infra/build02/nixpkgs-update.nix

{ pkgs, lib, config, ... }:
let
  userLib = import ../users/lib.nix { inherit lib; };

  sources = import ../nix/sources.nix;
  nixpkgs-update = import sources.nixpkgs-update { };

  nixpkgs-update-bin = "${nixpkgs-update}/bin/nixpkgs-update";

  nixpkgsUpdateSystemDependencies = with pkgs; [
    nix # for nix-shell used by python packges to update fetchers
    git # used by update-scripts
    gnugrep
    gnused
    curl
  ];

  nixpkgs-update-github-releases = "${sources.nixpkgs-update-github-releases}/main.py";
  nixpkgs-update-pypi-releases = "${sources.nixpkgs-update-pypi-releases}/main.py";

  mkNixpkgsUpdateService = name: {
    description = "nixpkgs-update ${name} service";
    enable = true;
    startAt = "daily";
    restartIfChanged = false;
    path = nixpkgsUpdateSystemDependencies;
    environment.XDG_CONFIG_HOME = "/var/lib/nixpkgs-update/${name}";
    environment.XDG_CACHE_HOME = "/var/cache/nixpkgs-update/${name}";
    environment.XDG_RUNTIME_DIR = "/run/nixpkgs-update/${name}"; # for nix-update update scripts
    # API_TOKEN is used by nixpkgs-update-github-releases
    environment.API_TOKEN_FILE = "/var/lib/nixpkgs-update/github_token_with_username.txt";
    # Used by nixpkgs-update-github-releases to install python dependencies
    # Used by nixpkgs-update-pypi-releases
    environment.NIX_PATH = "nixpkgs=/var/cache/nixpkgs-update/${name}/nixpkgs";

    serviceConfig = {
      Type = "simple";
      User = "r-ryantm";
      Group = "r-ryantm";
      WorkingDirectory = "/var/lib/nixpkgs-update/${name}";
      StateDirectory = "nixpkgs-update/${name}";
      StateDirectoryMode = "700";
      CacheDirectory = "nixpkgs-update/${name}";
      CacheDirectoryMode = "700";
      LogsDirectory = "nixpkgs-update/${name}";
      LogsDirectoryMode = "755";
      RuntimeDirectory = "nixpkgs-update/${name}";
      RuntimeDirectoryMode = "700";
      StandardOutput = "journal";
    };
  };

  nixpkgs-update-command = "${nixpkgs-update-bin} update-list --pr --outpaths --nixpkgs-review";

in
{
  sops.secrets.github-r-ryantm-key = {
    path = "/home/r-ryantm/.ssh/id_rsa";
    owner = "r-ryantm";
    group = "r-ryantm";
  };

  sops.secrets.github-r-ryantm-token = {
    path = "/var/lib/nixpkgs-update/github_token.txt";
    owner = "r-ryantm";
    group = "r-ryantm";
  };

  sops.secrets.github-token-with-username = {
    path = "/var/lib/nixpkgs-update/github_token_with_username.txt";
    owner = "r-ryantm";
    group = "r-ryantm";
  };

  sops.secrets.cachix-dhall = {
    path = "/var/lib/nixpkgs-update/cachix/cachix.dhall";
    owner = "r-ryantm";
    group = "r-ryantm";
  };

  users.groups.r-ryantm = { };
  users.users.r-ryantm = {
    useDefaultShell = true;
    isNormalUser = true; # The hub cli seems to really want stuff to be set up like a normal user
    uid = userLib.mkUid "rrtm";
    extraGroups = [ "r-ryantm" ];
  };

  systemd.services.nixpkgs-update-repology = mkNixpkgsUpdateService "repology" // {
    script = ''
      ${nixpkgs-update-bin} delete-done --delete
      ${nixpkgs-update-bin} fetch-repology > /var/lib/nixpkgs-update/repology/packages-to-update-regular.txt
      # reverse list
      sed '1!G;h;$!d' /var/lib/nixpkgs-update/repology/packages-to-update-regular.txt > /var/lib/nixpkgs-update/repology/packages-to-update.txt
      ${nixpkgs-update-command}
    '';
  };

  systemd.services.nixpkgs-update-github = mkNixpkgsUpdateService "github" // {
    script = ''
      ${nixpkgs-update-bin} delete-done --delete
      ${nixpkgs-update-github-releases} > /var/lib/nixpkgs-update/github/packages-to-update.txt
      ${nixpkgs-update-command}
    '';
  };

  systemd.services.nixpkgs-update-pypi = mkNixpkgsUpdateService "pypi" // {
    script = ''
      ${nixpkgs-update-bin} delete-done --delete
      grep -rl $XDG_CACHE_HOME/nixpkgs -e buildPython | grep default | \
        ${nixpkgs-update-pypi-releases} --nixpkgs=/var/cache/nixpkgs-update/pypi/nixpkgs > /var/lib/nixpkgs-update/pypi/packages-to-update.txt
      ${nixpkgs-update-command}
    '';
  };

  systemd.services.nixpkgs-update-updatescript = mkNixpkgsUpdateService "updatescript" // {
    script = ''
      ${pkgs.nixUnstable}/bin/nix eval --raw -f ${./packages-with-update-script.nix} > /var/lib/nixpkgs-update/updatescript/packages-to-update.txt
      ${nixpkgs-update-bin} update-list --pr --outpaths --nixpkgs-review --attrpath
      ${nixpkgs-update-bin} delete-done --delete
    '';
  };

  systemd.tmpfiles.rules = [
    "e /var/cache/nixpkgs-update/repology/nixpkgs-review - - - 1d -"
    "e /var/cache/nixpkgs-update/github/nixpkgs-review - - - 1d -"
    "e /var/cache/nixpkgs-update/pypi/nixpkgs-review - - - 1d -"
    "e /var/cache/nixpkgs-update/updatescript/nixpkgs-review - - - 1d -"
  ];

  services.nginx.virtualHosts."r.ryantm.com" = {
    forceSSL = true;
    enableACME = true;
    locations."/log/" = {
      alias = "/var/log/nixpkgs-update/";
      extraConfig = ''
        charset utf-8;
        autoindex on;
      '';
    };
  };

}
build01: add initial nixpkgs-update configuration (#6) * build01: add initial nixpkgs-update configuration * use niv for nixpkgs-update * nixpkgs-update: now it works! Having to make r-ryantm a normal user is lame, but `hub` needs a regular home directory to work. Eventually I should move away from using hub. The XDG_CONFIG env variables are because nixpkgs-update doesn't detec the systemd XDG-like env variables yet. * nixpkgs-update: add r-ryantm as trusted user and logging config * nixpkgs-update: add cachix * nixpkgs-update: update with niv * nixpkgs-update: fixup cachix config 2020-01-15 00:15:23 -08:00			`{ pkgs, lib, config, ... }:`
			`let`
			`userLib = import ../users/lib.nix { inherit lib; };`

			`sources = import ../nix/sources.nix;`
let nixpkgs-updater use the nix-community cache 2020-08-07 19:59:15 +02:00			`nixpkgs-update = import sources.nixpkgs-update { };`
nixpkgs-update: Disable post build hook with a patch We want to avoid pushing to multiple cachix caches and r-ryantm has it's own already. 2020-04-17 17:34:57 +01:00
update nixpkgs-update * fail update if updateScript fails 2020-08-01 09:54:23 -07:00			`nixpkgs-update-bin = "${nixpkgs-update}/bin/nixpkgs-update";`

build01: add initial nixpkgs-update configuration (#6) * build01: add initial nixpkgs-update configuration * use niv for nixpkgs-update * nixpkgs-update: now it works! Having to make r-ryantm a normal user is lame, but `hub` needs a regular home directory to work. Eventually I should move away from using hub. The XDG_CONFIG env variables are because nixpkgs-update doesn't detec the systemd XDG-like env variables yet. * nixpkgs-update: add r-ryantm as trusted user and logging config * nixpkgs-update: add cachix * nixpkgs-update: update with niv * nixpkgs-update: fixup cachix config 2020-01-15 00:15:23 -08:00			`nixpkgsUpdateSystemDependencies = with pkgs; [`
fix nixpkgs-update script dependencies * the python package to update fetchers still need nix-shell 2020-07-21 06:28:51 -07:00			`nix # for nix-shell used by python packges to update fetchers`
nixpkgs-update: add git as dependency for update scripts eventually, it should be possible to pass git through to the updatescripts directly within the nixpkgs-update binary, but this is quicker for now. 2020-10-11 07:21:54 -07:00			`git # used by update-scripts`
Add nixpkgs-update-pypi-release 2020-03-29 23:59:38 -07:00			`gnugrep`
reverse alphabetical order of repology updater 2021-08-21 10:25:47 -07:00			`gnused`
nixpkgs-update: add curl dependency 2020-02-05 20:33:57 -08:00			`curl`
update nixpkgs-update * fail update if updateScript fails 2020-08-01 09:54:23 -07:00			`];`
build01: add initial nixpkgs-update configuration (#6) * build01: add initial nixpkgs-update configuration * use niv for nixpkgs-update * nixpkgs-update: now it works! Having to make r-ryantm a normal user is lame, but `hub` needs a regular home directory to work. Eventually I should move away from using hub. The XDG_CONFIG env variables are because nixpkgs-update doesn't detec the systemd XDG-like env variables yet. * nixpkgs-update: add r-ryantm as trusted user and logging config * nixpkgs-update: add cachix * nixpkgs-update: update with niv * nixpkgs-update: fixup cachix config 2020-01-15 00:15:23 -08:00
[nixpkgs-update] add github source 2020-01-25 15:05:09 -08:00			`nixpkgs-update-github-releases = "${sources.nixpkgs-update-github-releases}/main.py";`
Add nixpkgs-update-pypi-release 2020-03-29 23:59:38 -07:00			`nixpkgs-update-pypi-releases = "${sources.nixpkgs-update-pypi-releases}/main.py";`
[nixpkgs-update] add github source 2020-01-25 15:05:09 -08:00
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`mkNixpkgsUpdateService = name: {`
			`description = "nixpkgs-update ${name} service";`
update nixpkgs-update - fix delete-done 2020-06-13 20:23:50 -07:00			`enable = true;`
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`startAt = "daily";`
fix new nixpkgs-update github source it is now working! 2020-01-25 18:33:04 -08:00			`restartIfChanged = false;`
build01: add initial nixpkgs-update configuration (#6) * build01: add initial nixpkgs-update configuration * use niv for nixpkgs-update * nixpkgs-update: now it works! Having to make r-ryantm a normal user is lame, but `hub` needs a regular home directory to work. Eventually I should move away from using hub. The XDG_CONFIG env variables are because nixpkgs-update doesn't detec the systemd XDG-like env variables yet. * nixpkgs-update: add r-ryantm as trusted user and logging config * nixpkgs-update: add cachix * nixpkgs-update: update with niv * nixpkgs-update: fixup cachix config 2020-01-15 00:15:23 -08:00			`path = nixpkgsUpdateSystemDependencies;`
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`environment.XDG_CONFIG_HOME = "/var/lib/nixpkgs-update/${name}";`
			`environment.XDG_CACHE_HOME = "/var/cache/nixpkgs-update/${name}";`
			`environment.XDG_RUNTIME_DIR = "/run/nixpkgs-update/${name}"; # for nix-update update scripts`
[nixpkgs-update] add github source 2020-01-25 15:05:09 -08:00			`# API_TOKEN is used by nixpkgs-update-github-releases`
use token file with nixpkgs-update-github-releases 2020-01-25 15:15:27 -08:00			`environment.API_TOKEN_FILE = "/var/lib/nixpkgs-update/github_token_with_username.txt";`
fix new nixpkgs-update github source it is now working! 2020-01-25 18:33:04 -08:00			`# Used by nixpkgs-update-github-releases to install python dependencies`
nixpkgs-update: use XDG_CACHE_HOME for NIX_PATH 2020-05-03 09:00:11 -07:00			`# Used by nixpkgs-update-pypi-releases`
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`environment.NIX_PATH = "nixpkgs=/var/cache/nixpkgs-update/${name}/nixpkgs";`
build01: add initial nixpkgs-update configuration (#6) * build01: add initial nixpkgs-update configuration * use niv for nixpkgs-update * nixpkgs-update: now it works! Having to make r-ryantm a normal user is lame, but `hub` needs a regular home directory to work. Eventually I should move away from using hub. The XDG_CONFIG env variables are because nixpkgs-update doesn't detec the systemd XDG-like env variables yet. * nixpkgs-update: add r-ryantm as trusted user and logging config * nixpkgs-update: add cachix * nixpkgs-update: update with niv * nixpkgs-update: fixup cachix config 2020-01-15 00:15:23 -08:00
format with nixpkgs-fmt 2021-01-03 00:07:49 +01:00			`serviceConfig = {`
nixpkgs-update: try using simple service type oneshot doesn't work well because the service is long running and running `systemd start nixpkgs-update` has to be manually placed into the background by the caller 2020-10-11 10:07:31 -07:00			`Type = "simple";`
			`User = "r-ryantm";`
			`Group = "r-ryantm";`
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`WorkingDirectory = "/var/lib/nixpkgs-update/${name}";`
			`StateDirectory = "nixpkgs-update/${name}";`
nixpkgs-update: try using simple service type oneshot doesn't work well because the service is long running and running `systemd start nixpkgs-update` has to be manually placed into the background by the caller 2020-10-11 10:07:31 -07:00			`StateDirectoryMode = "700";`
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`CacheDirectory = "nixpkgs-update/${name}";`
nixpkgs-update: try using simple service type oneshot doesn't work well because the service is long running and running `systemd start nixpkgs-update` has to be manually placed into the background by the caller 2020-10-11 10:07:31 -07:00			`CacheDirectoryMode = "700";`
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`LogsDirectory = "nixpkgs-update/${name}";`
nixpkgs-update: try using simple service type oneshot doesn't work well because the service is long running and running `systemd start nixpkgs-update` has to be manually placed into the background by the caller 2020-10-11 10:07:31 -07:00			`LogsDirectoryMode = "755";`
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`RuntimeDirectory = "nixpkgs-update/${name}";`
nixpkgs-update: fix runtime directory settings thanks worldofpeace 2020-10-24 14:00:47 -07:00			`RuntimeDirectoryMode = "700";`
nixpkgs-update: try using simple service type oneshot doesn't work well because the service is long running and running `systemd start nixpkgs-update` has to be manually placed into the background by the caller 2020-10-11 10:07:31 -07:00			`StandardOutput = "journal";`
			`};`
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`};`

nixpkgs-update: add new source, derivations with updateScripts 2021-08-27 13:17:06 -07:00			`nixpkgs-update-command = "${nixpkgs-update-bin} update-list --pr --outpaths --nixpkgs-review";`

build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`in`
			`{`
migrate to sops-nix 2021-09-25 22:35:51 +02:00			`sops.secrets.github-r-ryantm-key = {`
			`path = "/home/r-ryantm/.ssh/id_rsa";`
			`owner = "r-ryantm";`
			`group = "r-ryantm";`
			`};`

			`sops.secrets.github-r-ryantm-token = {`
			`path = "/var/lib/nixpkgs-update/github_token.txt";`
			`owner = "r-ryantm";`
			`group = "r-ryantm";`
			`};`

			`sops.secrets.github-token-with-username = {`
			`path = "/var/lib/nixpkgs-update/github_token_with_username.txt";`
			`owner = "r-ryantm";`
			`group = "r-ryantm";`
			`};`

			`sops.secrets.cachix-dhall = {`
			`path = "/var/lib/nixpkgs-update/cachix/cachix.dhall";`
			`owner = "r-ryantm";`
			`group = "r-ryantm";`
			`};`
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00
			`users.groups.r-ryantm = { };`
			`users.users.r-ryantm = {`
			`useDefaultShell = true;`
			`isNormalUser = true; # The hub cli seems to really want stuff to be set up like a normal user`
			`uid = userLib.mkUid "rrtm";`
			`extraGroups = [ "r-ryantm" ];`
			`};`

			`systemd.services.nixpkgs-update-repology = mkNixpkgsUpdateService "repology" // {`
nixpkgs-update: try using simple service type oneshot doesn't work well because the service is long running and running `systemd start nixpkgs-update` has to be manually placed into the background by the caller 2020-10-11 10:07:31 -07:00			`script = ''`
update nixpkgs-update * fail update if updateScript fails 2020-08-01 09:54:23 -07:00			`${nixpkgs-update-bin} delete-done --delete`
reverse alphabetical order of repology updater 2021-08-21 10:25:47 -07:00			`${nixpkgs-update-bin} fetch-repology > /var/lib/nixpkgs-update/repology/packages-to-update-regular.txt`
			`# reverse list`
			`sed '1!G;h;$!d' /var/lib/nixpkgs-update/repology/packages-to-update-regular.txt > /var/lib/nixpkgs-update/repology/packages-to-update.txt`
nixpkgs-update: add new source, derivations with updateScripts 2021-08-27 13:17:06 -07:00			`${nixpkgs-update-command}`
[nixpkgs-update] automatically run (#8) 2020-01-21 01:55:01 -08:00			`'';`
build01: add initial nixpkgs-update configuration (#6) * build01: add initial nixpkgs-update configuration * use niv for nixpkgs-update * nixpkgs-update: now it works! Having to make r-ryantm a normal user is lame, but `hub` needs a regular home directory to work. Eventually I should move away from using hub. The XDG_CONFIG env variables are because nixpkgs-update doesn't detec the systemd XDG-like env variables yet. * nixpkgs-update: add r-ryantm as trusted user and logging config * nixpkgs-update: add cachix * nixpkgs-update: update with niv * nixpkgs-update: fixup cachix config 2020-01-15 00:15:23 -08:00			`};`

build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`systemd.services.nixpkgs-update-github = mkNixpkgsUpdateService "github" // {`
			`script = ''`
			`${nixpkgs-update-bin} delete-done --delete`
			`${nixpkgs-update-github-releases} > /var/lib/nixpkgs-update/github/packages-to-update.txt`
nixpkgs-update: add new source, derivations with updateScripts 2021-08-27 13:17:06 -07:00			`${nixpkgs-update-command}`
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`'';`
			`};`

			`systemd.services.nixpkgs-update-pypi = mkNixpkgsUpdateService "pypi" // {`
			`script = ''`
			`${nixpkgs-update-bin} delete-done --delete`
			`grep -rl $XDG_CACHE_HOME/nixpkgs -e buildPython \| grep default \| \`
			`${nixpkgs-update-pypi-releases} --nixpkgs=/var/cache/nixpkgs-update/pypi/nixpkgs > /var/lib/nixpkgs-update/pypi/packages-to-update.txt`
nixpkgs-update: add new source, derivations with updateScripts 2021-08-27 13:17:06 -07:00			`${nixpkgs-update-command}`
			`'';`
			`};`

			`systemd.services.nixpkgs-update-updatescript = mkNixpkgsUpdateService "updatescript" // {`
			`script = ''`
			`${pkgs.nixUnstable}/bin/nix eval --raw -f ${./packages-with-update-script.nix} > /var/lib/nixpkgs-update/updatescript/packages-to-update.txt`
			`${nixpkgs-update-bin} update-list --pr --outpaths --nixpkgs-review --attrpath`
			`${nixpkgs-update-bin} delete-done --delete`
build02: split nixpkgs-update into three parallel services by source * repology * github * pypi 2021-08-12 21:43:34 -07:00			`'';`
build01: add initial nixpkgs-update configuration (#6) * build01: add initial nixpkgs-update configuration * use niv for nixpkgs-update * nixpkgs-update: now it works! Having to make r-ryantm a normal user is lame, but `hub` needs a regular home directory to work. Eventually I should move away from using hub. The XDG_CONFIG env variables are because nixpkgs-update doesn't detec the systemd XDG-like env variables yet. * nixpkgs-update: add r-ryantm as trusted user and logging config * nixpkgs-update: add cachix * nixpkgs-update: update with niv * nixpkgs-update: fixup cachix config 2020-01-15 00:15:23 -08:00			`};`

nixpkgs-update: cleanup nixpkgs-review files 2021-09-22 21:21:09 -07:00			`systemd.tmpfiles.rules = [`
			`"e /var/cache/nixpkgs-update/repology/nixpkgs-review - - - 1d -"`
			`"e /var/cache/nixpkgs-update/github/nixpkgs-review - - - 1d -"`
			`"e /var/cache/nixpkgs-update/pypi/nixpkgs-review - - - 1d -"`
			`"e /var/cache/nixpkgs-update/updatescript/nixpkgs-review - - - 1d -"`
			`];`

nixpkgs-update: serve logs 2020-03-21 19:05:01 -07:00			`services.nginx.virtualHosts."r.ryantm.com" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/log/" = {`
			`alias = "/var/log/nixpkgs-update/";`
nixpkgs-update logs, set charset 2020-07-03 20:26:52 -07:00			`extraConfig = ''`
			`charset utf-8;`
			`autoindex on;`
			`'';`
nixpkgs-update: serve logs 2020-03-21 19:05:01 -07:00			`};`
			`};`

build01: add initial nixpkgs-update configuration (#6) * build01: add initial nixpkgs-update configuration * use niv for nixpkgs-update * nixpkgs-update: now it works! Having to make r-ryantm a normal user is lame, but `hub` needs a regular home directory to work. Eventually I should move away from using hub. The XDG_CONFIG env variables are because nixpkgs-update doesn't detec the systemd XDG-like env variables yet. * nixpkgs-update: add r-ryantm as trusted user and logging config * nixpkgs-update: add cachix * nixpkgs-update: update with niv * nixpkgs-update: fixup cachix config 2020-01-15 00:15:23 -08:00			`}`
No results found.