From 64b2588dd263747b21e889798aa058ce8e306664 Mon Sep 17 00:00:00 2001
From: Julian Mutter
Date: Sat, 13 Jun 2026 14:55:37 +0200
Subject: [PATCH] Move docker creation over to devenv

This is not ideal, since devenv is more for creating development environments, but it works
---
 devenv.lock | 37 +++++++++++++++++++++++++
 devenv.nix | 34 +++++++++++++++++++++--
 devenv.yaml | 19 +++++--------
 hosting/Dockerfile | 18 ------------
 hosting/nginx-http.conf | 13 +++++++++
 hosting/nginx.conf | 17 ------------
 hosting/update.sh | 17 ++++++++----
 scripts/apk-update-scripts/sheetless.sh | 1 -
 8 files changed, 99 insertions(+), 57 deletions(-)
 delete mode 100644 hosting/Dockerfile
 create mode 100644 hosting/nginx-http.conf
 delete mode 100644 hosting/nginx.conf
 mode change 100644 => 100755 hosting/update.sh

diff --git a/devenv.lock b/devenv.lock
index 25ccfc1fe..9354842d0 100644
--- a/devenv.lock
+++ b/devenv.lock
@@ -17,6 +17,41 @@
 "type": "github"
 }
 },
+ "mk-shell-bin": {
+ "locked": {
+ "lastModified": 1677004959,
+ "narHash": "sha256-/uEkr1UkJrh11vD02aqufCxtbF5YnhRTIKlx5kyvf+I=",
+ "owner": "rrbutani",
+ "repo": "nix-mk-shell-bin",
+ "rev": "ff5d8bd4d68a347be5042e2f16caee391cd75887",
+ "type": "github"
+ },
+ "original": {
+ "owner": "rrbutani",
+ "repo": "nix-mk-shell-bin",
+ "type": "github"
+ }
+ },
+ "nix2container": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1775487831,
+ "narHash": "sha256-2lguQpLPQaxpQCJjXhmEEAfabwsAhkP29Z7fgLzHARA=",
+ "owner": "nlewo",
+ "repo": "nix2container",
+ "rev": "76be9608a7f4d6c985d28b0e7be903ae2547df3e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nlewo",
+ "repo": "nix2container",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "inputs": {
 "nixpkgs-src": "nixpkgs-src"
@@ -56,6 +91,8 @@
 "root": {
 "inputs": {
 "devenv": "devenv",
+ "mk-shell-bin": "mk-shell-bin",
+ "nix2container": "nix2container",
 "nixpkgs": "nixpkgs"
 }
 }
diff --git a/devenv.nix b/devenv.nix
index 40a741803..ab812e765 100644
--- a/devenv.nix
+++ b/devenv.nix
@@ -1,13 +1,41 @@
 {pkgs, ...}: {
 packages = with pkgs; [
+ coreutils
+ curl
 fdroidserver
 sops
+ git
+ cacert
+ jq
 ];
 scripts = {
- decrypt.exec = ''
- sops -d fdroid/encrypted-config.yml > fdroid/config.yml
- sops -d fdroid/encrypted-keystore.p12 > fdroid/keystore.p12
+ deploy-docker.exec = ''
+ devenv container copy processes
 '';
 };
+
+ services.nginx = {
+ enable = true;
+ httpConfig = builtins.readFile ./hosting/nginx-http.conf;
+ };
+
+ processes.updater.exec = ''
+ while true; do
+ ${pkgs.writeShellScript "run-updater" (builtins.readFile ./hosting/update.sh)}
+
+ echo "Sleeping for 30 minutes..."
+ sleep 1800
+ done
+ '';
+
+ # environment variables for sops
+ # SOPS_PGP_FP
+ containers."processes" = {
+ name = "gitlab.julian-mutter.de/julian/fdroid-frajul";
+ registry = "docker://";
+
+ copyToRoot = []; # avoid copying this repo
+ maxLayers = 10;
+ };
 }
diff --git a/devenv.yaml b/devenv.yaml
index 116a2adb3..20699073f 100644
--- a/devenv.yaml
+++ b/devenv.yaml
@@ -1,15 +1,10 @@
-# yaml-language-server: $schema=https://devenv.sh/devenv.schema.json
 inputs:
+ mk-shell-bin:
+ url: github:rrbutani/nix-mk-shell-bin
+ nix2container:
+ url: github:nlewo/nix2container
+ inputs:
+ nixpkgs:
+ follows: nixpkgs
 nixpkgs:
 url: github:cachix/devenv-nixpkgs/rolling
-
-# If you're using non-OSS software, you can set allowUnfree to true.
-# allowUnfree: true
-
-# If you're willing to use a package that's vulnerable
-# permittedInsecurePackages:
-# - "openssl-1.1.1w"
-
-# If you have more than one devenv you can merge them
-#imports:
-# - ./backend
diff --git a/hosting/Dockerfile b/hosting/Dockerfile
deleted file mode 100644
index 7c9e08b89..000000000
--- a/hosting/Dockerfile
+++ /dev/null
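Review bot: The stub comment `# environment variables for sops` / `# SOPS_PGP_FP` above `containers."processes"` is the only hint of how the updater obtains its decryption key, and it does not say enough to run the image safely. As far as I know `SOPS_PGP_FP` names the fingerprints sops encrypts to; decrypting inside the container needs the private key itself, which this hunk neither provides nor documents (and `packages` adds no GnuPG, if the secrets are PGP-encrypted as the variable name suggests). I would replace the stub with a comment such as `# The sops private key is supplied at run time as a mounted secret; never add it through copyToRoot or bake it into an image layer.` and list the variables the container actually reads.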
@@ -1,18 +0,0 @@
-# environment variables necessary to run:
-# REPO_URL the url of this repo
-# BRANCH the branch to work at
-
-FROM nginx:alpine
-
-RUN apk add --no-cache git bash
-COPY nginx.conf /etc/nginx/nginx.conf
-
-COPY update.sh /update.sh
-RUN chmod +x /update.sh
-
-# Add the cron job to run every 30 minutes
-# Redirecting to /proc/1/fd/1 ensures the script's echo statements show up in `docker logs`
-RUN echo "*/30 * * * * bash /update.sh > /proc/1/fd/1 2>&1" > /etc/crontabs/root
-
-# Start the cron daemon in the background (-b) and nginx in the foreground
-CMD crond -b && nginx -g 'daemon off;'
diff --git a/hosting/nginx-http.conf b/hosting/nginx-http.conf
new file mode 100644
index 000000000..f30a41478
--- /dev/null
+++ b/hosting/nginx-http.conf
@@ -0,0 +1,13 @@
+server {
+ listen 8080;
+ server_name = fdroid.julian-mutter.de;
+
+ location = / {
+ return 302 /fdroid/repo;
+ }
+
+ location /fdroid/repo {
+ alias /repo/fdroid/repo/;
+ autoindex on;
+ }
+}
diff --git a/hosting/nginx.conf b/hosting/nginx.conf
deleted file mode 100644
index 0431fdd35..000000000
--- a/hosting/nginx.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-events {}
-http {
- server {
- listen 80;
- server_name = fdroid.julian-mutter.de;
-
- location = / {
- return 302 /fdroid/repo;
- }
-
- location /fdroid/repo {
- alias /repo/fdroid/repo/;
- autoindex on;
- }
- }
-}
-
diff --git a/hosting/update.sh b/hosting/update.sh
old mode 100644
new mode 100755
index ffaa7dd0b..acaad9314
--- a/hosting/update.sh
+++ b/hosting/update.sh
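Review bot: In the new hosting/nginx-http.conf, `location /fdroid/repo` has no trailing slash while `alias /repo/fdroid/repo/;` has one, so the prefix also matches paths that merely begin with `/fdroid/repo` and the mapped file path is not confined to the repo directory. Its parent is `fdroid/`, which is where the decrypt step removed from devenv.nix in this commit wrote `config.yml` and `keystore.p12`; if `/repo` is the checkout (not visible here), the decrypted signing keystore sits one level above a directory served with `autoindex on`. Make both sides end in a slash, `location /fdroid/repo/ {` with `return 302 /fdroid/repo/;`, and keep decrypted secrets outside any served tree. Separately, `server_name = fdroid.julian-mutter.de;` registers a literal `=` as a server name, which is probably unintended.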
@@ -1,12 +1,17 @@
-#! /bin/bash
+#!/usr/bin/env bash
-if [ ! -d "/code/.git" ]; then
+# Config
+REPO_URL="https://gitlab.julian-mutter.de/julian/fdroid-frajul"
+BRANCH="master"
+
+if [ ! -d "./code/.git" ]; then
 echo "Performing initial setup!"
- mkdir /code
+ echo "Current working directory: $(pwd)"
+ mkdir ./code
 echo "Cloning repository..."
- git clone --branch "$BRANCH" "$REPO_URL" "/code"
+ git clone --branch "$BRANCH" "$REPO_URL" "./code"
 echo "Decrypting secrets..."
- cd /code
+ cd ./code
 ./scripts/decrypt.sh
 echo "Done"
 fi
@@ -14,7 +19,7 @@ fi
 echo "Running regular repo update..."
 echo ""
-cd "/code"
+cd "./code"
 git fetch origin
 LOCAL=$(git rev-parse HEAD)
 REMOTE=$(git rev-parse "origin/$BRANCH")
diff --git a/scripts/apk-update-scripts/sheetless.sh b/scripts/apk-update-scripts/sheetless.sh
index 62c1b6c8f..6e1e9f215 100755
--- a/scripts/apk-update-scripts/sheetless.sh
+++ b/scripts/apk-update-scripts/sheetless.sh
@@ -56,7 +56,6 @@ while IFS=$'\t' read -r TAG DOWNLOAD_URL; do
 curl -sL -o "$LOCAL_FILE" "$DOWNLOAD_URL"
- echo "Set var to true"
 UPDATE_TRIGGERED=true
 fi
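Review bot: None of the new relative-path steps in hosting/update.sh is checked: in the first hunk a failed `git clone` or `cd ./code` does not stop the script before `./scripts/decrypt.sh`, and in the second hunk a failed `cd "./code"` leaves `git fetch origin` and the `git rev-parse` calls running against whatever repository encloses the current directory. With `/code` replaced by `./code`, the result now depends on the caller's working directory, which the wrapper loop in devenv.nix does not set. Add `set -euo pipefail` right after the shebang, or at least `cd ./code || exit 1` in both places, so a broken checkout cannot reach the decrypt and publish steps. The script continues past the end of the second hunk, so later commands may need the same treatment.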