Safety-hatch: Initial delay
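# NixOS module: unattended upgrades driven by a signed git checkout of
# /etc/nixos plus a "pinch" channel file.  The upgrade runs as a oneshot
# systemd service on a timer (cfg.dates).
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.system.autoUpgradeWithPinch;
in {
  options = {
    system.autoUpgradeWithPinch = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to periodically upgrade NixOS to the latest version.
          Presumes that /etc/nixos is a git repo with a remote and
          contains a pinch file called "channels".
        '';
      };

      dates = mkOption {
        default = "04:40";
        type = types.str;
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the update will occur.
        '';
      };

      # Previously a hard-coded "sleep 2h" in the service script; the
      # default keeps that behaviour.
      initialDelay = mkOption {
        default = "2h";
        type = types.str;
        description = ''
          How long (a sleep(1) duration such as "2h" or "30m") the upgrade
          service waits after being started before it fetches or applies
          anything.  This is the window in which an operator can stop the
          service or disable automatic upgrades after a bad upgrade.
        '';
      };

      key = mkOption {
        type = types.path;
        description = ''
          GPG key that signs updates. Updates are only merged if the commit
          at the tip of the remote branch is signed with this key.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    # keyedgit: presumably a git wrapper bound to a keyring holding only
    # cfg.key (used for --verify-signatures below); pinch: the channel
    # pinning tool invoked in the script.
    nixpkgs.overlays = [
      (import ../overlays/keyedgit.nix)
      (import ../overlays/pinch.nix)
    ];

    systemd.services.nixos-upgrade = {
      description = "NixOS Upgrade";
      # The unit runs "nixos-rebuild switch" itself; do not let that switch
      # restart or stop the very unit performing it.
      restartIfChanged = false;
      unitConfig.X-StopOnRemoval = false;
      serviceConfig.Type = "oneshot";
      environment = config.nix.envVars // {
        inherit (config.environment.sessionVariables) NIX_PATH;
        # git and nix look for per-user config under $HOME.
        HOME = "/root";
      } // config.networking.proxy.envVars;

      # NOTE(review): git and gitMinimal both provide bin/git here; one of
      # them is likely redundant.
      path = with pkgs; [
        config.nix.package.out
        coreutils
        git
        gitMinimal
        gnutar
        gzip
        pinch
        xz.bin
      ];

      script = ''
        set -e

        # Chill for awhile before applying updates. If applying an update
        # badly breaks things, we want a window in which an operator can
        # intervene either to fix the problem or disable automatic updates.
        # Stopping this service while it sleeps aborts the whole run.
        sleep ${lib.escapeShellArg cfg.initialDelay}

        (
          cd /etc/nixos
          # Fast-forward only; refuse the update unless the tip commit of
          # the remote branch carries a valid signature from the
          # configured key.
          ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
          # NOTE(review): the signature check covers the git history only.
          # Whatever "pinch update" fetches for the channels file is not
          # covered by it - confirm how pinch validates its own inputs.
          pinch update channels
        )

        ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
      '';

      startAt = cfg.dates;
    };
  };
}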