From 334a41619afa54de3c210378b2e5747bba1b3807 Mon Sep 17 00:00:00 2001
From: winston
Date: Wed, 18 Sep 2024 15:43:28 +0200
Subject: [PATCH] feat: add renovate
---
 config/secrets/secrets.nix | 3 ++
 .../services/renovate/git-private-key.age | Bin 0 -> 755 bytes
 config/secrets/services/renovate/token.age | 7 +++
 config/services/default.nix | 1 +
 config/services/forgejo.nix | 14 +++++-
 config/services/renovate.nix | 42 ++++++++++++++++++
 6 files changed, 65 insertions(+), 2 deletions(-)
 create mode 100644 config/secrets/services/renovate/git-private-key.age
 create mode 100644 config/secrets/services/renovate/token.age
 create mode 100644 config/services/renovate.nix
diff --git a/config/secrets/secrets.nix b/config/secrets/secrets.nix
index 84b9f9c..b089c08 100644
--- a/config/secrets/secrets.nix
+++ b/config/secrets/secrets.nix
@@ -36,6 +36,9 @@ in {
 "services/prometheus/minio-bearer-token.age".publicKeys = default;
+ "services/renovate/git-private-key.age".publicKeys = default;
+ "services/renovate/token.age".publicKeys = default;
+ "services/wakapi/password-salt.env.age".publicKeys = default;
 "system/password-root.age".publicKeys = default;
diff --git a/config/secrets/services/renovate/git-private-key.age b/config/secrets/services/renovate/git-private-key.age
new file mode 100644
index 0000000000000000000000000000000000000000..437210189fa0d1eff773dcba00ed996eaca25ab8
GIT binary patch
literal 755 zcmVR+CY)>(CPe*rTadSv&c}Y}nadj_aST8wQc4rDLEiE8qPH1^?LU~DU zYDQsERZc}YPEt&DXf`iIT4i`-FJfe7cuF-$SXW49Ls<%+cZ$&o;RACSco7*w*)?V# zA?w(&R8{&wzQ|_*K)B_A+eYe)=FG}*g0yPejvd=^5PX*)qkC*wa2R+j$$pV`iTKLJ zKIMt7v7ul&YiN_u+i)`mNvr`MZc<6(9@ZYF;5OR-SJfo%9cX*rHB7~P^UfZF)t^Jc z2ELk??0Qh;oNAFNzW{18?l+?pAGyf)Sbd6F2}0YoO_`9LwqmSjh{-5k#duiu9IMiC zr+rP?o7PLVPOsk_3dgvRcvzX`;OHMN-6cX+sf310vqvcbrsu4ugIFarix7;kOfrXA zRbyWA?I#aH))hb#<@1U~r2}!E{%~cw!i$PuglGMewbHhvdN0zf81u$6bNgyM#%pj{ z_UOg=;ou4iBzz-`^8~dW^&WMA{g2?vrx&KpRef$e3``tmXQ$VJ1%5=Q;1Rl!Qf@uL z@4Fm&f_k)tjlGStK!tyZX4?N}z5)ZiFiVlPp5Bu~@|A(_WyBn(W#(IufmsaBD$Umd z*=0q-Z9Gc_H2Xz2ubwzHF?x(fhZ)1|0geMg$1bx=NCKRk@p)M7EPWKWkF8(b0h5{s lYs?Z7PJ#i4T3GhE`FD=UNOdcAZ4Co)E-h-c2PFdvk&0rNK+pgH literal 0 HcmV?d00001
diff --git a/config/secrets/services/renovate/token.age b/config/secrets/services/renovate/token.age
new file mode 100644
index 0000000..c9bd5a9
--- /dev/null
+++ b/config/secrets/services/renovate/token.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> piv-p256 ML6NcA Ao9/TS4lWCYUOERyHoTh6GgOQ6OPPOjITxq+VJoVirJ+
+cHPtNKHVure5Gc8FDjtk8GDq8iFTK7RqwhK9LKGSSag
+-> ssh-ed25519 zj2A2A CpogQj8V/F4OZFq0m6Iptr2N5/ekc5HQbFnp/59eVV8
+8U3QBr107hm0BG8X0eEf0aD9wSeCoLDcEMdH1FJDu58
+--- aku/Nskd2GKHFtL8C/hMJvPOiGQkrPDKOPsrPPc575o
+pV8ߨDzI˹ ╺ȈwYouv+k a4O1ӥq{Gg7
\ No newline at end of file
diff --git a/config/services/default.nix b/config/services/default.nix
index 0883c99..5d0bc35 100644
--- a/config/services/default.nix
+++ b/config/services/default.nix
@@ -11,6 +11,7 @@
 ./nextcloud.nix
 ./nginx.nix
 ./postgres.nix
+ ./renovate.nix
 ./wakapi.nix
 ./website
 ];
diff --git a/config/services/forgejo.nix b/config/services/forgejo.nix
index 83d4817..0ff9b04 100644
--- a/config/services/forgejo.nix
+++ b/config/services/forgejo.nix
@@ -61,7 +61,15 @@ in {
 ENABLED_ISSUE_BY_LABEL = true;
 };
- repository.ENABLE_PUSH_CREATE_USER = true;
+ repository = {
+ ENABLE_PUSH_CREATE_USER = true;
+ };
+
+ "repository.signing" = {
+ SIGNING_KEY = "040C2D69C44F7B38065208FCCEED88FF3F03801B";
+ SIGNING_NAME = "winston's Forgejo";
+ SIGNING_EMAIL = "code@winston.sh";
+ };
 server = rec {
 DOMAIN = "code.winston.sh";
@@ -93,7 +101,9 @@ in {
 MINIO_USE_SSL = true;
 };
- "ui.meta".AUTHOR = "nekowinston's Forgejo - Beyond coding. We forge.";
+ "ui.meta" = {
+ AUTHOR = "nekowinston's Forgejo - Beyond coding. We forge.";
+ };
 other = {
 SHOW_FOOTER_VERSION = false;
diff --git a/config/services/renovate.nix b/config/services/renovate.nix
new file mode 100644
index 0000000..a82e9aa
--- /dev/null
+++ b/config/services/renovate.nix
@@ -0,0 +1,42 @@
+{
+ config,
+ inputs,
+ pkgs,
+ ...
+}: {
+ imports = ["${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix"];
+
+ services.renovate = {
+ enable = true;
+ # N.B.: only needs to be specified while pulling the module from unstable
+ package = pkgs.unstable.renovate;
+
+ schedule = "hourly";
+
+ runtimePackages = with pkgs; [
+ # for nix lockfile maintenance
+ nix
+ ];
+
+ settings = {
+ endpoint = "https://${config.services.forgejo.settings.server.DOMAIN}";
+ platform = "gitea";
+ gitAuthor = "renovate[bot] ";
+ autodiscover = true;
+ autodiscoverTopics = ["managed-by-renovate"];
+
+ # performance
+ cachePrivatePackages = true;
+ repositoryCache = "enabled";
+
+ # experimental
+ osvVulnerabilityAlerts = true;
+ };
+ credentials = {
+ # can reuse the GHCR token to read changelogs
+ GITHUB_COM_TOKEN = config.age.secrets."containers/ghcr-token".path;
+ RENOVATE_GIT_PRIVATE_KEY = config.age.secrets."services/renovate/git-private-key".path;
+ RENOVATE_TOKEN = config.age.secrets."services/renovate/token".path;
+ };
+ };
+}
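Review bot: The new `"repository.signing"` block pins `SIGNING_KEY` to a specific fingerprint instead of `default`, which means Forgejo looks that key up in the service user's GPG keyring, and nothing in this commit shows how the matching private key reaches that keyring (the secrets.nix hunk adds only the two renovate secrets). If it is imported out of band, record that next to the setting, e.g. `# private key for this fingerprint must already be in the forgejo user's GPG keyring (provisioned via <PLACEHOLDER: where>)`, so a rebuild on a fresh host does not silently produce unsigned commits. A second comment naming which `[repository.signing]` policies (`INITIAL_COMMIT`, `WIKI`, `CRUD_ACTIONS`, `MERGES`) are left at their defaults would make clear which server-side commits are actually signed. The `settings` attribute set this hunk edits starts and ends outside it; the `"ui.meta"` hunk below is a pure restructuring and raises nothing.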
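Review bot: `GITHUB_COM_TOKEN` reuses `containers/ghcr-token`, which the comment identifies as the container-registry token; changelog fetching from github.com only needs a token for rate-limit relief on public data, so a credential carrying registry scope is broader than this job needs and is handed to the Renovate process on every `hourly` run. A dedicated token with no scopes (or a fine-grained token limited to public repository read) keeps the registry credential out of this service; at minimum the comment should state the trade-off, e.g. `# reuses the GHCR token for github.com changelog reads; it carries registry scope, swap for a scope-less token when one is provisioned`. Secondary: `gitAuthor = "renovate[bot] "` as rendered has no `<email>` part, and Renovate requires `Name <email>` and rejects an unparsable author, so confirm the address was only stripped in rendering rather than missing from the file. The `imports` line pulls the module from nixpkgs-unstable, which will most likely clash with the stable channel's own `services.renovate` once it ships; the N.B. comment hints at this, but a `disabledModules` entry or a note naming the channel version to watch for would make the removal step explicit.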