git.scottworley.com Git - auto-upgrade-with-pinch/summary
 
description: Automatic NixOS upgrades with pinch
last change: Sat, 21 Dec 2024 04:40:25 +0000 (20:40 -0800)
readme

auto-upgrade-with-pinch

Automatically update a NixOS machine from a remote git repo.

The advantage of this over NixOps is in authentication: NixOps requires granting a general-purpose administrator credential for the machines under management to the actor pushing the updates. This credential is intended to be used only for pushing updates, but could be used for any other purpose. Reliably logging and auditing what is done with this credential if it is used interactively is extremely difficult.

This tool, on the other hand, only applies configuration changes recorded in a git repository. This is transparent and easy to audit. Configuration updates are pulled, not pushed. Configuration updates must be signed (with normal git commit signatures). Force-pushed updates are rejected. Additional policy can be easily enforced with normal git repository control mechanisms, such as requiring code reviews.
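The two acceptance rules above (signed commits only, no rewritten history) can be expressed with stock git commands. This is an added example, not code from auto-upgrade-with-pinch; the function names, the script name and the choice to check only the tip commit's signature are assumptions.

```shell
#!/bin/sh
# Added illustration (not auto-upgrade-with-pinch's own code): the two
# acceptance checks the README describes, using stock git commands.

# True when commit $3 descends from commit $2 in repo $1, i.e. moving the
# branch from $2 to $3 is a fast-forward and no history was rewritten.
is_fast_forward() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# True when commit $2 in repo $1 carries a signature that verifies against
# the local keyring, so that keyring should hold only keys allowed to sign
# updates. Assumption: only the tip commit is checked here.
is_signed() {
    git -C "$1" verify-commit "$2" >/dev/null 2>&1
}

# accept_update REPO CURRENT CANDIDATE
# Returns 0 to accept, 1 for rewritten history, 2 for a bad or missing signature.
accept_update() {
    if ! is_fast_forward "$1" "$2" "$3"; then
        echo "rejected: $3 does not descend from $2 (force-push?)" >&2
        return 1
    fi
    if ! is_signed "$1" "$3"; then
        echo "rejected: $3 has no valid signature" >&2
        return 2
    fi
    echo "accepted: $3"
}

# Hypothetical command-line use: sh check-update.sh REPO CURRENT CANDIDATE
if [ "$#" -eq 3 ]; then
    accept_update "$@"
fi
```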

shortlog
3 days ago Scott Worley: When becoming other users, cd to / with pushd, not... [master]
3 days ago Scott Worley: When becoming other users, cd to /
12 days ago Scott Worley: 24.11: polite-merge: 2.4 → 2.4.1
12 days ago Scott Worley: Drop 22.11 support: Just use "nativeCheckInputs"
2024-06-29 Scott Worley: pinch: 3.0.15 → 3.1.0 for "git_ref = tag <tag>" support
2024-03-21 Scott Worley: pinch: 3.0.13 → 3.0.15
2023-12-08 Scott Worley: pinch: 3.0.12 → 3.0.13
2023-09-07 Scott Worley: pinch: 3.0.11 → 3.0.12
2023-05-25 Scott Worley: pinch: 3.0.10 → 3.0.11
2023-05-25 Scott Worley: git-cache: 1.4.2 → 1.4.3
2023-05-25 Scott Worley: Adapt to nixpkgs' nativeCheckInputs change
2023-03-20 Scott Worley: Gentler updates (nice & ionice)
2022-11-24 Scott Worley: License and README
2022-11-23 Scott Worley: pinch: 3.0.9 → 3.0.10
2022-11-23 Scott Worley: git-cache: 1.3.1 → 1.4.2
2022-11-23 Scott Worley: Rely on nixpkgs' python3Packages.backoff
...
heads
3 days ago master