{ config, lib, pkgs, ... }:

# NixOS module: unattended upgrades driven by a git checkout of /etc/nixos
# whose remote tip must carry a signature from a configured GPG key, plus a
# `pinch` channel pin file named "channels" in that checkout.
let
  inherit (lib) mkIf mkOption types;

  cfg = config.system.autoUpgradeWithPinch;

  # Overlay that provides the `auto-upgrade` command.  The real work runs
  # under flock(1) on /run/auto-upgrade-with-pinch, so a manual invocation
  # and the timer-driven one cannot interleave; without `-n` a second caller
  # waits for the lock instead of failing.
  #
  # Inside the locked section the pull uses the git from the `keyedgit`
  # overlay (overlays/keyedgit.nix, not shown here), not the git on PATH —
  # presumably a wrapper whose keyring is restricted to cfg.key; confirm in
  # that overlay.  `--verify-signatures` checks only the signature on the
  # fetched tip commit (as the `key` option documents), and `--ff-only`
  # rejects any non-fast-forward history rather than merging it.  `set -e`
  # stops the script before `nixos-rebuild switch` if the pull or the pinch
  # update fails.
  autoUpgradeOverlay = self: super: {
    auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
      flock /run/auto-upgrade-with-pinch ${super.writeShellScript "auto-upgrade-with-lock-held" ''
        set -e
        (
          cd /etc/nixos
          ${self.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
          ${self.pinch}/bin/pinch update channels
        )

        ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
      ''}
    '';
  };
in
{
  options.system.autoUpgradeWithPinch = {

    # Master switch for the timer-driven upgrade service below.
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to periodically upgrade NixOS to the latest version.
        Presumes that /etc/nixos is a git repo with a remote and
        contains a pinch file called "channels".
      '';
    };

    # systemd calendar expression; becomes the unit's `startAt`.
    dates = mkOption {
      type = types.str;
      default = "04:40";
      description = ''
        Specification (in the format described by
        <citerefentry><refentrytitle>systemd.time</refentrytitle>
        <manvolnum>7</manvolnum></citerefentry>) of the time at
        which the update will occur.
      '';
    };

    # Path to the public key that the remote tip commit must be signed with.
    # No default: the module cannot be enabled without choosing a key.
    key = mkOption {
      type = types.path;
      description = ''
        GPG key that signs updates. Updates are only merged if the commit
        at the tip of the remote branch is signed with this key.
      '';
    };
  };

  config = mkIf cfg.enable {
    nixpkgs.overlays = [
      (import ../overlays/keyedgit.nix)
      (import ../overlays/pinch.nix)
      autoUpgradeOverlay
    ];

    # Expose the wrapper so an operator can trigger the same locked upgrade
    # by hand.
    environment.systemPackages = [ pkgs.auto-upgrade ];

    systemd.services.nixos-upgrade = {
      description = "NixOS Upgrade";

      # Do not let the `nixos-rebuild switch` this unit runs restart or stop
      # the unit itself while it is mid-upgrade (that is presumably the intent
      # of these two flags).
      restartIfChanged = false;
      unitConfig.X-StopOnRemoval = false;

      serviceConfig.Type = "oneshot";

      environment =
        config.nix.envVars
        // {
          inherit (config.environment.sessionVariables) NIX_PATH;
          HOME = "/root";
        }
        // config.networking.proxy.envVars;

      # Tools available to nixos-rebuild and the helpers it spawns.  Note that
      # the pull itself does not use this PATH's git (see the overlay above).
      path = [
        config.nix.package.out
        pkgs.coreutils
        pkgs.git
        pkgs.gitMinimal
        pkgs.gnutar
        pkgs.gzip
        pkgs.xz.bin
      ];

      script = ''
        set -e

        # Chill for awhile before applying updates. If applying an update
        # badly breaks things, we want a window in which an operator can
        # intervene either to fix the problem or disable automatic updates.
        sleep 2h

        ${pkgs.auto-upgrade}/bin/auto-upgrade
      '';

      startAt = cfg.dates;
    };
  };
}