------------------
 Containerfile | 21 +++++++++++++++
 modules/server/system.nix | 2 +-
 3 files changed, 22 insertions(+), 56 deletions(-)
 delete mode 100644 .gitlab-ci.yml
 create mode 100644 Containerfile

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index 5de4e57..0000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-# Automatic NixOS upgrades (modules/server/system.nix) requires updating
-# flake.lock in the repository periodically. This repository is hosted on
-# Gitea, which doesn't have good support for CI. Instead, the repository is
-# mirrored to GitLab.com, where the following is configured to run on a
-# schedule. The GitLab repository is then mirrored back to Gitea:
-#
-# ┌──────────┐
-# │ Schedule │
-# └────┬─────┘
-# Update
-# flake.lock
-# │
-# ┌─────────┐ Mirror ┌────▼─────┐
-# │ Gitea │◄────────►│ GitLab │
-# └─────────┘ └──────────┘
-#
-# GitLab:
-# Settings:
-# Access Tokens:
-# - "Push Token": read_repository,write_repository, Maintainer
-# Repository:
-# Mirroring repositories:
-# - ssh://git@git.caspervk.net:2222/caspervk/nixos.git, SSH public key authentication
-# CI/CD:
-# Variables:
-# ACCESS_TOKEN: , Protect, Mask
-# Build:
-# Pipeline schedules:
-# - Update flake.nix
-# 23 17 * * MON
-#
-# Gitea:
-# Settings:
-# Repository:
-# Mirror Settings:
-# - URL:
-# Authorization:
-# Username: oauth2
-# Password:
-# Sync when commits are pushed: Yes
-# Deploy Keys:
-# - <"Copy SSH public key" from GitLab>Settings>Repository>Mirroring repositories>
-# Enable Write Access: Yes
-workflow:
- rules:
- - if: '$CI_PIPELINE_SOURCE == "schedule"'
-Update flake.nix:
- image: nixos/nix:latest
- script:
- - git config user.email "snowflake@caspervk.net"
- - git config user.name "snowflake"
- - nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file
- - git push https://oauth2:$ACCESS_TOKEN@gitlab.com/$CI_PROJECT_PATH HEAD:$CI_COMMIT_BRANCH
diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..1dd3b33
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,21 @@
+# Automatic NixOS upgrades (modules/server/system.nix) requires updating
+# flake.lock in the repository periodically. This repository is hosted on
+# Gitea, which doesn't have good support for CI. Instead, this Containerfile
+# is run on a server. This requires a Gitea access token[1] with repository
+# read/write permissions. Note that we must use an account-wide access token to
+# be able to clone through HTTPS (and utilise certificates rather than blindly
+# trusting SSH keys), as repository deploy keys can only be used through
+# SSH. The token should be passed as the GIT_PASSWORD environment variable.
+# [1] https://git.caspervk.net/user/settings/applications
+FROM nixos/nix:latest
+CMD git clone https://caspervk:$GIT_PASSWORD@git.caspervk.net/caspervk/nixos.git && \
+ cd nixos/ && \
+ git config user.email "snowflake@caspervk.net" && \
+ git config user.name "snowflake" && \
+ nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file && \
+ git push && \
+ cd .. && \
+ rm -rf nixos/ && \
+ sleep 7d # Run again in a week. Requires `restart: unless-stopped`
diff --git a/modules/server/system.nix b/modules/server/system.nix
index a6d3b32..2308b08 100644
--- a/modules/server/system.nix
+++ b/modules/server/system.nix
@@ -2,7 +2,7 @@
 # Automatically `nixos-rebuild switch` daily with the latest configuration
 # from git. This overwrites any uncommitted changes in ~/nixos/, which is why
 # it is only enabled on servers. Note that this requires updating flake.lock
- # in the repository periodically (see .gitlab-ci.yml). Alternatively, at the
+ # in the repository periodically (see Containerfile). Alternatively, at the
 # cost of reproducability, add
 # flags = [ "--recreate-lock-file" "--no-write-lock-file" ]
 # to ignore the repository flake.lock and use the latest input versions.
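Review bot: The access token is embedded in the clone URL on the `CMD` line (`https://caspervk:$GIT_PASSWORD@...`), so it ends up in the checkout's `.git/config`, in the `git` process arguments, and potentially in the error output git writes to the container log when a clone or push fails. Supplying it through a credential helper keeps the URL itself credential-free, e.g. `git -c credential.helper='!f() { echo "password=$GIT_PASSWORD"; }; f' clone https://caspervk@git.caspervk.net/caspervk/nixos.git`, with the same helper set via `git config credential.helper` inside the checkout so the later `git push` can use it. Separately, because every step is joined with `&&`, a failing `flake update` or `git push` skips both `rm -rf nixos/` and `sleep 7d`; under the `restart: unless-stopped` policy the trailing comment relies on, the container then restarts immediately and retries in a loop against the Gitea server while the checkout holding the token is left in place. Running the update in a subshell so that cleanup and the sleep happen regardless of the outcome removes the retry loop; how a failed update is surfaced to the operator is still left to the container logs. `FROM nixos/nix:latest` is also unpinned, so pinning the image by digest would make the updater itself reproducible.
```dockerfile
CMD ( git -c credential.helper='!f() { echo "password=$GIT_PASSWORD"; }; f' \
        clone https://caspervk@git.caspervk.net/caspervk/nixos.git && \
      cd nixos/ && \
      git config credential.helper '!f() { echo "password=$GIT_PASSWORD"; }; f' && \
      # … unchanged: user.email/user.name config, flake update, git push …
    ); \
    rm -rf nixos/ && \
    sleep 7d # Run again in a week. Requires `restart: unless-stopped`
```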