git.scottworley.com Git - auto-upgrade-with-pinch - README.md
# auto-upgrade-with-[pinch](https://git.scottworley.com/pinch)

Automatically update a [NixOS](https://nixos.org/) machine from a remote
git repo.

The advantage of this over [NixOps](https://nixos.org/nixops) is in
authentication: NixOps requires granting the actor that pushes updates a
general-purpose administrator credential for the machines under
management. That credential is meant to be used only for pushing
updates, but nothing restricts it to that purpose, and if it is used
interactively, reliably logging and auditing what was done with it is
extremely difficult.

This tool, on the other hand, only applies configuration changes
recorded in a git repository, which is transparent and easy to audit.
Configuration updates are pulled by the machine, not pushed to it.
Updates must be signed (with normal git commit signatures); unsigned
updates are not applied. Force-pushed updates (rewritten history) are
rejected. Additional policy can be enforced with the normal git
repository control mechanisms, such as requiring code review before a
commit reaches the branch the machine follows.
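The pull-side policy just described (fast-forward only, every new commit carrying a valid signature) can be checked with plain git before anything is applied. The script below is an added illustration written for this page, not code from auto-upgrade-with-pinch or pinch; the function names, the `origin`/`main` defaults, the `/etc/nixos` path and the exit codes are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from auto-upgrade-with-pinch): a minimal pull-side
# policy check of the kind the README describes. Function names, the
# origin/main defaults, the /etc/nixos path and the exit codes are
# assumptions made for illustration.
#
# Policy enforced before anything is applied:
#   1. the fetched tip must be a fast-forward of the deployed commit
#      (a rewritten, force-pushed history is rejected), and
#   2. every new commit, not just the tip, must carry a signature that git
#      can verify against a key it already trusts (gpg keyring, or the
#      SSH allowed-signers file named in gpg.ssh.allowedSignersFile).

# True if $2 descends from (or equals) $1.
is_fast_forward() {
    git merge-base --is-ancestor "$1" "$2"
}

# True only if git can verify the commit's signature against a trusted key.
is_signed() {
    git verify-commit "$1" >/dev/null 2>&1
}

# Fetch <remote> <branch> and check it; prints a verdict, applies nothing.
# Exit status: 0 accepted or already up to date, 1 fetch failed,
# 2 not a fast-forward, 3 an unsigned or untrusted commit.
check_update() {
    remote=${1:-origin} branch=${2:-main}
    git fetch --quiet "$remote" "$branch" || { echo "fetch failed"; return 1; }
    current=$(git rev-parse HEAD)
    candidate=$(git rev-parse FETCH_HEAD)
    if [ "$current" = "$candidate" ]; then
        echo "up to date at $current"
        return 0
    fi
    if ! is_fast_forward "$current" "$candidate"; then
        echo "rejected: $candidate does not descend from $current (force-push?)"
        return 2
    fi
    # Every commit between the deployed state and the candidate is checked,
    # so a signed merge on top of unsigned commits does not pass.
    for c in $(git rev-list "$current..$candidate"); do
        if ! is_signed "$c"; then
            echo "rejected: no valid signature on $c"
            return 3
        fi
    done
    echo "accepted: $candidate"
    return 0
}

# Check, then advance the deployed branch; the merge is only ever a
# fast-forward, so nothing unexpected can be mixed in at this step.
apply_update() {
    check_update "$@" || return $?
    git merge --quiet --ff-only FETCH_HEAD
}

# Typical use from a timer, assuming the NixOS configuration lives in a
# git checkout at /etc/nixos:
#   cd /etc/nixos && apply_update origin main && nixos-rebuild switch
```

The signature check delegates trust entirely to git's own configuration: a gpg keyring holding the maintainers' keys, or for SSH signatures an allowed-signers file. Verifying every commit in `current..candidate` rather than only the tip is a deliberate choice, because a maintainer signing a merge commit would otherwise be enough to carry unsigned commits onto the machine.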