dotfiles/apps/base/maintenance-guix-deploy/job.yaml

apiVersion: batch/v1
kind: Job
metadata:
  name: guix-deploy
  annotations:
    # Setting spec.force to true will make Flux recreate the Job when any
    # immutable field is changed, forcing the Job to run every time the
    # container image tag changes.
    kustomize.toolkit.fluxcd.io/force: enabled
spec:
  backoffLimit: 0
  template:
    spec:
      hostNetwork: true
      hostPID: true
      restartPolicy: Never
      containers:
      - command:
        - /bin/sh
        - -c
        - |
          nsenter --target "1" --mount --uts --ipc --net --pid --no-fork \
          /run/setuid-programs/sudo --user=oleg --login --preserve-env=GUIX_DEPLOY_FILE bash <<'EOF'
          set -o nounset -o errexit -o pipefail -o xtrace
          cd "${HOME}/.local/share/chezmoi" || exit 1
          guix deploy "${GUIX_DEPLOY_FILE}"
          EOF
        image: docker-registry.wugi.info/library/util-linux-with-udev
        name: nsenter
        resources:
          limits:
            cpu: 14000m
            memory: 4096Mi
          requests:
            cpu: 1000m
            memory: 512Mi
        securityContext:
          privileged: true