[auto-upgrade-with-pinch] / modules / auto-upgrade.nix

{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.system.autoUpgradeWithPinch;
  auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
    ${pkgs.utillinux}/bin/flock /run/auto-upgrade-with-pinch ${
      pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
        set -e

        in_tmpdir() {
          d=$(mktemp -d)
          pushd "$d"
          "$@"
          popd
          rm -r "$d"
        }

        as_user() {
          ${
            if cfg.userEnvironment.enable then ''
              /run/wrappers/bin/sudo -u ${escapeShellArg cfg.userEnvironment.user} "$@"
            '' else ''
              :
            ''
          }
        }

        # Update channels
        (
          cd /etc/nixos
          ${pkgs.keyedgit cfg.keys}/bin/git pull --ff-only --verify-signatures
          ${pkgs.pinch}/bin/pinch update channels
        )

        # Build
        in_tmpdir ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
        as_user nix-build --no-out-link '<nixpkgs>' -A ${
          escapeShellArg cfg.userEnvironment.package
        }

        # Install
        ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch
        as_user nix-env -f '<nixpkgs>' -riA ${
          escapeShellArg cfg.userEnvironment.package
        }
      ''
    }
  '';
in {
  options = {
    system.autoUpgradeWithPinch = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to periodically upgrade NixOS to the latest version.
          Presumes that /etc/nixos is a git repo with a remote and
          contains a pinch file called "channels".
        '';
      };

      dates = mkOption {
        default = "04:40";
        type = types.str;
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the update will occur.
        '';
      };

      keys = mkOption {
        type = types.path;
        description = ''
          File containing GPG keys that sign updates.  Updates are only merged
          if the commit at the tip of the remote branch is signed with one of
          these keys.
        '';
      };

      userEnvironment = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Whether to update a user-environment as well.  This update is done
            with nix-env -riA.  Note the -r!  I.e., ALL OTHER PACKAGES INSTALLED
            WITH nix-env WILL BE DELETED!

            This presumes that you have configured an "entire user environment"
            package as shown in
            https://nixos.wiki/wiki/FAQ#How_can_I_manage_software_with_nix-env_like_with_configuration.nix.3F

            To check if you're set up for this, run "nix-env --query".  If it
            only lists one package, you're good to go.
          '';
        };

        user = mkOption {
          type = types.str;
          description = ''
            The username of the user whose environment should be updated.
          '';
        };

        package = mkOption {
          type = types.str;
          example = "nixos.userPackages";
          description = ''
            The name of the single package that is the user's entire environment.
          '';
        };

      };
    };
  };

  config = lib.mkIf cfg.enable {

    security.sudo.extraRules = lib.mkAfter [{
      groups = [ "users" ];
      commands = [{
        command = "${auto-upgrade-script}";
        options = [ "NOPASSWD" "NOSETENV" ];
      }];
    }];
    # NOSETENV above still allows through ~17 vars, including PATH.  Block those
    # as well:
    security.sudo.extraConfig = ''
      Defaults!${auto-upgrade-script} !env_check
      Defaults!${auto-upgrade-script} !env_keep
    '';

    nixpkgs.overlays = [
      (import ../overlays/keyedgit.nix)
      (import ../overlays/pinch.nix)
      (self: super: {
        auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
          /run/wrappers/bin/sudo ${auto-upgrade-script}
        '';
      })
    ];

    environment.systemPackages = [ pkgs.auto-upgrade ];

    systemd.services.nixos-upgrade = {
      description = "NixOS Upgrade";
      restartIfChanged = false;
      unitConfig.X-StopOnRemoval = false;
      serviceConfig.Type = "oneshot";
      environment = config.nix.envVars // {
        inherit (config.environment.sessionVariables) NIX_PATH;
        HOME = "/root";
      } // config.networking.proxy.envVars;

      path = with pkgs; [
        config.nix.package.out
        coreutils
        git
        gitMinimal
        gnutar
        gzip
        xz.bin
      ];

      script = ''
        set -e

        # Chill for awhile before applying updates.  If applying an update
        # badly breaks things, we want a window in which an operator can
        # intervene either to fix the problem or disable automatic updates.
        sleep 2h

        # Wait until outside business hours
        now=$(date +%s)
        day_of_week=$(date +%u)
        business_start=$(date -d  8:00 +%s)
        business_end=$(  date -d 17:00 +%s)
        if (( day_of_week <= 5 && now > business_start && now < business_end ));then
          delay=$((business_end - now))
          echo "Waiting $delay seconds so we don't upgrade during business hours" >&2
          sleep "$delay"
        fi

        ${auto-upgrade-script}
      '';

      startAt = cfg.dates;
    };

    assertions = [{
      assertion = cfg.userEnvironment.enable -> cfg.enable;
      message =
        "User environment upgrades cannot yet be enabled separately from system upgrades.";
    }];
  };
}
Commit	Line	Data
901670f5 SW	1	{ config, lib, pkgs, ... }:
901670f5 SW	2	with lib;
364c110c SW	3	let
	4	cfg = config.system.autoUpgradeWithPinch;
	5	auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
2b58720b	6	${pkgs.utillinux}/bin/flock /run/auto-upgrade-with-pinch ${
364c110c SW	7	pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
364c110c SW	8	set -e
eb0fa99c SW	9
	10	in_tmpdir() {
	11	d=$(mktemp -d)
	12	pushd "$d"
	13	"$@"
	14	popd
	15	rm -r "$d"
	16	}
	17
	18	as_user() {
	19	${
	20	if cfg.userEnvironment.enable then ''
4acf153c	21	/run/wrappers/bin/sudo -u ${escapeShellArg cfg.userEnvironment.user} "$@"
eb0fa99c SW	22	'' else ''
	23	:
	24	''
	25	}
	26	}
	27
	28	# Update channels
364c110c SW	29	(
364c110c SW	30	cd /etc/nixos
9d0c0d71	31	${pkgs.keyedgit cfg.keys}/bin/git pull --ff-only --verify-signatures
364c110c SW	32	${pkgs.pinch}/bin/pinch update channels
	33	)
	34
eb0fa99c SW	35	# Build
eb0fa99c SW	36	in_tmpdir ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
b972908a	37	as_user nix-build --no-out-link '<nixpkgs>' -A ${
eb0fa99c SW	38	escapeShellArg cfg.userEnvironment.package
	39	}
	40
	41	# Install
	42	${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch
	43	as_user nix-env -f '<nixpkgs>' -riA ${
	44	escapeShellArg cfg.userEnvironment.package
	45	}
364c110c SW	46	''
	47	}
	48	'';
901670f5 SW	49	in {
	50	options = {
	51	system.autoUpgradeWithPinch = {
	52
	53	enable = mkOption {
	54	type = types.bool;
	55	default = false;
	56	description = ''
	57	Whether to periodically upgrade NixOS to the latest version.
	58	Presumes that /etc/nixos is a git repo with a remote and
	59	contains a pinch file called "channels".
	60	'';
	61	};
	62
	63	dates = mkOption {
	64	default = "04:40";
	65	type = types.str;
	66	description = ''
	67	Specification (in the format described by
	68	<citerefentry><refentrytitle>systemd.time</refentrytitle>
	69	<manvolnum>7</manvolnum></citerefentry>) of the time at
	70	which the update will occur.
	71	'';
	72	};
d8537205	73
9d0c0d71	74	keys = mkOption {
d8537205 SW	75	type = types.path;
d8537205 SW	76	description = ''
9d0c0d71 SW	77	File containing GPG keys that sign updates. Updates are only merged
	78	if the commit at the tip of the remote branch is signed with one of
	79	these keys.
d8537205 SW	80	'';
d8537205 SW	81	};
eb0fa99c SW	82
	83	userEnvironment = {
	84	enable = mkOption {
	85	type = types.bool;
	86	default = false;
	87	description = ''
	88	Whether to update a user-environment as well. This update is done
	89	with nix-env -riA. Note the -r! I.e., ALL OTHER PACKAGES INSTALLED
	90	WITH nix-env WILL BE DELETED!
	91
	92	This presumes that you have configured an "entire user environment"
	93	package as shown in
	94	https://nixos.wiki/wiki/FAQ#How_can_I_manage_software_with_nix-env_like_with_configuration.nix.3F
	95
	96	To check if you're set up for this, run "nix-env --query". If it
	97	only lists one package, you're good to go.
	98	'';
	99	};
	100
	101	user = mkOption {
	102	type = types.str;
	103	description = ''
	104	The username of the user whose environment should be updated.
	105	'';
	106	};
	107
	108	package = mkOption {
	109	type = types.str;
	110	example = "nixos.userPackages";
	111	description = ''
	112	The name of the single package that is the user's entire environment.
	113	'';
	114	};
	115
	116	};
901670f5 SW	117	};
	118	};
	119
	120	config = lib.mkIf cfg.enable {
364c110c SW	121
	122	security.sudo.extraRules = lib.mkAfter [{
	123	groups = [ "users" ];
	124	commands = [{
	125	command = "${auto-upgrade-script}";
	126	options = [ "NOPASSWD" "NOSETENV" ];
	127	}];
	128	}];
	129	# NOSETENV above still allows through ~17 vars, including PATH. Block those
	130	# as well:
	131	security.sudo.extraConfig = ''
	132	Defaults!${auto-upgrade-script} !env_check
	133	Defaults!${auto-upgrade-script} !env_keep
	134	'';
	135
d8537205 SW	136	nixpkgs.overlays = [
	137	(import ../overlays/keyedgit.nix)
	138	(import ../overlays/pinch.nix)
5aaf4680 SW	139	(self: super: {
5aaf4680 SW	140	auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
4acf153c	141	/run/wrappers/bin/sudo ${auto-upgrade-script}
5aaf4680 SW	142	'';
5aaf4680 SW	143	})
d8537205	144	];
5aaf4680 SW	145
	146	environment.systemPackages = [ pkgs.auto-upgrade ];
	147
901670f5 SW	148	systemd.services.nixos-upgrade = {
	149	description = "NixOS Upgrade";
	150	restartIfChanged = false;
	151	unitConfig.X-StopOnRemoval = false;
	152	serviceConfig.Type = "oneshot";
	153	environment = config.nix.envVars // {
	154	inherit (config.environment.sessionVariables) NIX_PATH;
	155	HOME = "/root";
	156	} // config.networking.proxy.envVars;
	157
	158	path = with pkgs; [
	159	config.nix.package.out
	160	coreutils
	161	git
	162	gitMinimal
	163	gnutar
	164	gzip
901670f5 SW	165	xz.bin
	166	];
	167
	168	script = ''
	169	set -e
8569b965 SW	170
	171	# Chill for awhile before applying updates. If applying an update
	172	# badly breaks things, we want a window in which an operator can
	173	# intervene either to fix the problem or disable automatic updates.
	174	sleep 2h
	175
f43ffe15 SW	176	# Wait until outside business hours
	177	now=$(date +%s)
	178	day_of_week=$(date +%u)
	179	business_start=$(date -d 8:00 +%s)
	180	business_end=$( date -d 17:00 +%s)
	181	if (( day_of_week <= 5 && now > business_start && now < business_end ));then
	182	delay=$((business_end - now))
	183	echo "Waiting $delay seconds so we don't upgrade during business hours" >&2
	184	sleep "$delay"
	185	fi
	186
364c110c	187	${auto-upgrade-script}
901670f5 SW	188	'';
	189
	190	startAt = cfg.dates;
	191	};
eb0fa99c SW	192
	193	assertions = [{
	194	assertion = cfg.userEnvironment.enable -> cfg.enable;
	195	message =
	196	"User environment upgrades cannot yet be enabled separately from system upgrades.";
	197	}];
901670f5 SW	198	};
901670f5 SW	199	}