add nur-update service

Flake lock file updates: • Added input 'nur-update': 'github:nix-community/nur-update/5e86794950e8061b6e19040f96cc2620c29e922e' (2022-12-10) • Added input 'nur-update/nixpkgs': follows 'nixpkgs'
2022-12-12 07:41:32 +10:00 · 2022-12-12 07:41:32 +10:00 · 86ac03df56
commit 86ac03df56
parent de9603f620
3 changed files with 62 additions and 4 deletions
--- a/flake.lock
+++ b/flake.lock
@ -60,17 +60,17 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1671149032,
-        "narHash": "sha256-BP8mspP2oJqIm9zHj1EHSolkOWg9+jqIm2R/fUWQq28=",
+        "lastModified": 1671755972,
+        "narHash": "sha256-X977apvpqBqqRf2XBNorfunZmQNn3cQYGEnQE4L90Fo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "34274e6c8604be2d103606b11dae0ac2e3a0d584",
+        "rev": "e8ee153b1717dca9c6aa38d5cf198329480d5b41",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
-        "rev": "34274e6c8604be2d103606b11dae0ac2e3a0d584",
        "type": "github"
      }
    },
@ -173,6 +173,26 @@
        "type": "github"
      }
    },
+    "nur-update": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1670690859,
+        "narHash": "sha256-QHEHBp2D0b/9goFDhR07VLnUkqlU3Ie8lKglG67zpR4=",
+        "owner": "nix-community",
+        "repo": "nur-update",
+        "rev": "5e86794950e8061b6e19040f96cc2620c29e922e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nur-update",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "flake-parts": "flake-parts",
@ -180,6 +200,7 @@
        "nixpkgs-update": "nixpkgs-update",
        "nixpkgs-update-github-releases": "nixpkgs-update-github-releases",
        "nixpkgs-update-pypi-releases": "nixpkgs-update-pypi-releases",
+        "nur-update": "nur-update",
        "sops-nix": "sops-nix",
        "srvos": "srvos"
      }
--- a/flake.nix
+++ b/flake.nix
@ -25,6 +25,9 @@
    nixpkgs-update-github-releases.flake = false;
    nixpkgs-update-pypi-releases.url = "github:ryantm/nixpkgs-update-pypi-releases";
    nixpkgs-update-pypi-releases.flake = false;
+
+    nur-update.url = "github:nix-community/nur-update";
+    nur-update.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = inputs @ {flake-parts, ...}:
@ -84,6 +87,9 @@
            modules =
              common
              ++ [
+                (import ./services/nur-update {
+                  inherit (inputs) nur-update;
+                })
                ./build03/configuration.nix
              ];
          };
--- a/services/nur-update/default.nix
+++ b/services/nur-update/default.nix
@ -0,0 +1,31 @@
+{ nur-update }: { config, lib, pkgs, ... }:
+
+{
+  services.nginx.virtualHosts."nur-update.nix-community.org" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://unix:/run/nur-update/gunicorn.sock";
+  };
+
+  sops.secrets.nur-update-github-token = { };
+
+  systemd.services.nur-update = {
+    description = "nur-update service";
+    script = ''
+      GITHUB_TOKEN="$(<$CREDENTIALS_DIRECTORY/github-token)" \
+        ${lib.getExe pkgs.python3.pkgs.gunicorn} nur_update:app \
+        --bind unix:/run/nur-update/gunicorn.sock \
+        --log-level info \
+        --python-path ${nur-update.packages.${pkgs.system}.default} \
+        --timeout 30 \
+        --workers 3
+    '';
+    serviceConfig = {
+      DynamicUser = true;
+      LoadCredential = [ "github-token:${config.sops.secrets.nur-update-github-token.path}" ];
+      Restart = "always";
+      RuntimeDirectory = "nur-update";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+}