# NixOS module: runs Renovate on a timer against the local Forgejo instance.
# The service module and the package both come from nixpkgs-unstable.
{
  config,
  inputs,
  pkgs,
  ...
}: let
  # Resolve an agenix secret name to the path of its decrypted file, so only
  # paths (never secret values) are referenced from this module.
  secretPath = name: config.age.secrets.${name}.path;

  forgejoDomain = config.services.forgejo.settings.server.DOMAIN;
in {
  imports = ["${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix"];

  services.renovate = {
    enable = true;
    # N.B.: only needs to be specified while pulling the module from unstable
    package = pkgs.unstable.renovate;

    schedule = "hourly";

    # for nix lockfile maintenance
    # NOTE(review): this puts `nix` on the service's PATH, so lockfile updates
    # run it against whatever repositories Renovate picks up. Confirm the
    # unit's sandboxing is acceptable for every repo that can opt in.
    runtimePackages = [pkgs.nix];

    settings = {
      # Forgejo is addressed through Renovate's "gitea" platform.
      platform = "gitea";
      endpoint = "https://${forgejoDomain}";
      gitAuthor = "renovate[bot] <renovate@winston.sh>";

      # Only repositories carrying the topic below are processed.
      # NOTE(review): the topic is the opt-in gate, so anyone able to set it on
      # a repository the bot account can reach enrols that repository. Keep the
      # bot account's repository access as narrow as the token allows.
      autodiscover = true;
      autodiscoverTopics = ["managed-by-renovate"];

      # performance
      cachePrivatePackages = true;
      repositoryCache = "enabled";

      # experimental
      osvVulnerabilityAlerts = true;
    };

    # Each value is a path to an agenix-managed secret file, not the secret.
    credentials = {
      # can reuse the GHCR token to read changelogs
      # NOTE(review): if that token carries package scopes, Renovate holds more
      # privilege than changelog lookups need; a dedicated read-only token
      # would limit exposure. Verify the token's scopes.
      GITHUB_COM_TOKEN = secretPath "containers/ghcr-token";
      RENOVATE_GIT_PRIVATE_KEY = secretPath "services/renovate/git-private-key";
      RENOVATE_TOKEN = secretPath "services/renovate/token";
    };
  };
}