Replace Containerfile with Forgejo Actions

2024-03-29 22:55:01 +01:00 · 2024-03-29 22:55:01 +01:00 · c17fe259c8
parent b829d0ebea
commit c17fe259c8
2 changed files with 32 additions and 22 deletions
--- a/.gitea/workflows/update.yaml
+++ b/.gitea/workflows/update.yaml
@ -0,0 +1,32 @@
+name: Update flake.lock
+
+on:
+  push: # TODO
+  # https://forgejo.org/docs/latest/user/actions/#onschedule
+  schedule:
+    - cron: "23 17 * * 1"
+
+jobs:
+  update:
+    runs-on: docker
+    container:
+      image: docker.io/nixos/nix:2.21.0
+    steps:
+      - name: 
+        run: |
+          # Configure SSH
+          mkdir ~/.ssh/
+          echo "git.caspervk.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvPxSg6XN6znT1T4H0U1lzJBsGY7Uann+TBisWD3Drd" > ~/.ssh/known_hosts
+          echo "${{ secrets.SNOWFLAKE_SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          # Checkout repository
+          git clone git@git.caspervk.net:caspervk/nixos.git
+          cd nixos/
+
+          # Update flake.lock
+          git config user.email "snowflake@caspervk.net"
+          git config user.name "snowflake"
+          nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file
+          git push
+
--- a/22
+++ b/22
@ -1,22 +0,0 @@
-# Automatic NixOS upgrades (modules/server/system.nix) requires updating
-# flake.lock in the repository periodically. This repository is hosted on
-# Gitea, which doesn't have good support for CI. Instead, this Containerfile
-# is run on a server. This requires a Gitea access token[1] with repository
-# read/write permissions. Note that we must use an account-wide access token to
-# be able to clone through HTTPS (and utilise certificates rather than blindly
-# trusting SSH keys), as repository deploy keys can only be used through
-# SSH. The token should be passed as the GIT_PASSWORD environment variable.
-# [1] https://git.caspervk.net/user/settings/applications
-
-FROM nixos/nix:latest
-
-CMD git clone https://caspervk:$GIT_PASSWORD@git.caspervk.net/caspervk/nixos.git && \
-    cd nixos/ && \
-    git config user.email "snowflake@caspervk.net" && \
-    git config user.name "snowflake" && \
-    # store in /dev/shm tmpfs to avoid an ever-growing nix store in the container
-    nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file --store /dev/shm && \
-    git push && \
-    cd .. && \
-    rm -rf nixos/ && \
-    sleep 7d  # Run again in a week. Requires `restart: unless-stopped`