# NixOS module: runs a self-hosted Renovate bot against the local Forgejo
# instance. Non-secret options go in `settings`; every token and key is
# handed over as a file path through `credentials`.
{
  config,
  inputs,
  pkgs,
  ...
}: let
  # Path of an age-managed secret file, looked up by its name in
  # config.age.secrets. Only the path is referenced here, never the
  # secret's contents.
  secretPath = name: config.age.secrets.${name}.path;

  # Domain of the Forgejo server configured elsewhere in this system.
  forgejoDomain = config.services.forgejo.settings.server.DOMAIN;
in {
  # The renovate module is pulled in from the nixpkgs-unstable flake input.
  imports = ["${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix"];

  services.renovate = {
    enable = true;
    # N.B.: only needs to be specified while pulling the module from unstable
    package = pkgs.unstable.renovate;

    schedule = "hourly";

    # nix is needed at runtime for nix lockfile maintenance.
    # NOTE(review): this means the service invokes nix on the contents of
    # whatever repositories it picks up, so the set of discovered
    # repositories is part of this host's trust boundary.
    runtimePackages = [pkgs.nix];

    # NOTE(review): presumably rendered into a config file in the Nix
    # store, so nothing confidential belongs in this set; confirm against
    # the module.
    settings = {
      # Forgejo is driven through Renovate's "gitea" platform.
      platform = "gitea";
      endpoint = "https://${forgejoDomain}";
      gitAuthor = "renovate[bot] <renovate@winston.sh>";

      # Autodiscovery is narrowed to repositories tagged with this topic.
      # The topic is set on the repository side, so the effective limit on
      # what gets processed is which repositories the bot account can
      # access; keep that account's access narrow.
      autodiscover = true;
      autodiscoverTopics = ["managed-by-renovate"];

      # performance
      cachePrivatePackages = true;
      repositoryCache = "enabled";

      # experimental
      osvVulnerabilityAlerts = true;
    };

    # Each value is the path to a secret file, not the secret itself.
    credentials = {
      # can reuse the GHCR token to read changelogs
      # NOTE(review): the scope of this token is not visible here. If it
      # can write packages, a separate read-only token for changelog
      # lookups would be the least-privilege choice.
      GITHUB_COM_TOKEN = secretPath "containers/ghcr-token";
      # NOTE(review): presumably the key Renovate uses for its git
      # commits; confirm it corresponds to the gitAuthor identity above.
      RENOVATE_GIT_PRIVATE_KEY = secretPath "services/renovate/git-private-key";
      # Token Renovate authenticates to the platform endpoint with.
      RENOVATE_TOKEN = secretPath "services/renovate/token";
    };
  };
}