git.scottworley.com Git - auto-upgrade-with-pinch/blob - modules/auto-upgrade.nix

   1 { config, lib, pkgs, ... }:
   2 with lib;
   3 let cfg = config.system.autoUpgradeWithPinch;
   4 in {
   5   options = {
   6     system.autoUpgradeWithPinch = {
   7
   8       enable = mkOption {
   9         type = types.bool;
  10         default = false;
  11         description = ''
  12           Whether to periodically upgrade NixOS to the latest version.
  13           Presumes that /etc/nixos is a git repo with a remote and
  14           contains a pinch file called "channels".
  15         '';
  16       };
  17
  18       dates = mkOption {
  19         default = "04:40";
  20         type = types.str;
  21         description = ''
  22           Specification (in the format described by
  23           <citerefentry><refentrytitle>systemd.time</refentrytitle>
  24           <manvolnum>7</manvolnum></citerefentry>) of the time at
  25           which the update will occur.
  26         '';
  27       };
  28
  29       key = mkOption {
  30         type = types.path;
  31         description = ''
  32           GPG key that signs updates.  Updates are only merged if the commit
  33           at the tip of the remote branch is signed with this key.
  34         '';
  35       };
  36     };
  37   };
  38
  39   config = lib.mkIf cfg.enable {
  40     nixpkgs.overlays = [
  41       (import ../overlays/keyedgit.nix)
  42       (import ../overlays/pinch.nix)
  43       (self: super: {
  44         auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
  45         set -e
  46         (
  47           cd /etc/nixos
  48           ${self.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
  49           ${self.pinch}/bin/pinch update channels
  50         )
  51
  52         ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
  53         '';
  54       })
  55     ];
  56
  57     environment.systemPackages = [ pkgs.auto-upgrade ];
  58
  59     systemd.services.nixos-upgrade = {
  60       description = "NixOS Upgrade";
  61       restartIfChanged = false;
  62       unitConfig.X-StopOnRemoval = false;
  63       serviceConfig.Type = "oneshot";
  64       environment = config.nix.envVars // {
  65         inherit (config.environment.sessionVariables) NIX_PATH;
  66         HOME = "/root";
  67       } // config.networking.proxy.envVars;
  68
  69       path = with pkgs; [
  70         config.nix.package.out
  71         coreutils
  72         git
  73         gitMinimal
  74         gnutar
  75         gzip
  76         xz.bin
  77       ];
  78
  79       script = ''
  80         set -e
  81
  82         # Chill for awhile before applying updates.  If applying an update
  83         # badly breaks things, we want a window in which an operator can
  84         # intervene either to fix the problem or disable automatic updates.
  85         sleep 2h
  86
  87         ${pkgs.auto-upgrade}/bin/auto-upgrade
  88       '';
  89
  90       startAt = cfg.dates;
  91     };
  92   };
  93 }