When becoming other users, cd to / with pushd, not sudo -D
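{ upgradeConfig, lib ? (import <nixpkgs> { }).lib, }:
with lib;
# Option schema for auto-upgrade-with-pinch.
#
# `upgradeConfig` is a list of NixOS-style modules that supply the values;
# this file only declares the options (types, defaults, documentation) and
# evaluates the lot with evalModules.  The script that acts on the resulting
# config is not part of this file, so statements below about what a setting
# "does" restate the option's documented contract, not the implementation.
evalModules {
  modules = upgradeConfig ++ [{
    options = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to periodically upgrade NixOS to the latest version.
          Presumes that /etc/nixos is a git repo with a remote and
          contains a pinch file called "channels".
        '';
      };

      dates = mkOption {
        default = "04:40";
        type = types.str;
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the update will occur.
        '';
      };

      repos = mkOption {
        description = ''
          Git repositories to pull before running pinch. These are maintained
          as git checkouts at specified places in the filesystem with specified
          ownership rather than kept read-only in the nix store so that humans
          can use them both as points of intervention in the automation and to
          author and push changes back up.

          Because these checkouts are writable by their owning user, the
          per-repo <literal>user</literal> and <literal>signingKeys</literal>
          settings are what keep a compromised checkout from turning into a
          compromised upgrade; see those options.
        '';
        default = { };
        # Attribute name = absolute path of the checkout on disk (see example).
        type = types.attrsOf (types.submodule {
          options = {
            url = mkOption {
              description = ''
                Remote git repo. This URL is authoritative: with the default
                <literal>onRemoteURLMismatch = "update"</literal> it takes
                precedence over whatever remote the checkout currently has.
              '';
              type = types.str;
            };
            remoteName = mkOption {
              description = ''Name of the git remote. Customarily "origin".'';
              type = types.str;
              default = "origin";
            };
            onRemoteURLMismatch = mkOption {
              description = ''
                What to do if the remote URL in the git repo doesn't match the
                URL configured here. "update" makes the configured
                <literal>url</literal> win; "abort" stops the upgrade run so a
                human can look at why the checkout was pointed elsewhere.
              '';
              type = types.enum [ "update" "abort" ];
              default = "update";
            };
            onBranchMismatch = mkOption {
              description = ''
                What to do if a different branch is currently checked out.

                (Changes from <literal>remoteBranch</literal> are only ever
                merged into <literal>localBranch</literal>, so if a different
                branch is checked out, no remote changes will be merged.)
              '';
              type = types.enum [ "continue" "abort" ];
              default = "continue";
            };
            user = mkOption {
              description = ''
                User as which to run 'git fetch'. This should be the user that
                owns the checkout (see the example). Git reads configuration
                and hooks from inside the repository it operates on, so running
                it as a more privileged user than the checkout's owner would let
                anyone able to write the checkout run commands as that user.
              '';
              type = types.str;
            };
            localBranch = mkOption {
              description = ''
                Local branch that remote changes are merged into. It is the
                only branch that ever receives changes from
                <literal>remoteBranch</literal> (see
                <literal>onBranchMismatch</literal>).
              '';
              type = types.str;
              default = "master";
            };
            remoteBranch = mkOption {
              description = ''
                Branch on <literal>remoteName</literal> whose changes are
                fetched and merged into <literal>localBranch</literal>.
              '';
              type = types.str;
              default = "master";
            };
            requireSignature = mkOption {
              type = types.bool;
              default = true;
              description = ''
                Only pull when the tip of the remote ref is signed by a key
                specified in <literal>signingKeys</literal>. As described, only
                the tip commit is checked, not every commit in the fetched
                history. Turning this off means anything the remote serves
                (or anyone who can write the checkout) is trusted.
              '';
            };
            # NOTE(review): both the example below and requireSignature's
            # description refer to `signingKeys`, but no such option was
            # declared, so a config following the example could not evaluate
            # (undeclared submodule options are an error).  Declared here with
            # the shape the example implies (a list of key files); confirm the
            # upgrade script reads it under this name.
            signingKeys = mkOption {
              description = ''
                Files containing the public keys that are allowed to sign the
                tip of <literal>remoteBranch</literal>; consulted when
                <literal>requireSignature</literal> is on. With
                <literal>requireSignature</literal> on and no keys listed, no
                commit can be verified, so the expected outcome is that
                nothing is pulled (fail closed) -- confirm against the script.
              '';
              type = types.listOf types.path;
              default = [ ];
            };
          };
        });
        example = {
          "/etc/nixos" = {
            url = "https://github.com/chkno/auto-upgrade-demo-nixos";
            user = "root";
            signingKeys = [ ./admins.asc ];
          };
          "/home/alice/.config/nixpkgs" = {
            url = "https://github.com/chkno/auto-upgrade-demo-user-nixpkgs";
            user = "alice";
            signingKeys = [ ./admins.asc ./alice.asc ];
          };
        };
      };

      pinchFiles = mkOption {
        description = ''
          Pinch files to use for channel updates. Typically these are inside
          <literal>repos</literal>' paths, in which case the signature check
          on the containing repo is what vouches for their contents.
        '';
        type = types.listOf types.path;
        default = [ ];
        example = [ "/etc/nixos/channels" ];
      };

      userEnvironments = mkOption {
        description = ''
          User environments to update as part of an upgrade run.
        '';
        default = { };
        # Attribute name = the user whose environment is updated (see example).
        type = types.attrsOf (types.submodule {
          options = {
            package = mkOption {
              type = types.str;
              default = "userPackages";
              description = ''
                The name of the single package that will be updated. You'll
                want to create an 'entire user environment' package as shown in
                https://nixos.wiki/wiki/FAQ#How_can_I_manage_software_with_nix-env_like_with_configuration.nix.3F
              '';
            };
            otherPackagesAction = mkOption {
              type = types.enum [ "remove" "keep" "abort" ];
              default = "remove";
              description = ''
                What to do with packages other than <literal>package</literal>.

                THIS DEFAULTS TO "remove", WHICH IS POTENTIALLY SOMEWHAT
                DESTRUCTIVE! This is the default because it is the recommended
                setting -- This module recommends managing your environment
                through your one entire-environment <literal>package</literal>.
                This keeps your environment declarative and ensures that all
                packages receive regular updates.
              '';
              # It seems like "upgrade" ought to be another choice here, powered
              # by "nix-env --upgrade". But when I tried this, it didn't work.
            };
          };
        });
        example = { alice = { }; };
      };
    };
  }];
}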