diff --git a/flake.lock b/flake.lock
index cf1d6de..2705eb3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -60,17 +60,17 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1671149032,
- "narHash": "sha256-BP8mspP2oJqIm9zHj1EHSolkOWg9+jqIm2R/fUWQq28=",
+ "lastModified": 1671755972,
+ "narHash": "sha256-X977apvpqBqqRf2XBNorfunZmQNn3cQYGEnQE4L90Fo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "34274e6c8604be2d103606b11dae0ac2e3a0d584",
+ "rev": "e8ee153b1717dca9c6aa38d5cf198329480d5b41",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
+ "ref": "nixos-unstable-small",
 "repo": "nixpkgs",
- "rev": "34274e6c8604be2d103606b11dae0ac2e3a0d584",
 "type": "github"
 }
 },
@@ -173,6 +173,26 @@
 "type": "github"
 }
 },
+ "nur-update": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1670690859,
+ "narHash": "sha256-QHEHBp2D0b/9goFDhR07VLnUkqlU3Ie8lKglG67zpR4=",
+ "owner": "nix-community",
+ "repo": "nur-update",
+ "rev": "5e86794950e8061b6e19040f96cc2620c29e922e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nur-update",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "flake-parts": "flake-parts",
@@ -180,6 +200,7 @@
 "nixpkgs-update": "nixpkgs-update",
 "nixpkgs-update-github-releases": "nixpkgs-update-github-releases",
 "nixpkgs-update-pypi-releases": "nixpkgs-update-pypi-releases",
+ "nur-update": "nur-update",
 "sops-nix": "sops-nix",
 "srvos": "srvos"
 }
diff --git a/flake.nix b/flake.nix
index 126d6d4..a237ed5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -25,6 +25,9 @@ nixpkgs-update-github-releases.flake = false; nixpkgs-update-pypi-releases.url = "github:ryantm/nixpkgs-update-pypi-releases"; nixpkgs-update-pypi-releases.flake = false; + + nur-update.url = "github:nix-community/nur-update"; + nur-update.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = inputs @ {flake-parts, ...}:
@@ -84,6 +87,9 @@ modules = common ++ [ + (import ./services/nur-update { + inherit (inputs) nur-update; + }) ./build03/configuration.nix ]; };
diff --git a/services/nur-update/default.nix b/services/nur-update/default.nix
new file mode 100644
index 0000000..86c9424
--- /dev/null
+++ b/services/nur-update/default.nix
@@ -0,0 +1,31 @@
+{ nur-update }: { config, lib, pkgs, ... }:
+
+{
+ services.nginx.virtualHosts."nur-update.nix-community.org" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://unix:/run/nur-update/gunicorn.sock";
+ };
+
+ sops.secrets.nur-update-github-token = { };
+
+ systemd.services.nur-update = {
+ description = "nur-update service";
+ script = ''
+ GITHUB_TOKEN="$(<$CREDENTIALS_DIRECTORY/github-token)" \
+ ${lib.getExe pkgs.python3.pkgs.gunicorn} nur_update:app \
+ --bind unix:/run/nur-update/gunicorn.sock \
+ --log-level info \
+ --python-path ${nur-update.packages.${pkgs.system}.default} \
+ --timeout 30 \
+ --workers 3
+ '';
+ serviceConfig = {
+ DynamicUser = true;
+ LoadCredential = [ "github-token:${config.sops.secrets.nur-update-github-token.path}" ];
+ Restart = "always";
+ RuntimeDirectory = "nur-update";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+}
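Review bot: The new unit's `serviceConfig` in services/nur-update/default.nix sets only `DynamicUser`, `LoadCredential`, `Restart` and `RuntimeDirectory`, so a gunicorn process that is reachable from the internet through the nginx vhost and holds a GitHub token runs with most of systemd's optional sandboxing left off. `DynamicUser` already implies some protections, and the fence below lists further options as an untested starting point; check them against what nur_update actually needs (it presumably makes outbound HTTPS calls). Separately, the socket in /run/nur-update is created with whatever umask gunicorn applies (its documented default is 0) inside a runtime directory that defaults to mode 0755, so any local account on the host can probably connect to the app without going through nginx. If that is not intended, confirm the socket mode and restrict it, for example by running the unit with nginx's group and passing gunicorn `--umask 007`.

```nix
    serviceConfig = {
      # … unchanged: DynamicUser, LoadCredential, Restart, RuntimeDirectory …
      CapabilityBoundingSet = "";
      LockPersonality = true;
      PrivateDevices = true;
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      SystemCallArchitectures = "native";
    };
```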