# SPDX-FileCopyrightText: 2021 Serokell <https:#serokell.io>
#
# SPDX-License-Identifier: MPL-2.0
self:
{ pkgs, lib, config, ... }:
let
# Shorthand for this module's option values; every binding below reads from it.
cfg = config.services.update-daemon;
# All declaratively configured repositories, GitLab entries first, each
# already in the descriptor shape the daemon consumes.  `extraRepos` is
# appended separately where the config JSON is assembled.
repos = processGitLabRepos cfg.repos.gitlab ++ processGitHubRepos cfg.repos.github;
# Flatten the nested `owner -> repo -> settings` attrset of `repos.github`
# into a flat list of descriptors tagged `type = "github"`.  Per-repo
# settings are normalised by extractUrls (URL keys top-level, the rest
# under `settings`).
processGitHubRepos = repos:
  let
    reposOfOwner = owner:
      lib.mapAttrsToList (repo: settings:
        { type = "github"; inherit owner repo; } // extractUrls settings);
  in lib.concatLists (lib.mapAttrsToList reposOfOwner repos);
# Turn the `project -> settings` attrset of `repos.gitlab` into a list of
# descriptors tagged `type = "gitlab"`; settings go through extractUrls.
processGitLabRepos = repos:
  lib.mapAttrsToList
    (project: settings:
      { type = "gitlab"; inherit project; } // extractUrls settings)
    repos;
# Split a per-repository attrset into the daemon's wire shape: the two
# optional URL keys stay at the top level, everything else is nested under
# `settings`.  A URL key that is absent is simply omitted from the result.
extractUrls = settings:
  let
    urlKeys = [ "base_url" "ssh_url" ];
    urls = lib.filterAttrs (name: _: builtins.elem name urlKeys) settings;
  in { settings = builtins.removeAttrs settings urlKeys; } // urls;
in {
# Option declarations.  Everything under `settings` is serialised to JSON and
# handed to the daemon; see the `config` section for how the pieces are wired.
options.services.update-daemon = with lib;
with types; {
enable = mkEnableOption "A nix flake update daemon";
package = mkOption {
type = package;
description = "A package from which to take update-daemon";
default = self.packages.${pkgs.system}.update-daemon;
};
# Loaded by systemd as the unit's EnvironmentFile (see `config`), so the
# secrets never pass through the Nix store.  Only GITHUB_TOKEN is consumed
# by the generated script itself.
secretFile = mkOption {
type = path;
description = ''
A file containing secrets:
- GITHUB_TOKEN
You can also set additional secrets to use them in agentSetup.
'';
};
# Interpolated verbatim into the service's shell script, so this value is
# trusted configuration, not data.
# NOTE(review): the default runs ssh-agent directly; ssh-agent prints the
# SSH_AUTH_SOCK/SSH_AGENT_PID assignments to stdout rather than applying
# them, so without an `eval "$(...)"` the agent may not be reachable from
# the rest of the script — confirm against the daemon's expectations.
agentSetup = mkOption {
type = str;
description =
"Bash commands to set up the ssh agent to handle authentication to git upstreams";
default = "${pkgs.openssh}/bin/ssh-agent";
};
# Becomes the unit's `startAt`, i.e. a systemd timer OnCalendar expression.
updateDates = mkOption {
type = str;
description =
"A systemd.time specification for when to run the updates";
default = "daily";
};
# Per-repository attrsets.  `base_url` and `ssh_url` are lifted to the top
# level of the descriptor; every other key ends up under `settings`
# (see extractUrls above).
repos = {
github = mkOption {
type = attrsOf (attrsOf (attrs));
description = "Github Repositories to update";
default = { };
example = { serokell.update-daemon = { }; };
};
gitlab = mkOption {
type = attrsOf (attrs);
description = "Gitlab Repositories to update";
default = { };
};
};
# Free-form descriptors appended unchanged to the repo list.  They end up in
# the config JSON written with builtins.toFile, i.e. in the world-readable
# Nix store — keep credentials in secretFile, not here.
extraRepos = mkOption {
type = listOf attrs;
description = "Other repositories to update";
default = [ ];
};
# Passed through to the daemon as the top level of config.json (again via
# builtins.toFile, so nothing secret belongs in these values).
settings = {
author = {
name = mkOption {
type = str;
description = "Name to use in commits";
default = "Flake Update Bot";
};
email = mkOption {
type = str;
description = "Email to use in commits";
};
};
update_branch = mkOption {
type = str;
description = "The branch to push the updates to";
default = "automatic-update";
};
default_branch = mkOption {
type = str;
description =
"The branch to base the update on and submit the pull request for";
default = "master";
};
title = mkOption {
type = str;
description = "GitHub pull request title";
default = "Automatically update flake.lock to the latest version";
};
extra_body = mkOption {
type = lines;
description = "Extra lines to add to pull request body";
default = "";
};
cooldown = mkOption {
type = int;
description = "Cooldown duration between updating pull requests (in milliseconds)";
default = 100;
};
inputs = mkOption {
type = listOf str;
description = "List of input names to be updated, if empty, all inputs will be updated";
default = [];
example = [ "haskell-nix" ];
};
allow_missing_inputs = mkOption {
type = bool;
description = "If set to true, the update-daemon will not abort flake update if one of the names specified in the inputs option is not present in the flake.lock root node";
default = false;
};
# NOTE(review): the description refers to the root user's gpg-agent, but the
# unit below runs with User = "update-daemon" — confirm which account's
# keyring the daemon actually consults and align the wording.
sign_commits = mkOption {
type = bool;
description = "Whether to sign commits, the signing key must be available in gpg-agent under the root user";
default = false;
};
signing_key = mkOption {
type = nullOr str;
description = "Signing key ID or fingerprint, if not set, the default key will be used";
default = null;
};
};
};
# System configuration, only applied when the service is enabled.
config = lib.mkIf cfg.enable {
# Dedicated unprivileged account so the daemon never runs as root; its home
# under /var/lib doubles as the working directory for checkouts.
users.users.update-daemon = {
isSystemUser = true;
home = "/var/lib/update-daemon";
createHome = true;
group = "update-daemon";
};
users.groups.update-daemon = {};
# One-shot unit driven by the timer derived from `startAt`.
# NOTE(review): no sandboxing directives (ProtectSystem, PrivateTmp,
# NoNewPrivileges, ...) are set; whether they can be added depends on what
# agentSetup and the daemon need (ssh-agent sockets, writable home) — worth
# evaluating.
systemd.services.update-daemon = {
description = "A daemon to update nix flakes";
serviceConfig = {
Type = "oneshot";
# Secrets are injected by systemd into the process environment, so they
# stay out of the store and out of the unit file.
EnvironmentFile = cfg.secretFile;
User = "update-daemon";
};
# Puts the `update-daemon` binary on PATH for the script below.
path = [ cfg.package ];
# The script: run the operator-supplied agent setup verbatim, forward
# GITHUB_TOKEN to nix via NIX_CONFIG (process environment only — it is not
# written anywhere), then invoke the daemon with a config file generated at
# evaluation time.  builtins.toFile places that file in the Nix store, so
# `settings` and `extraRepos` must not contain secrets.
script = ''
${cfg.agentSetup}
# Provide GITHUB_TOKEN to nix to avoid API rate limits
if [[ $GITHUB_TOKEN ]]; then
export NIX_CONFIG="extra-access-tokens = github.com=$GITHUB_TOKEN"
else
echo "GITHUB_TOKEN is not set, you may encounter GitHub API rate limits"
fi
update-daemon ${
builtins.toFile "config.json"
(builtins.toJSON (cfg.settings // { repos = repos ++ cfg.extraRepos; }))
}
'';
# systemd.time calendar expression controlling how often the unit fires.
startAt = cfg.updateDates;
};
};
}