57040d5a76
...
9299efcd96
Author | SHA1 | Date | |
---|---|---|---|
9299efcd96 | |||
b829d0ebea |
5 changed files with 84 additions and 29 deletions
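--- a/.gitea/workflows/update.yaml
+++ b/.gitea/workflows/update.yaml
@@ -0,0 +1,36 @@
+name: Update flake.lock
+
+# PREREQUISITES:
+# - Generate ssh key: `ssh-keygen -t ed25519 -f snowflake`.
+# - Add private key to https://git.caspervk.net/caspervk/nixos/settings/actions/secrets as SNOWFLAKE_SSH_PRIVATE_KEY.
+# - Add public key to https://git.caspervk.net/caspervk/nixos/settings/keys with WRITE access.
+# - Add public key to https://git.caspervk.net/caspervk/nixos-secrets/settings/keys with READ access.
+
+on:
+# https://forgejo.org/docs/latest/user/actions/#onschedule
+schedule:
+- cron: "23 17 * * 1"
+
+jobs:
+update:
+runs-on: debian-latest
+container:
+image: docker.io/nixos/nix:2.21.0
+steps:
+- run: |
+# Configure SSH
+mkdir ~/.ssh/
+echo "git.caspervk.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvPxSg6XN6znT1T4H0U1lzJBsGY7Uann+TBisWD3Drd" > ~/.ssh/known_hosts
+echo "${{ secrets.SNOWFLAKE_SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
+chmod 0600 ~/.ssh/id_ed25519
+
+# Checkout repository
+git clone git@git.caspervk.net:caspervk/nixos.git
+cd nixos/
+
+# Update flake.lock
+git config user.email "snowflake@caspervk.net"
+git config user.name "snowflake"
+nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file
+git push
+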
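Review bot: The private key on the `echo "${{ secrets.SNOWFLAKE_SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519` line is spliced into the script body by the expression engine, so the key becomes part of the job's command text (and of anything that logs or echoes that text), and it is written with the container's default umask before the `chmod 0600` on the following line tightens it. Pass the secret through the environment and create the file restrictively from the start: add `env: { SSH_KEY: "${{ secrets.SNOWFLAKE_SSH_PRIVATE_KEY }}" }` to the step and replace the mkdir/echo/chmod trio with `(umask 077; mkdir -p ~/.ssh; printf '%s\n' "$SSH_KEY" > ~/.ssh/id_ed25519)`. Pinning the server host key in `known_hosts` is the right choice over `StrictHostKeyChecking=no`; a one-line comment such as `# Host key obtained via ssh-keyscan -t ed25519 git.caspervk.net and verified out of band` would let the next maintainer re-check it when the server is rebuilt. Note also that `runs-on: debian-latest` does not match any label registered by the runner in this commit (`nixos-latest`), so unless another runner advertises that label the scheduled job will never be claimed.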
@ -1,22 +0,0 @@
|
|||
# Automatic NixOS upgrades (modules/server/system.nix) requires updating
|
||||
# flake.lock in the repository periodically. This repository is hosted on
|
||||
# Gitea, which doesn't have good support for CI. Instead, this Containerfile
|
||||
# is run on a server. This requires a Gitea access token[1] with repository
|
||||
# read/write permissions. Note that we must use an account-wide access token to
|
||||
# be able to clone through HTTPS (and utilise certificates rather than blindly
|
||||
# trusting SSH keys), as repository deploy keys can only be used through
|
||||
# SSH. The token should be passed as the GIT_PASSWORD environment variable.
|
||||
# [1] https://git.caspervk.net/user/settings/applications
|
||||
|
||||
FROM nixos/nix:latest
|
||||
|
||||
CMD git clone https://caspervk:$GIT_PASSWORD@git.caspervk.net/caspervk/nixos.git && \
|
||||
cd nixos/ && \
|
||||
git config user.email "snowflake@caspervk.net" && \
|
||||
git config user.name "snowflake" && \
|
||||
# store in /dev/shm tmpfs to avoid an ever-growing nix store in the container
|
||||
nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file --store /dev/shm && \
|
||||
git push && \
|
||||
cd .. && \
|
||||
rm -rf nixos/ && \
|
||||
sleep 7d # Run again in a week. Requires `restart: unless-stopped`
|
14
flake.lock
14
flake.lock
|
@ -120,11 +120,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1711460390,
|
||||
"narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
|
||||
"lastModified": 1711668574,
|
||||
"narHash": "sha256-u1dfs0ASQIEr1icTVrsKwg2xToIpn7ZXxW3RHfHxshg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
|
||||
"rev": "219951b495fc2eac67b1456824cc1ec1fd2ee659",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -165,11 +165,11 @@
|
|||
},
|
||||
"secrets": {
|
||||
"locked": {
|
||||
"lastModified": 1711743434,
|
||||
"narHash": "sha256-fqeuUwSNBeWL4pSDsqIehH6Mgl3J8ZmEGPhmdD1gufo=",
|
||||
"lastModified": 1711747594,
|
||||
"narHash": "sha256-k8Ew/EDpcLJKs285SqEldFbiKSf9rsHz/g0btv8zFM8=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "c79b0434590226446576f6b19d474cb9e41dc6b2",
|
||||
"revCount": 6,
|
||||
"rev": "110dae44d26b6d973922b804213446d1c0165486",
|
||||
"revCount": 7,
|
||||
"type": "git",
|
||||
"url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
|
||||
},
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
../../modules/server
|
||||
./hardware.nix
|
||||
#./borg.nix
|
||||
./gitea.nix
|
||||
./network.nix
|
||||
];
|
||||
|
||||
|
|
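--- a/hosts/sigma/gitea.nix
+++ b/hosts/sigma/gitea.nix
@@ -0,0 +1,40 @@
+{
+config,
+pkgs,
+secrets,
+...
+}: {
+# https://forgejo.org/docs/latest/admin/actions/
+services.gitea-actions-runner = {
+package = pkgs.gitea-actions-runner; # TODO: forgejo
+instances."default" = {
+enable = true;
+name = "default";
+url = "https://git.caspervk.net";
+# From https://git.caspervk.net/admin/actions/runners/
+tokenFile = config.age.secrets.gitea-actions-runner-token-file.path;
+# The Forgejo runner relies on application containers (Docker, Podman,
+# etc) to execute a workflow in an isolated environment. Labels are used
+# to map jobs' `runs-on` to their runtime environment. Note that changing
+# these labels requires a new registration token.
+labels = [
+"nixos-latest:docker://nixos/nix:2.21.0"
+];
+# https://forgejo.org/docs/latest/admin/actions/#configuration
+settings = {
+runner = {
+# Default fetch interval is 2s -- no need to spam the server
+fetch_interval = "1m";
+};
+};
+};
+};
+
+age.secrets.gitea-actions-runner-token-file = {
+file = "${secrets}/secrets/gitea-actions-runner-token-file.age";
+mode = "400";
+owner = "root";
+group = "root";
+};
+}
+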
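Review bot: The only label registered in `labels` is `nixos-latest`, while the workflow added in the same commit uses `runs-on: debian-latest`, so unless some other runner advertises that label the scheduled update job will sit unclaimed; either add `"debian-latest:docker://nixos/nix:2.21.0"` here or change the workflow to `runs-on: nixos-latest`. The label binds the job to a mutable image tag; pinning it by digest (`docker://nixos/nix@sha256:<digest>`) keeps a runner-side re-pull from silently swapping the toolchain that ends up holding a write-capable deploy key. The comment above `labels` already says relabelling needs a new registration token — it is worth adding that the old token in `gitea-actions-runner-token-file.age` should be regenerated in the admin UI at the same time rather than left reusable.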