# auto-upgrade-with-[pinch](https://git.scottworley.com/pinch)

Automatically update a [NixOS](https://nixos.org/) machine from a remote
git repo.

The advantage of this over [NixOps](nixos.org/nixops) is in
authentication: NixOps requires granting a general-purpose administrator
credential for the machines under management to the actor pushing
the updates. This credential is intended to be used only for pushing
updates, but could be used for any other purpose. Reliably logging and
auditing what is done with this credential if it is used interactively
is extremely difficult.

This tool, on the other hand, only applies configuration changes
recorded in a git repository. This is transparent and easy to audit.
Configuration updates are pulled, not pushed. Configuration updates
must be signed (with normal git commit signatures). Force-pushed updates
are rejected. Additional policy can be easily enforced with normal git
repository control mechanisms, such as requiring code reviews.
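The two policies described above (fast-forward only, signed commits only) can be checked on the pull side with plain git commands. The sketch below is an added example written for this page; it is not pinch's own code, and the function names `is_fast_forward`, `is_signed`, `check_update` and `fetch_and_apply` are hypothetical. It uses `git merge-base --is-ancestor` to detect rewritten history and `git verify-commit` for the signature, and it only ever fetches, so the updated machine never needs to accept a push.

```shell
#!/bin/sh
# Added example, not pinch's own code: pull-side update policy for a NixOS
# machine whose configuration lives in a git repository.
set -eu

# is_fast_forward REPO OLD NEW: succeed iff OLD is an ancestor of NEW, i.e. the
# update only adds commits on top of what is deployed. A force-push that
# rewrote history fails this test.
is_fast_forward() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# is_signed REPO COMMIT: succeed iff git (via gpg) accepts the commit's
# signature. Unsigned commits fail without gpg ever being invoked; which keys
# are acceptable is decided by the machine's keyring and gpg.minTrustLevel.
is_signed() {
    git -C "$1" verify-commit "$2" >/dev/null 2>&1
}

# check_update REPO OLD NEW: 0 if NEW may replace OLD, 1 if history was
# rewritten, 2 if the signature does not verify.
check_update() {
    repo=$1 old=$2 new=$3
    if ! is_fast_forward "$repo" "$old" "$new"; then
        echo "reject: $new is not a fast-forward of $old (history rewritten?)" >&2
        return 1
    fi
    if ! is_signed "$repo" "$new"; then
        echo "reject: commit $new has no valid signature" >&2
        return 2
    fi
    echo "accept: $new"
}

# fetch_and_apply REPO REMOTE BRANCH: the machine pulls; nothing pushes to it.
# The checkout is advanced only when check_update accepts the fetched commit.
fetch_and_apply() {
    repo=$1 remote=$2 branch=$3
    git -C "$repo" fetch -q "$remote" "$branch"
    old=$(git -C "$repo" rev-parse HEAD)
    new=$(git -C "$repo" rev-parse FETCH_HEAD)
    if [ "$old" = "$new" ]; then
        echo "up to date at $old"
        return 0
    fi
    check_update "$repo" "$old" "$new" || return $?
    git -C "$repo" merge -q --ff-only "$new"
    # At this point a real updater would rebuild from the verified checkout,
    # e.g. nixos-rebuild switch -I nixos-config="$repo/configuration.nix".
}
```

Note that `git verify-commit` answers only "does this signature verify against a key the machine's gpg trusts"; the set of people allowed to change the machine is therefore exactly the set of keys imported into that keyring, which is the audit boundary the README is describing.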