projects / auto-upgrade-with-pinch / summary
| description | Automatic NixOS upgrades with pinch |
| last change | Fri, 3 Oct 2025 16:25:02 +0000 (09:25 -0700) |
| URL | https://git.scottworley.com/pub/git/auto-upgrade-with-pinch |
Automatically update a NixOS machine from a remote git repo.
The advantage of this over NixOps is in authentication: NixOps requires granting a general-purpose administrator credential for the machines under management to the actor pushing the updates. This credential is intended to be used only for pushing updates, but could be used for any other purpose. Reliably logging and auditing what is done with this credential if it is used interactively is extremely difficult.
This tool, on the other hand, only applies configuration changes recorded in a git repository. This is transparent and easy to audit. Configuration updates are pulled, not pushed. Configuration updates must be signed (with normal git commit signatures). Force-pushed updates are rejected. Additional policy can be easily enforced with normal git repository control mechanisms, such as requiring code reviews.
| 2 months ago | master | shortlog | log | tree |