# NixOS module: unattended upgrades for a machine whose /etc/nixos is a git
# checkout with channel pins managed by "pinch". The upgrade only proceeds when
# the remote branch tip is signed by the configured GPG key; the actual work is
# packaged as an `auto-upgrade` script and driven by a systemd timer.
{ config, lib, pkgs, ... }:

let
  upgradeCfg = config.system.autoUpgradeWithPinch;
in
{
  options.system.autoUpgradeWithPinch = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to periodically upgrade NixOS to the latest version.
        Presumes that /etc/nixos is a git repo with a remote and
        contains a pinch file called "channels".
      '';
    };

    dates = lib.mkOption {
      type = lib.types.str;
      default = "04:40";
      description = ''
        Specification (in the format described by
        <citerefentry><refentrytitle>systemd.time</refentrytitle>
        <manvolnum>7</manvolnum></citerefentry>) of the time at
        which the update will occur.
      '';
    };

    # Deliberately has no default: enabling the module without naming a
    # signing key is an evaluation error rather than an unsigned upgrade.
    key = lib.mkOption {
      type = lib.types.path;
      description = ''
        GPG key that signs updates. Updates are only merged if the commit
        at the tip of the remote branch is signed with this key.
      '';
    };
  };

  config = lib.mkIf upgradeCfg.enable {
    nixpkgs.overlays = [
      # keyedgit: a git wrapper bound to one key (used below as `self.keyedgit`);
      # pinch: provides `self.pinch`. Both are project-local overlays.
      (import ../overlays/keyedgit.nix)
      (import ../overlays/pinch.nix)
      (self: super:
        let
          # The upgrade proper, executed only while the lock is held.
          # `set -e` stops the script before nixos-rebuild if the pull or the
          # pin refresh fails, so a tree that did not pass the signature
          # check is never switched to. Note that `--verify-signatures`
          # checks the signature on the tip commit only; with `--ff-only`
          # every commit reachable from that tip is adopted on the strength
          # of that single signature.
          upgradeWithLockHeld = super.writeShellScript "auto-upgrade-with-lock-held" ''
            set -e
            (
              cd /etc/nixos
              ${self.keyedgit upgradeCfg.key}/bin/git pull --ff-only --verify-signatures
              ${self.pinch}/bin/pinch update channels
            )

            ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
          '';
        in
        {
          # The lock file serialises the timer-driven run against an operator
          # running `auto-upgrade` by hand (it is on the system PATH below).
          # NOTE(review): `flock` is resolved from PATH rather than pinned to a
          # store path; confirm the systemd service's PATH provides it.
          auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
            flock /run/auto-upgrade-with-pinch ${upgradeWithLockHeld}
          '';
        })
    ];

    # Exposed so an operator can trigger the same signed upgrade manually.
    environment.systemPackages = [ pkgs.auto-upgrade ];

    systemd.services.nixos-upgrade = {
      description = "NixOS Upgrade";
      restartIfChanged = false;
      unitConfig.X-StopOnRemoval = false;
      serviceConfig.Type = "oneshot";

      # Merge order: nix daemon variables, then NIX_PATH/HOME, then proxy
      # settings; with `//` the right-hand set wins on clashing keys.
      environment =
        config.nix.envVars
        // {
          NIX_PATH = config.environment.sessionVariables.NIX_PATH;
          HOME = "/root";
        }
        // config.networking.proxy.envVars;

      path = [
        config.nix.package.out
        pkgs.coreutils
        pkgs.git
        pkgs.gitMinimal
        pkgs.gnutar
        pkgs.gzip
        pkgs.xz.bin
      ];

      script = ''
        set -e

        # Chill for awhile before applying updates. If applying an update
        # badly breaks things, we want a window in which an operator can
        # intervene either to fix the problem or disable automatic updates.
        sleep 2h

        ${pkgs.auto-upgrade}/bin/auto-upgrade
      '';

      # systemd.time(7) calendar expression; see the `dates` option.
      startAt = upgradeCfg.dates;
    };
  };
}