build01: add initial nixpkgs-update configuration (#6)

* build01: add initial nixpkgs-update configuration * use niv for nixpkgs-update * nixpkgs-update: now it works! Having to make r-ryantm a normal user is lame, but `hub` needs a regular home directory to work. Eventually I should move away from using hub. The XDG_CONFIG env variables are because nixpkgs-update doesn't detec the systemd XDG-like env variables yet. * nixpkgs-update: add r-ryantm as trusted user and logging config * nixpkgs-update: add cachix * nixpkgs-update: update with niv * nixpkgs-update: fixup cachix config
2020-01-15 00:15:23 -08:00 · 2020-01-15 00:15:23 -08:00 · 612b75f0a3
commit 612b75f0a3
parent 5b309342cc
5 changed files with 113 additions and 0 deletions
--- a/build01/configuration.nix
+++ b/build01/configuration.nix
@ -10,6 +10,7 @@ in {
    ./buildkite.nix
    ./gitlab.nix
    ./hydra.nix
+    ./nixpkgs-update.nix

    ../profiles/common.nix
    ../profiles/docker.nix
--- a/build01/nixpkgs-update.nix
+++ b/build01/nixpkgs-update.nix
@ -0,0 +1,76 @@
+{ pkgs, lib, config, ... }:
+
+let
+  userLib = import ../users/lib.nix { inherit lib; };
+
+  sources = import ../nix/sources.nix;
+  nixpkgs-update = import sources.nixpkgs-update { returnShellEnv = false; };
+  nixpkgsUpdateSystemDependencies = with pkgs; [
+    nix
+    git
+    getent
+    gitAndTools.hub
+    jq
+    tree
+    gist
+    cachix
+  ];
+
+  nixpkgsUpdateServiceConfigCommon = {
+    Type = "oneshot";
+    User = "r-ryantm";
+    Group = "r-ryantm";
+    WorkingDirectory = "/var/lib/nixpkgs-update";
+    StateDirectory = "nixpkgs-update";
+    StateDirectoryMode = "700";
+    RuntimeDirectory = "nixpkgs-update";
+    RuntimeDirectoryMode = "700";
+    CacheDirectory = "nixpkgs-update";
+    CacheDirectoryMode = "700";
+    StandardOutput="journal";
+  };
+in {
+  users.users.r-ryantm.packages = [ pkgs.cachix ];
+  users.groups.r-ryantm = { };
+  users.users.r-ryantm = {
+    useDefaultShell = true;
+    isNormalUser = true; # The hub cli seems to really want stuff to be set up like a normal user
+    uid = userLib.mkUid "rrtm";
+    extraGroups = [ "r-ryantm" ];
+  };
+  nix.trustedUsers = [
+    "r-ryantm"
+  ];
+
+
+  systemd.services.nixpkgs-update = {
+    description = "nixpkgs-update service";
+    enable = true;
+    path = nixpkgsUpdateSystemDependencies;
+    environment.XDG_CONFIG_HOME = "/var/lib/nixpkgs-update";
+    environment.XDG_RUNTIME_DIR = "/run/nixpkgs-update";
+    environment.XDG_CACHE_HOME = "/var/cache/nixpkgs-update";
+
+    serviceConfig = nixpkgsUpdateServiceConfigCommon;
+    script = "${nixpkgs-update}/bin/nixpkgs-update update";
+  };
+
+  systemd.services.nixpkgs-update-delete-done = {
+    description = "nixpkgs-update delete done branches";
+    enable = true;
+    path = nixpkgsUpdateSystemDependencies;
+    environment.XDG_CONFIG_HOME = "/var/lib/nixpkgs-update";
+    environment.XDG_RUNTIME_DIR = "/run/nixpkgs-update";
+    environment.XDG_CACHE_HOME = "/var/cache/nixpkgs-update";
+
+    serviceConfig = nixpkgsUpdateServiceConfigCommon;
+    script = "${nixpkgs-update}/bin/nixpkgs-update delete-done";
+  };
+
+  systemd.timers.nixpkgs-update-delete-done = {
+    description = "nixpkgs-update delete done branches";
+    enable = true;
+    timerConfig = { OnCalendar = "daily"; };
+  };
+
+}
--- a/deployment.nix
+++ b/deployment.nix
@ -39,6 +39,30 @@ in {
        permissions = "0600";
      };

+      deployment.keys."id_rsa" = {
+        text = secrets.github-r-ryantm-key;
+        destDir = "/home/r-ryantm/.ssh";
+        user = "r-ryantm";
+        group = "r-ryantm";
+        permissions = "0600";
+      };
+
+      deployment.keys."github_token.txt" = {
+        text = secrets.github-r-ryantm-token;
+        destDir = "/var/lib/nixpkgs-update";
+        user = "r-ryantm";
+        group = "r-ryantm";
+        permissions = "0600";
+      };
+
+      deployment.keys."cachix.dhall" = {
+        text = secrets."cachix.dhall";
+        destDir = "/var/lib/nixpkgs-update/cachix";
+        user = "r-ryantm";
+        group = "r-ryantm";
+        permissions = "0600";
+      };
+
    };

 }
--- a/nix/sources.json
+++ b/nix/sources.json
@ -11,6 +11,18 @@
        "url": "https://github.com/NixOS/nixpkgs-channels/archive/aa561c6fb4f48974639a9e2b76fdd3e15b2abfd4.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
+    "nixpkgs-update": {
+        "branch": "master",
+        "description": "Semi-automatically updating nixpkgs packages since 2018",
+        "homepage": "",
+        "owner": "ryantm",
+        "repo": "nixpkgs-update",
+        "rev": "3f559eb4c24aab547447c248d32ee791fe937cf0",
+        "sha256": "1xyaja08cv57gbnzyal9iryb0dc4yg986hdm6yy9mg5fajgh7gr9",
+        "type": "tarball",
+        "url": "https://github.com/ryantm/nixpkgs-update/archive/3f559eb4c24aab547447c248d32ee791fe937cf0.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
    "simple-hydra": {
        "branch": "master",
        "description": "A simple module for enabling Hydra",
--- a/secrets/cachix.dhall
+++ b/secrets/cachix.dhall