add nur-update service

Flake lock file updates:

• Added input 'nur-update':
    'github:nix-community/nur-update/5e86794950e8061b6e19040f96cc2620c29e922e' (2022-12-10)
• Added input 'nur-update/nixpkgs':
    follows 'nixpkgs'

flake.lock

@@ -60,17 +60,17 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1671149032,
+        "lastModified": 1671755972,
-        "narHash": "sha256-BP8mspP2oJqIm9zHj1EHSolkOWg9+jqIm2R/fUWQq28=",
+        "narHash": "sha256-X977apvpqBqqRf2XBNorfunZmQNn3cQYGEnQE4L90Fo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "34274e6c8604be2d103606b11dae0ac2e3a0d584",
+        "rev": "e8ee153b1717dca9c6aa38d5cf198329480d5b41",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
+        "ref": "nixos-unstable-small",
         "repo": "nixpkgs",
-        "rev": "34274e6c8604be2d103606b11dae0ac2e3a0d584",
         "type": "github"
       }
     },
@@ -173,6 +173,26 @@
         "type": "github"
       }
     },
+    "nur-update": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1670690859,
+        "narHash": "sha256-QHEHBp2D0b/9goFDhR07VLnUkqlU3Ie8lKglG67zpR4=",
+        "owner": "nix-community",
+        "repo": "nur-update",
+        "rev": "5e86794950e8061b6e19040f96cc2620c29e922e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nur-update",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "flake-parts": "flake-parts",
@@ -180,6 +200,7 @@
         "nixpkgs-update": "nixpkgs-update",
         "nixpkgs-update-github-releases": "nixpkgs-update-github-releases",
         "nixpkgs-update-pypi-releases": "nixpkgs-update-pypi-releases",
+        "nur-update": "nur-update",
         "sops-nix": "sops-nix",
         "srvos": "srvos"
       }

flake.nix

@@ -25,6 +25,9 @@
     nixpkgs-update-github-releases.flake = false;
     nixpkgs-update-pypi-releases.url = "github:ryantm/nixpkgs-update-pypi-releases";
     nixpkgs-update-pypi-releases.flake = false;
+
+    nur-update.url = "github:nix-community/nur-update";
+    nur-update.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = inputs @ {flake-parts, ...}:
@@ -84,6 +87,9 @@
             modules =
               common
               ++ [
+                (import ./services/nur-update {
+                  inherit (inputs) nur-update;
+                })
                 ./build03/configuration.nix
               ];
           };

services/nur-update/default.nix

@@ -0,0 +1,31 @@
+{ nur-update }: { config, lib, pkgs, ... }:
+
+{
+  services.nginx.virtualHosts."nur-update.nix-community.org" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://unix:/run/nur-update/gunicorn.sock";
+  };
+
+  sops.secrets.nur-update-github-token = { };
+
+  systemd.services.nur-update = {
+    description = "nur-update service";
+    script = ''
+      GITHUB_TOKEN="$(<$CREDENTIALS_DIRECTORY/github-token)" \
+        ${lib.getExe pkgs.python3.pkgs.gunicorn} nur_update:app \
+        --bind unix:/run/nur-update/gunicorn.sock \
+        --log-level info \
+        --python-path ${nur-update.packages.${pkgs.system}.default} \
+        --timeout 30 \
+        --workers 3
+    '';
+    serviceConfig = {
+      DynamicUser = true;
+      LoadCredential = [ "github-token:${config.sops.secrets.nur-update-github-token.path}" ];
+      Restart = "always";
+      RuntimeDirectory = "nur-update";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+}