# Defaults inherited by every job below.
default:
  # Pinned by tag so the Nix CLI version is stable across runs. A tag can still
  # be re-pointed upstream; pinning by digest (`nixos/nix@sha256:<digest>`)
  # would make the job environment fully reproducible — confirm whether that
  # level of pinning is wanted before changing it.
  image: nixos/nix:2.16.1

# Pipeline stage order. Which jobs actually run is selected per pipeline by the
# RUN_JOB variable (see each job's `rules`): an "update_flake_lock" pipeline
# runs update_flake_lock then commit_flake, a "deploy" pipeline runs apply.
stages:
  - update_flake_lock
  - apply
  - commit_flake

# Refreshes flake.lock and hands it to the commit_flake stage as an artifact.
update_flake_lock:
  stage: update_flake_lock
  rules:
    # Only in pipelines started with RUN_JOB=update_flake_lock (e.g. a schedule).
    - if: $RUN_JOB == "update_flake_lock"
  script:
    # The image's nix does not enable flakes by default, so both experimental
    # features are passed explicitly. With no input names given, every input
    # is bumped to its latest revision — there is no review of what changed
    # until the resulting commit is inspected.
    - nix flake update --extra-experimental-features nix-command --extra-experimental-features flakes
  artifacts:
    paths:
      # Picked up by commit_flake (later stages receive earlier artifacts).
      - ./flake.lock

# Builds and deploys the colmena hive over SSH.
apply:
  stage: apply
  rules:
    # Only in pipelines started with RUN_JOB=deploy.
    - if: $RUN_JOB == "deploy"
  script:
    # Not pinned: installs whatever colmena the image's nixpkgs channel
    # currently resolves to, so the deploy tool can change between runs
    # without any change to this repo — consider pinning it (e.g. via the
    # flake) if reproducible deploys matter.
    - nix-env --install colmena
    # Starts an agent and exports SSH_AUTH_SOCK/SSH_AGENT_PID for the
    # following ssh-add and for colmena's ssh sessions.
    - eval $(ssh-agent -s)
    # SSH_PRIVATE_KEY is presumably a file-type CI variable holding a path;
    # ssh-add refuses a key file with group/world-readable permissions.
    - chmod 600 "$SSH_PRIVATE_KEY"
    - ssh-add "$SSH_PRIVATE_KEY"
    # Presumably provides a known_hosts file so the target hosts' keys are
    # pinned rather than trusted on first use. Two caveats: `git clone` fails
    # if /root/.ssh already exists and is non-empty, and the clone writes the
    # token-bearing URL in cleartext to /root/.ssh/.git/config for the rest of
    # the job — a credential helper, or removing the .git directory after the
    # clone, would avoid persisting ACCESS_TOKEN_KNOWN_HOSTS on disk.
    - git clone https://oauth2:${ACCESS_TOKEN_KNOWN_HOSTS}@git.grzb.de/yuri/known_hosts.git /root/.ssh
    # Build first so an evaluation/build failure aborts before any host is
    # touched; `--no-keys` skips colmena's secret-file deployment step.
    - colmena build
    - colmena apply --no-keys
  artifacts:
    paths:
      # Looks unused: commit_flake only runs when RUN_JOB is
      # "update_flake_lock", never in a deploy pipeline — confirm and drop.
      - ./flake.lock

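# Commits the refreshed flake.lock from update_flake_lock and pushes it back
# to the branch the pipeline ran on. Skips the push when there is nothing to
# commit.
commit_flake:
  stage: commit_flake
  rules:
    # Same trigger as update_flake_lock, whose flake.lock artifact GitLab
    # restores into the working tree before this script runs.
    - if: $RUN_JOB == "update_flake_lock"
  variables:
    # Self-assignments: these appear to only re-export project/group CI
    # variables of the same name, documenting what the job needs.
    GIT_AUTHOR_EMAIL: $GIT_AUTHOR_EMAIL
    GIT_AUTHOR_NAME: $GIT_AUTHOR_NAME
    GIT_COMMITTER_EMAIL: $GIT_COMMITTER_EMAIL
    GIT_COMMITTER_NAME: $GIT_COMMITTER_NAME
    ACCESS_TOKEN: $ACCESS_TOKEN
  script:
    # The restored artifact is an unstaged modification; without staging it
    # `git commit` (no `-a`, no pathspec) exits non-zero even when the lock
    # changed, so nothing would ever be pushed. Only flake.lock is staged on
    # purpose, so the job cannot commit anything else that drifted.
    - git add flake.lock
    # A non-zero exit here means "nothing to commit" (lock unchanged); capture
    # it instead of letting the runner's errexit fail the job.
    - git commit -m "Update flake.lock file" -m "Triggered by scheduled pipeline $CI_PIPELINE_ID at $CI_PIPELINE_CREATED_AT." || failure_code=$?
    # Push only when the commit succeeded. ACCESS_TOKEN is embedded in the
    # remote URL: mark it masked (and protected) in the project settings so it
    # is redacted from job logs, since git can echo the URL in error output.
    - if [ -z "$failure_code" ]; then git push https://gitlab-runner-server:${ACCESS_TOKEN}@${CI_SERVER_HOST}/yuri/nix-infra.git HEAD:$CI_COMMIT_BRANCH; fi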