infrastructure/.gitlab-ci.yml


# Pinned Nix image; NIXOS_VERSION selects the channel added in before_script.
image: nixos/nix:2.17.1

variables:
  NIXOS_VERSION: "unstable"
  # Exported to every job so nix evaluation accepts unfree/insecure packages.
  NIXPKGS_ALLOW_UNFREE: "1"
  NIXPKGS_ALLOW_INSECURE: "1"

stages:
  - test
  - deploy
  - scheduled

# Runs ahead of every job's script, including the scheduled ones.
before_script:
  # Repository-provided user/group databases and nix settings replace the image defaults.
  - mv .gitlab/passwd /etc/passwd
  - mv .gitlab/group /etc/group
  - mv nix.conf /etc/nix/nix.conf
  - nix-channel --add https://nixos.org/channels/nixos-${NIXOS_VERSION} nixos
  - nix-channel --update
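# Flake evaluation and checks for branch pipelines.
test:
  stage: test
  script:
    - nix flake check
  rules:
    # Scheduled pipelines only run the `scheduled` stage jobs.
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: never
    # Merge-request pipelines are excluded (quoting made consistent with the other rules).
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: never
    - when: always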
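# Deploys from master using the SSH key supplied through the SSH_PRIVATE_KEY CI variable.
deploy:
  stage: deploy
  script:
    # Init OpenSSH
    - nix-env -iA nixos.openssh
    - eval "$(ssh-agent -s)"
    # Assumes SSH_PRIVATE_KEY is a file-type CI variable (expands to the key's path) — TODO confirm.
    # Quoted so the path is passed as a single argument.
    - chmod 0600 "$SSH_PRIVATE_KEY"
    - ssh-add "$SSH_PRIVATE_KEY"
    # Deploy everything
    # NOTE(review): host-key verification for the target machines is not configured in this job;
    # whatever `deploy` does about known_hosts is out of view here — verify.
    - nix develop --command deploy
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: never
    # Only master branch pipelines deploy; any other pipeline gets no job.
    - if: $CI_COMMIT_BRANCH == "master"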
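# Scheduled flake update: bumps flake.lock and pushes a flakes_update branch that opens a merge request.
check updates:
  stage: scheduled
  script:
    # Prepare git access
    - nix-env -iA nixos.openssh
    - eval "$(ssh-agent -s)"
    # Assumes SSH_UPDATE_KEY is a file-type CI variable (expands to the key's path) — TODO confirm.
    - chmod 0600 "$SSH_UPDATE_KEY"
    - ssh-add "$SSH_UPDATE_KEY"
    # Pin the git server's host key instead of disabling verification for the push.
    # SSH_KNOWN_HOSTS is a constructed variable name: provision it in CI settings with the
    # known_hosts line(s) for git.lewd.wtf.
    - mkdir -p "$HOME/.ssh" && chmod 0700 "$HOME/.ssh"
    - printf '%s\n' "$SSH_KNOWN_HOSTS" > "$HOME/.ssh/known_hosts"
    - git config --global user.name "NixOS Flake Update"
    - git config --global user.email "git@lewd.wtf"
    - git remote rm origin && git remote add origin "git@git.lewd.wtf:${CI_PROJECT_PATH}.git"
    # Update flakes
    - nix flake update
    # Nothing to commit when flake.lock is unchanged; finish successfully without pushing.
    - if git diff --quiet -- flake.lock; then echo "flake.lock unchanged, nothing to push"; exit 0; fi
    # Push changes
    - git branch -D flakes_update || true
    - git checkout -b flakes_update
    - git add flake.lock
    - git commit -m 'Update NixOS Flakes'
    # Host key is checked against the pinned known_hosts written above.
    - GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$HOME/.ssh/known_hosts -o StrictHostKeyChecking=yes" git push -f --set-upstream origin flakes_update -o merge_request.create
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"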
# Scheduled garbage collection of the nix store visible to this job.
clean nix store:
  stage: scheduled
  script:
    # NOTE(review): this only affects the store inside the job's container unless the
    # store is persisted (e.g. a runner volume) — confirm against the runner setup.
    - nix-collect-garbage --delete-older-than 14d
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"