config/modules/services/deployerbot/default.nix

{
config,
lib,
pkgs,
myData,
...
}: {
options.mj.services.deployerbot.main = let
  inherit (lib) mkEnableOption mkOption;
  inherit (lib.types) listOf str int;
in {
  # Orchestrator side: the host that pulls the config repo, bumps the flake
  # lock file and pushes new closures to every follower.
  enable = mkEnableOption "Enable system updater orchestrator";
  # deploy-rs target names; joined with spaces and passed verbatim to `--targets`.
  deployDerivations = mkOption {type = listOf str;};
  # Numeric id used for both the deployerbot-main user and its group.
  uidgid = mkOption {type = int;};
  # Git URL of the configuration flake; cloned and fetched over SSH.
  repo = mkOption {type = str;};
};
options.mj.services.deployerbot.follower = let
  inherit (lib) mkEnableOption mkOption;
  inherit (lib.types) str int;
in {
  # Follower side: lets the orchestrator log in and activate a new profile.
  enable = mkEnableOption "Allow system to be deployed with deployerbot";
  # SSH public key of the orchestrator; installed with a `from=` source
  # restriction rather than as a bare key.
  publicKey = mkOption {type = str;};
  # Numeric id used for both the deployerbot-follower user and its group.
  uidgid = mkOption {type = int;};
};
config = lib.mkMerge [
(let
  cfg = config.mj.services.deployerbot.main;
  # Space-separated deploy-rs target list, spliced verbatim into `--targets`.
  targets = lib.concatStringsSep " " cfg.deployDerivations;
in
  lib.mkIf cfg.enable {
    # TODO: git config --global user.email bot@jakstys.lt
    users.users.deployerbot-main = {
      description = "Deployerbot Main";
      home = "/var/lib/deployerbot-main";
      useDefaultShell = true;
      group = "deployerbot-main";
      isSystemUser = true;
      createHome = true;
      uid = cfg.uidgid;
    };
    users.groups.deployerbot-main.gid = cfg.uidgid;

    systemd.services.deployerbot = {
      description = "Update all known systems";
      environment.TZ = "UTC";
      path = [
        pkgs.git
        pkgs.openssh
        pkgs.nix
      ];
      # A oneshot: rebuilding this unit must not kick off a deploy round by itself.
      restartIfChanged = false;
      serviceConfig = {
        Type = "oneshot";
        User = "deployerbot-main";
        WorkingDirectory = config.users.users.deployerbot-main.home;
        # The host's own ed25519 key doubles as the bot's SSH client identity for
        # git and deploy-rs; systemd hands it to the service as a credential file
        # instead of making the key readable by the user directly.
        LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"];
      };
      script = ''
        # Commands are echoed to the journal; the credential path shows up in the
        # trace, the key material does not.
        set -x
        # git talks to the repo over SSH with the credential above. Host keys are
        # still checked against the system known_hosts; nothing here relaxes that.
        export GIT_SSH_COMMAND="ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
        if [[ -d config ]]; then
          cd config
          # Follow origin/main exactly; local commits (e.g. a lock-file bump
          # whose push failed last run) are discarded rather than replayed.
          git fetch origin
          git reset --hard origin/main
        else
          git clone ${cfg.repo} config
          cd config
        fi
        # Bump every flake input and record the result as a commit.
        # --accept-flake-config applies the repo's own nixConfig (substituters and
        # the like) without prompting, so whatever sits on origin/main is trusted
        # completely by this host and, through deploy-rs, by every follower.
        nix flake update --accept-flake-config --commit-lock-file
        nix --accept-flake-config run .#deploy-rs -- \
          --ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
          --ssh-user=deployerbot-follower \
          --confirm-timeout 60 \
          --targets ${targets} -- \
          --accept-flake-config
        # Publish the new lock file only after the deploy went through.
        git push origin main
      '';
    };

    systemd.timers.deployerbot = {
      description = "deployerbot-main timer";
      wantedBy = ["timers.target"];
      # 15:38 UTC was the latest merge that I have observed since
      # making the commit by looking at 3 commits of this repo.
      # Let's try to be optimistic.
      timerConfig.OnCalendar = "*-*-* 23:30:00 UTC";
    };
    mj.base.unitstatus.units = ["deployerbot"];
    # Trusted Nix users may override daemon settings (substituters, signing
    # keys); Nix documents this as effectively root-equivalent. Presumably
    # required for --accept-flake-config to take effect under the daemon.
    nix.settings.trusted-users = ["deployerbot-main"];
  })
(let
  cfg = config.mj.services.deployerbot.follower;
  # Only honour the orchestrator's key for connections originating from the
  # tailscale subnet; `from=` is an sshd authorized_keys option, so the source
  # check happens before any shell is spawned.
  restrictedKey = "from=\"${myData.subnets.tailscale.sshPattern}\" " + cfg.publicKey;
in
  lib.mkIf cfg.enable {
    users.users.deployerbot-follower = {
      description = "Deployerbot Follower";
      home = "/var/lib/deployerbot-follower";
      useDefaultShell = true;
      group = "deployerbot-follower";
      # wheel membership plus the trusted-users entry below make this account
      # effectively root; presumably deploy-rs needs sudo to activate the
      # profile -- confirm against the sudo policy configured elsewhere.
      extraGroups = ["wheel"];
      isSystemUser = true;
      createHome = true;
      uid = cfg.uidgid;
      openssh.authorizedKeys.keys = [restrictedKey];
    };
    users.groups.deployerbot-follower.gid = cfg.uidgid;
    nix.settings.trusted-users = ["deployerbot-follower"];
  })
];
}