{ pkgs, config, nodes, lib, ... }:
# NixOS module for a self-updating NixOps deployment host: the git and GPG key
# material is delivered with `deployment.keys`, the flake checkout is pulled,
# re-locked, checked and pushed on a schedule, and each node is then deployed
# on its own schedule.
{
  # Ignore the lid switch in every power state so the scheduled units keep running.
  services.logind = rec {
    lidSwitch = "ignore";
    lidSwitchExternalPower = lidSwitch;
    lidSwitchDocked = lidSwitch;
  };
  # root's git talks to the remote with the deployed key only and with no ssh
  # config at all (`-F /dev/null`), so the `Host` alias below is not consulted by
  # git. NOTE(review): host-key verification presumably still applies, so the
  # remote's host key has to be in root's known_hosts already (e.g. via
  # `programs.ssh.knownHosts`) or the non-interactive pull/push fails — keep it
  # that way rather than relaxing StrictHostKeyChecking; confirm.
  home-manager.users.root.programs.git.extraConfig.core.sshCommand = "ssh -o IdentitiesOnly=yes -i /var/keys/git -F /dev/null";
  # Interactive ssh alias for the same remote, using the same deployed key.
  programs.ssh.extraConfig = ''
    Host pasqui23.gitlab.com
      Hostname gitlab.com
      PreferredAuthentications publickey
      IdentityFile /var/keys/git
  '';
  # Key files NixOps places under /var/keys on the target at deploy time (they are
  # not part of the system closure). NOTE(review): `./key` sits inside the flake
  # checkout that `nix flake update`/`nix flake check` below presumably copy into
  # the world-readable store — confirm that directory is git-crypt encrypted or
  # otherwise excluded from what nix sees.
  deployment.keys = {
    git = {
      destDir = "/var/keys";
      keyFile = ./key/git;
    };
    prv-gpg = {
      destDir = "/var/keys";
      keyFile = ./key/prv.gpg;
    };
    pub-gpg = {
      destDir = "/var/keys";
      keyFile = ./key/pub.gpg;
    };
  };
  # Ships empty unit files so the units defined below are treated as overrides of
  # packaged units. Brace expansion yields `nixops-.service` and
  # `nixops-upgrade-.service`. NOTE(review): neither name matches a unit defined
  # here (nixops-upgrade, nixops-reset, nixops-upgrade-<node>) — confirm the
  # intended names.
  systemd.packages = [
    (pkgs.runCommand "nixops-override-dir" { } ''
      o="$out/lib/systemd/system"
      mkdir -p $o
      touch $o/nixops-{,upgrade-}.service
    '')
  ];
  systemd.services =
    let
      # Deploy command shared by the build-only and per-node units; `--network ./.`
      # resolves against the WorkingDirectory set in cfgUnit. NOTE(review):
      # `--debug` output lands in the journal — confirm it does not echo key
      # material.
      nixops = "${pkgs.nixops}/bin/nixops deploy --debug --network ./.";

      # Settings every nixops unit imports: low CPU/IO priority, the flake checkout
      # as working directory, HOME/NIX_PATH for git and nix, and network ordering.
      cfgUnit = {
        serviceConfig = rec{
          CPUWeight = 20;
          IOWeight = 20;
          WorkingDirectory = "/etc/nixos";
        };
        environment = {
          HOME = config.users.users.root.home;
          NIX_PATH = lib.strings.concatStringsSep ":" config.nix.nixPath;
        };
        wants = [ "network-online.target" ];
        after = [ "network-online.target" ];
      };
    in
    {
      # Imports the deployed GPG key pair once the two NixOps key units have
      # placed the files; pulled in by (and ordered after) those key units.
      # NOTE(review): this unit does not import cfgUnit, so HOME is whatever
      # systemd provides — confirm gpg uses the same keyring as the git units.
      gpg-key-import = rec{
        path = [ pkgs.gnupg ];
        wantedBy = [ "prv-gpg-key.service" "pub-gpg-key.service" ];
        after = wantedBy;
        script = ''
          gpg --import /var/keys/pub.gpg
          gpg --allow-secret-key-import --import /var/keys/prv.gpg
        '';
      };
      # Scheduled (config.my.downtime) update of the checkout: pull, re-lock and
      # check the flake, build every node without activating, then commit and push
      # the new lock. Written as a function so `imports = [ cfgUnit ]` works.
      nixops-upgrade = _: {
        imports = [ cfgUnit ];
        startAt = config.my.downtime;
        after = [ "gpg-key-import.service" ];
        path = with pkgs;[ config.nix.package git git-crypt openssh ];
        script = ''
          git pull
          nix flake update
          nix flake check
          ${nixops} --build-only
          git commit -am "update : $(date)"
          git push
        '';
        # NOTE(review): if `git push` fails after the commit succeeded, the reset
        # below restores the working tree but the local commit stays — confirm
        # this is acceptable for the next `git pull`.
        onFailure = [ "nixops-reset.service" ];
      };
      # Discards uncommitted working-tree changes (e.g. the re-locked flake.lock)
      # after a failed upgrade run.
      nixops-reset = _: {
        imports = [ cfgUnit ];
        serviceConfig.ExecStart = "${pkgs.git}/bin/git restore .";
      };
    } // lib.mapAttrs'
      # One deploy unit per NixOps node, named nixops-upgrade-<node>, run at that
      # node's own downtime after the shared upgrade and limited to that node.
      (n: v: lib.nameValuePair "nixops-upgrade-${n}" (_: {
        imports = [ cfgUnit ];
        after = [ "nixops-upgrade.service" ];
        startAt = v.my.downtime;
        serviceConfig.ExecStart = "${nixops} --include ${n}";
      }))
      nodes;
}