From e13bcb9daea56c0c1d70bb875c136c83eae44c8e Mon Sep 17 00:00:00 2001 From: Aaron Bieber Date: Thu, 25 Aug 2022 21:23:58 -0600 Subject: [PATCH] all: enable autoUpgrade for everything --- default.nix | 11 ++++++++++- flake.lock | 12 ++++++------ flake.nix | 3 +-- system/update.nix | 25 +++++++++++++++++++------ 4 files changed, 36 insertions(+), 15 deletions(-) diff --git a/default.nix b/default.nix index bb9a21b..a5940c6 100644 --- a/default.nix +++ b/default.nix @@ -22,7 +22,7 @@ in { ./services ./system/nix-config.nix ./system/nix-lockdown.nix - #./system/update.nix + ./system/update.nix ./users ./bins @@ -46,6 +46,15 @@ in { config = { sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets = { + xin_secrets_deploy_key = { + sopsFile = config.xin-secrets.deploy; + owner = "root"; + group = "wheel"; + mode = "400"; + }; + }; + security.pki.certificates = ['' -----BEGIN CERTIFICATE----- MIIBrjCCAVOgAwIBAgIIKUKZ6zcNut8wCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMM diff --git a/flake.lock b/flake.lock index eef442d..2299bf3 100644 --- a/flake.lock +++ b/flake.lock @@ -242,18 +242,18 @@ "stable": "stable_2" }, "locked": { - "lastModified": 1661453539, - "narHash": "sha256-gTqg3+/EQDUBcApgn5Lf5Ybu9yGHkqJBvqp80g8VKrE=", + "lastModified": 1661480432, + "narHash": "sha256-Z+o84wE3O+mTKtGBAAeVa5J+UcFNDRYytYe38ReVe84=", "ref": "main", - "rev": "d0f828c31429f9ceaeef469a7c2834aa59523b09", - "revCount": 24, + "rev": "34c3214c299f839b014a4aed735557feb4640383", + "revCount": 26, "type": "git", - "url": "ssh://gitea@git.tapenet.org:2222/qbit/xin-secrets.git" + "url": "ssh://xin-secrets-ro/qbit/xin-secrets.git" }, "original": { "ref": "main", "type": "git", - "url": "ssh://gitea@git.tapenet.org:2222/qbit/xin-secrets.git" + "url": "ssh://xin-secrets-ro/qbit/xin-secrets.git" } } }, diff --git a/flake.nix b/flake.nix index 58380e3..4f37534 100644 --- a/flake.nix +++ b/flake.nix 
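Review bot: In the `sops.secrets` hunk of default.nix, `group = "wheel"` has no effect next to `mode = "400"`, because that mode grants nothing to the group; the declaration therefore says two different things about who may read the deploy key. If only root should use it, `group = "root"; mode = "0400";` states that plainly. If wheel users are meant to fetch xin-secrets through the alias, it would need `mode = "0440"`, which widens access to the key and deserves a comment saying so. `config.xin-secrets.deploy` is defined outside this hunk, so whether that file holds only the deploy key (presumably read-only, going by the alias name) cannot be confirmed from here.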
@@ -3,8 +3,7 @@ inputs = { xin-secrets = { - url = - "git+ssh://gitea@git.tapenet.org:2222/qbit/xin-secrets.git?ref=main"; + url = "git+ssh://xin-secrets-ro/qbit/xin-secrets.git?ref=main"; }; unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; stable.url = "github:NixOS/nixpkgs/nixos-22.05-small"; diff --git a/system/update.nix b/system/update.nix index 0c96c44..adc1056 100644 --- a/system/update.nix +++ b/system/update.nix @@ -11,10 +11,23 @@ with lib; { }; }; - config = mkIf config.autoUpdate.enable { - system.autoUpgrade = { - enable = true; - allowReboot = false; - }; - }; + config = mkMerge [ + (mkIf config.autoUpdate.enable { + system.autoUpgrade = { + enable = true; + allowReboot = false; + flake = "github:qbit/xin"; + }; + }) + { + # Always add our host alias or we run into a bootstrap issue + programs.ssh.extraConfig = '' + Host xin-secrets-ro + IdentityFile ${config.sops.secrets.xin_secrets_deploy_key.path} + User gitea + Port 2222 + Hostname git.tapenet.org + ''; + } + ]; }
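Review bot: The new `url` in flake.nix names an ssh host alias, `xin-secrets-ro`, that nothing in this file explains, so the input resolves only on machines whose ssh config already defines it. A comment above the input would save the next reader a search, for example `# xin-secrets-ro is an ssh Host alias set in system/update.nix (programs.ssh.extraConfig); fetching needs that alias and its deploy key`. The same alias is now recorded in flake.lock, so a checkout on a machine without it cannot fetch this input.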
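Review bot: The `Host xin-secrets-ro` block in system/update.nix neither limits which keys ssh offers nor pins the server's host key, although the unattended nixos-upgrade service depends on it. Adding `IdentitiesOnly yes` after the `IdentityFile` line keeps agent or default keys from being offered ahead of the deploy key. A declarative entry such as `programs.ssh.knownHosts."[git.tapenet.org]:2222".publicKey = "<HOST_PUBLIC_KEY_PLACEHOLDER>";` would let the first non-interactive fetch verify the server rather than fail or trust on first use; such an entry may already exist outside this hunk. Separately, `flake = "github:qbit/xin"` follows the repository's default branch, so whatever lands there is built and activated on every host with `autoUpdate.enable`. Pointing it at a ref that only advances after review (`github:qbit/xin/<REVIEWED_BRANCH_PLACEHOLDER>`) would narrow that trust.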