2025-01-22 13:12:57 +01:00
6 changed files with 63 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -66,3 +66,6 @@ Usage:
 sops $file # To edit a file
 sops-rekey # To rekey all secrets, e.g. after a key rollover or new host
 ```
+
+After changing secrets, don't forget to push the sub-repository and run
+`nix flake update private` in the infrastructure repository to use the changes in builds.
--- a/flake.lock
+++ b/flake.lock
@ -111,10 +111,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1734984619,
-        "narHash": "sha256-D9awD3ArJ+8jCPr96HruGS4xpkJ7h2+V0Yiaay/9pyE=",
-        "rev": "18d3b3b703a6139b9ebd5ec64311717cf2a6f9bc",
-        "revCount": 7,
+        "lastModified": 1737489963,
+        "narHash": "sha256-1Qo3Qofx6W4s7tfvAKuq+hIUkkSRTU6j9PcDodM0hY4=",
+        "ref": "refs/heads/main",
+        "rev": "d42933081c8149ee536b0300020d4f31b206f514",
+        "revCount": 10,
        "type": "git",
        "url": "file:./private"
      },
--- a/nixos-configurations/lindberg-build/applications/default.nix
+++ b/nixos-configurations/lindberg-build/applications/default.nix
@ -13,6 +13,7 @@
  qois.git-ci-runner.enable = true;
  qois.attic.enable = true;
  qois.postgresql.package = pkgs.postgresql_15;
+  qois.renovate.enable = true;

  # Remove substituters that are hosted on this node, to prevent lockups
  #  since the current nix implementation is not forgiving with unavailable subsituters.
--- a/nixos-modules/qois/renovate/default.nix
+++ b/nixos-modules/qois/renovate/default.nix
@ -0,0 +1,45 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.qois.renovate;
+in
+{
+
+  options.qois.renovate = {
+    enable = mkEnableOption "Enable renovate service";
+    gitServer = mkOption {
+      description = "Gitea/Forgejo server that should be accessed";
+      type = types.str;
+      default = "git.qo.is";
+    };
+    gitAuthor = mkOption {
+      description = "Author of commit messages";
+      type = types.str;
+      default = "Renovate Bot <sysadmin+renovate@qo.is>";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets."renovate/token".restartUnits = [ "renovate.service" ];
+    services.renovate = {
+      enable = true;
+      credentials.RENOVATE_TOKEN = config.sops.secrets."renovate/token".path;
+      runtimePackages = with pkgs; [
+        nix
+      ];
+      settings = {
+        inherit (cfg) gitAuthor;
+        endpoint = "https://${cfg.gitServer}/api/v1";
+        platform = "gitea";
+        autodiscover = true;
+        optimizeForDisabled = true;
+      };
+      schedule = "*:0/10";
+    };
+  };
+}
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit dcfc21e991b4ce056e24c26bb992b1af378d035a
+Subproject commit d42933081c8149ee536b0300020d4f31b206f514
--- a/renovate.json
+++ b/renovate.json
@ -0,0 +1,8 @@
+{
+  "extends": [
+    "config:base"  
+  ],
+  "nix": {
+    "enabled": true
+  }
+}