Moved timers into their own nix module, fixed issues with sops, upgraded

gitea.py to use env vars for secrets, added a timer to run every 5 hours to mirror repos from github to gitea
2025-06-05 13:42:54 +03:00
parent becb29ef63
commit d2f9cb70ad
7 changed files with 117 additions and 43 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -61,9 +61,30 @@
      "inputs": {
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix",
        "zen-browser": "zen-browser"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1747603214,
+        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "zen-browser": {
      "inputs": {
        "home-manager": "home-manager_2",
--- a/flake.nix
+++ b/flake.nix
@@ -14,7 +14,10 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    sops-nix.url = "github:Mic92/sops-nix/bd695cc4d0a5e1bead703cc1bec5fa3094820a81";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = { self, nixpkgs, ... }@inputs: {
--- a/hosts/configuration.nix
+++ b/hosts/configuration.nix
@@ -1,14 +1,15 @@
 { pkgs, inputs, ... }: {

  imports = [
+    inputs.sops-nix.nixosModules.sops
    ../modules/apps.nix
    ../modules/kde.nix
    ../modules/networking.nix
    ../modules/development.nix
    ../modules/gaming.nix
    ../modules/secrets.nix
+    ../modules/timers.nix
    inputs.home-manager.nixosModules.default
-    inputs.sops-nix.nixosModules.sops
  ];

  home-manager = {
@@ -111,38 +112,4 @@
    "d /home/kyren/.config/syncthing 0700 kyren users"
  ];

-  systemd.timers."git-auto-sync" = {
-    wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnBootSec = "5m";
-        OnUnitActiveSec = "5m";
-        Unit = "git-auto-sync.service";
-      };
-  };
-
-  systemd.services."git-auto-sync" = {
-    script = "$HOME/scripts/git-auto-sync.sh";
-    path = [
-      pkgs.git
-      pkgs.gh
-      pkgs.keychain
-      pkgs.openssh
-    ];
-    serviceConfig = { Type = "oneshot"; User = "kyren"; };
-  };
-
-  systemd.timers."k-sleep-tracker" = {
-    wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnBootSec = "1m";
-        OnUnitActiveSec = "1m";
-        Unit = "k-sleep-tracker.service";
-      };
-  };
-
-  systemd.services."k-sleep-tracker" = {
-    script = "$HOME/projects/k/bin/k tracker sleep";
-    serviceConfig = { Type = "oneshot"; User = "kyren"; };
-  };
-
 }
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -2,7 +2,7 @@

    sops = {
      defaultSopsFile = ./secrets.yaml;
-      age.sshKeyPaths = [ "/home/kyren/.ssh/id_ed25519" ];
+      age.sshKeyPaths = [ "/home/kyren/.ssh/sops_id_ed25519" ];
    };

 }
--- a/modules/secrets.yaml
+++ b/modules/secrets.yaml
--- a/modules/timers.nix
+++ b/modules/timers.nix
@@ -0,0 +1,68 @@
+{ config, pkgs, ... }: {
+
+  systemd.timers."git-auto-sync" = {
+    wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "5m";
+        OnUnitActiveSec = "5m";
+        Unit = "git-auto-sync.service";
+      };
+  };
+
+  systemd.services."git-auto-sync" = {
+    script = "$HOME/scripts/git-auto-sync.sh";
+    path = [
+      pkgs.git
+      pkgs.gh
+      pkgs.keychain
+      pkgs.openssh
+    ];
+    serviceConfig = { Type = "oneshot"; User = "kyren"; };
+  };
+
+  ###########################################################################
+
+  systemd.timers."k-sleep-tracker" = {
+    wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "1m";
+        OnUnitActiveSec = "1m";
+        Unit = "k-sleep-tracker.service";
+      };
+  };
+
+  systemd.services."k-sleep-tracker" = {
+    script = "$HOME/projects/k/bin/k tracker sleep";
+    serviceConfig = { Type = "oneshot"; User = "kyren"; };
+  };
+
+  ###########################################################################
+
+  systemd.timers."git-auto-mirror" = {
+    wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "1m";
+        OnUnitActiveSec = "5h";
+        Unit = "git-auto-mirror.service";
+      };
+  };
+
+  sops.secrets.gitea-sync-token = { owner = "kyren"; };
+  sops.secrets.github-mirror-token = { owner = "kyren"; };
+  systemd.services."git-auto-mirror" = {
+    script = "python $HOME/scripts/gitea.py";
+    path = [
+      (pkgs.python312.withPackages (pypkgs: [
+        pypkgs.matplotlib
+        pypkgs.pandas
+        pypkgs.pygithub
+      ]))
+    ];
+    environment = {
+      GITEA_TOKEN_FILE = config.sops.secrets.gitea-sync-token.path;
+      GITHUB_TOKEN_FILE = config.sops.secrets.github-mirror-token.path;
+    };
+    serviceConfig = { Type = "oneshot"; User = "kyren"; };
+  };
+
+}
--- a/scripts/gitea.py
+++ b/scripts/gitea.py
@@ -1,14 +1,27 @@
+import os
+import sys
 import requests

 from github import Github
 from github import Auth

-GITHUB_TOKEN = ""
+def read_token(var: str) -> str:
+    path = os.getenv(var)
+    if path is None:
+        print(f"Missing env var: {var}", file=sys.stderr)
+        sys.exit(1)
+    return open(path).read().strip()
+
+GITHUB_TOKEN: str = read_token("GITHUB_TOKEN_FILE")
 GITHUB_USERNAME = "Kyren223"
 GITEA_URL = "https://git.kyren.codes"
-GITEA_TOKEN = ""
+GITEA_TOKEN: str = read_token("GITEA_TOKEN_FILE")
 GITEA_USER = "Kyren223"

+success = 0
+skipped = 0
+failed = 0
+
 def repo_exists(repo_name: str) -> bool:
    headers = {'Authorization': f'token {GITEA_TOKEN}'}
    r = requests.get(f'{GITEA_URL}/api/v1/repos/{GITEA_USER}/{repo_name}', headers=headers)
@@ -17,6 +30,7 @@ def repo_exists(repo_name: str) -> bool:
 def mirror(addr: str, repo_name: str):
    if repo_exists(repo_name):
        print(f"Skipping existing repo: {repo_name}")
+        global skipped; skipped += 1
        return

    json = {
@@ -43,12 +57,11 @@ def mirror(addr: str, repo_name: str):
                      json=json, params=payload)
        r.raise_for_status()

+        global success; success += 1
        print(f'Mirrored {repo_name}')
    except requests.exceptions.HTTPError as e:
-        if r.status_code == 422:
-            print(f"Skipping existing repo: {repo_name} (failed)")
-        else:
-            print(f"Failed to mirror {repo_name}: {e}")
+        global failed; failed += 1
+        print(f"Failed to mirror {repo_name}: {e}")

 # using an access token
 auth = Auth.Token(GITHUB_TOKEN or '')
@@ -64,3 +77,5 @@ for repo in g.get_user().get_repos():

 # To close connections after use
 g.close()
+
+print(f"\nSummary: {success} mirrored, {skipped} skipped, {failed} failed.")