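# NixOS module: runs `update-nixfiles` from a systemd timer as a dedicated
# system user whose git commits are SSH-signed and whose SSH pushes go to
# woof.rip (host key pinned below).
{ config, lib, pkgs, ... }:
let
  inherit (lib) mkEnableOption mkOption mkIf types;
  cfg = config.kyouma.update-nixfiles;
in
{
  options.kyouma.update-nixfiles = {
    enable = mkEnableOption "automatically update nixfiles inputs";

    # Deliberately `types.str`, not `types.path`: a Nix path literal would be
    # copied into the world-readable Nix store. Pass the on-disk location as a
    # string and keep the file readable only by the update-nixfiles user.
    privateKey = mkOption {
      type = types.str;
      default = "";
      description = "Private key path";
    };

    # Contents of the SSH *public* key used for git's SSH signing; it is
    # written into the Nix store via builtins.toFile, which is acceptable for
    # a public key (never put the private key here).
    signingKey = mkOption {
      type = types.str;
      default = "";
      description = "Public Key";
    };

    runFreq = mkOption {
      type = types.str;
      default = "*-*-* 04:20:00";
      description = "How often nixfiles should be updated. See {manpage}`systemd.timer(5)`";
    };
  };

  config = mkIf cfg.enable {
    # Fail at evaluation time instead of at the first timer run: with the
    # empty defaults ssh would get an `IdentityFile` with no value and git
    # would be asked to sign with an empty key file.
    assertions = [
      {
        assertion = cfg.privateKey != "";
        message = "kyouma.update-nixfiles.privateKey must be set when the service is enabled";
      }
      {
        assertion = cfg.signingKey != "";
        message = "kyouma.update-nixfiles.signingKey must be set when the service is enabled";
      }
    ];

    # Unprivileged, dedicated identity for the job; nothing here grants it
    # access beyond its own home directory and the keys it is handed.
    users.groups.update-nixfiles = { };
    users.users.update-nixfiles = {
      createHome = true;
      group = "update-nixfiles";
      home = "/var/lib/update-nixfiles";
      isSystemUser = true;
      useDefaultShell = true;
    };

    home-manager.users.update-nixfiles = {
      home.stateVersion = "23.11";
      programs.git = {
        enable = true;
        signing.key = builtins.toFile "signingKey" cfg.signingKey;
        signing.signByDefault = true;
        userName = "Update Bot";
        userEmail = "update-nixfiles-bot@kyouma.net";
        extraConfig.gpg.format = "ssh";
      };
      programs.ssh = {
        enable = true;
        addKeysToAgent = "yes";
        # The private key is only used for this one host.
        matchBlocks."woof.rip".identityFile = cfg.privateKey;
      };
      services.ssh-agent.enable = true;
    };

    # NOTE(review): this setting is system-wide, not scoped to the bot. It lets
    # every flake evaluated on this host apply its `nixConfig` (extra
    # substituters, trusted public keys, ...) without confirmation; keep it
    # only if all inputs of the updated flake are trusted.
    nix.settings.accept-flake-config = true;

    # Pin the remote's host key so the non-interactive job rejects an
    # unexpected key instead of trusting it on first use; change this value
    # only through a reviewed commit.
    programs.ssh.knownHosts."woof.rip".publicKey =
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeiU8hbOhTuF0Ku8XNIYno3rtxL1CR5gHmZJo4WbLZZ";

    systemd.services.update-nixfiles = {
      requires = [ "network-online.target" ];
      after = [ "network-online.target" ];
      # presumably so a rebuild does not kill an in-flight update; the timer
      # picks up the new unit on its next run — confirm with the maintainer
      restartIfChanged = false;
      unitConfig.X-StopOnRemoval = false;
      serviceConfig = {
        ExecStart = "${pkgs.update-nixfiles}/bin/update-nixfiles";
        User = "update-nixfiles";
      };
    };

    systemd.timers.update-nixfiles = {
      wantedBy = [ "timers.target" ];
      timerConfig.OnCalendar = cfg.runFreq;
      requires = [ "network-online.target" ];
      after = [ "network-online.target" ];
    };

    environment.systemPackages = [ pkgs.update-nixfiles ];
  };
}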