# Automatic NixOS upgrades (modules/server/system.nix) requires updating
# flake.lock in the repository periodically. This repository is hosted on
# Gitea, which doesn't have good support for CI. Instead, the repository is
# mirrored to GitLab.com, where the following is configured to run on a
# schedule. The GitLab repository is then mirrored back to Gitea:
#
#                      ┌──────────┐
#                      │ Schedule │
#                      └────┬─────┘
#                         Update
#                       flake.lock
#                           │
# ┌─────────┐  Mirror  ┌────▼─────┐
# │  Gitea  │◄────────►│  GitLab  │
# └─────────┘          └──────────┘
#
# GitLab:
#   Settings:
#     Access Tokens:
#       - "Push Token": read_repository,write_repository, Maintainer
#     Repository:
#       Mirroring repositories:
#         - ssh://git@git.caspervk.net:2222/caspervk/nixos.git, SSH public key authentication
#     CI/CD:
#       Variables:
#         ACCESS_TOKEN: , Protect, Mask
#   Build:
#     Pipeline schedules:
#       - Update flake.nix
#         23 17 * * MON
#
# Gitea:
#   Settings:
#     Repository:
#       Mirror Settings:
#         - URL:
#           Authorization:
#             Username: oauth2
#             Password:
#           Sync when commits are pushed: Yes
#     Deploy Keys:
#       - <"Copy SSH public key" from GitLab>Settings>Repository>Mirroring repositories>
#         Enable Write Access: Yes

workflow:
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'

Update flake.nix:
  image: nixos/nix:latest
  script:
    - git config user.email "snowflake@caspervk.net"
    - git config user.name "snowflake"
    - nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file
    - git push https://oauth2:$ACCESS_TOKEN@gitlab.com/$CI_PROJECT_PATH HEAD:$CI_COMMIT_BRANCH