git.scottworley.com Git - auto-upgrade-with-pinch/summary
 
description: Automatic NixOS upgrades with pinch
last change: Sat, 29 Jun 2024 07:17:01 +0000 (00:17 -0700)
readme

auto-upgrade-with-pinch

Automatically update a NixOS machine from a remote git repo.

The advantage of this over NixOps is in authentication: NixOps requires granting a general-purpose administrator credential for the machines under management to the actor pushing the updates. This credential is intended to be used only for pushing updates, but could be used for any other purpose. Reliably logging and auditing what is done with this credential if it is used interactively is extremely difficult.

This tool, on the other hand, only applies configuration changes recorded in a git repository. This is transparent and easy to audit. Configuration updates are pulled, not pushed. Configuration updates must be signed (with normal git commit signatures). Force-pushed updates are rejected. Additional policy can be easily enforced with normal git repository control mechanisms, such as requiring code reviews.
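
The two checks described above (reject history rewrites, require commit signatures) can be expressed with stock git commands. This is an added example, not auto-upgrade-with-pinch's own code; the function name `accept_update`, its return codes, and the choice to verify every commit in the new range rather than only the tip are assumptions of the example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of auto-upgrade-with-pinch).
# Decide whether a fetched commit may replace the currently deployed one.
#
#   accept_update REPO_DIR DEPLOYED_REV CANDIDATE_REV
#
# Return codes (chosen for this example):
#   0  accept
#   1  candidate does not descend from the deployed commit (rewritten history)
#   2  a commit in the new range has no valid signature
#   3  git could not enumerate the new range
accept_update() {
    repo=$1
    deployed=$2
    candidate=$3

    # Fast-forward only: the deployed commit must be an ancestor of the
    # candidate. A force-push that rewrites history fails this test.
    if ! git -C "$repo" merge-base --is-ancestor "$deployed" "$candidate"; then
        echo "reject: $candidate does not descend from $deployed" >&2
        return 1
    fi

    # Commits introduced by the update, i.e. reachable from the candidate
    # but not from the deployed commit.
    revs=$(git -C "$repo" rev-list "$deployed..$candidate") || return 3

    # Each new commit must carry a signature that verifies against the
    # keys in the local keyring. Unsigned commits fail verify-commit.
    for rev in $revs; do
        if ! git -C "$repo" verify-commit "$rev" 2>/dev/null; then
            echo "reject: $rev has no valid signature" >&2
            return 2
        fi
    done

    return 0
}
```

`git verify-commit` accepts any signature that validates against the local keyring, so the keyring on the machine being upgraded should contain only the keys allowed to sign configuration changes.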

shortlog
2024-06-29 Scott Worley pinch: 3.0.15 → 3.1.0 for "git_ref = tag <tag>" support [master]
2024-03-21 Scott Worley pinch: 3.0.13 → 3.0.15
2023-12-08 Scott Worley pinch: 3.0.12 → 3.0.13
2023-09-07 Scott Worley pinch: 3.0.11 → 3.0.12
2023-05-25 Scott Worley pinch: 3.0.10 → 3.0.11
2023-05-25 Scott Worley git-cache: 1.4.2 → 1.4.3
2023-05-25 Scott Worley Adapt to nixpkgs' nativeCheckInputs change
2023-03-20 Scott Worley Gentler updates (nice & ionice)
2022-11-24 Scott Worley License and README
2022-11-23 Scott Worley pinch: 3.0.9 → 3.0.10
2022-11-23 Scott Worley git-cache: 1.3.1 → 1.4.2
2022-11-23 Scott Worley Rely on nixpkgs' python3Packages.backoff
2022-09-26 Scott Worley Follow rename: utillinux → util-linux
2022-04-30 Scott Worley pinch: 3.0.7 → 3.0.9
2022-04-29 Scott Worley Switch from 'nix eval' to 'nix-instantiate --eval'
2022-03-31 Scott Worley New git URLs
...
heads
4 months ago master