git.scottworley.com Git - auto-upgrade-with-pinch/blob - modules/auto-upgrade.nix

   1 { config, lib, pkgs, ... }:
   2 with lib;
   3 let cfg = config.system.autoUpgradeWithPinch;
   4 in {
   5   options = {
   6     system.autoUpgradeWithPinch = {
   7
   8       enable = mkOption {
   9         type = types.bool;
  10         default = false;
  11         description = ''
  12           Whether to periodically upgrade NixOS to the latest version.
  13           Presumes that /etc/nixos is a git repo with a remote and
  14           contains a pinch file called "channels".
  15         '';
  16       };
  17
  18       dates = mkOption {
  19         default = "04:40";
  20         type = types.str;
  21         description = ''
  22           Specification (in the format described by
  23           <citerefentry><refentrytitle>systemd.time</refentrytitle>
  24           <manvolnum>7</manvolnum></citerefentry>) of the time at
  25           which the update will occur.
  26         '';
  27       };
  28
  29       key = mkOption {
  30         type = types.path;
  31         description = ''
  32           GPG key that signs updates.  Updates are only merged if the commit
  33           at the tip of the remote branch is signed with this key.
  34         '';
  35       };
  36     };
  37   };
  38
  39   config = lib.mkIf cfg.enable {
  40     nixpkgs.overlays = [
  41       (import ../overlays/keyedgit.nix)
  42       (import ../overlays/pinch.nix)
  43     ];
  44     systemd.services.nixos-upgrade = {
  45       description = "NixOS Upgrade";
  46       restartIfChanged = false;
  47       unitConfig.X-StopOnRemoval = false;
  48       serviceConfig.Type = "oneshot";
  49       environment = config.nix.envVars // {
  50         inherit (config.environment.sessionVariables) NIX_PATH;
  51         HOME = "/root";
  52       } // config.networking.proxy.envVars;
  53
  54       path = with pkgs; [
  55         config.nix.package.out
  56         coreutils
  57         git
  58         gitMinimal
  59         gnutar
  60         gzip
  61         pinch
  62         xz.bin
  63       ];
  64
  65       script = ''
  66         set -e
  67
  68         # Chill for awhile before applying updates.  If applying an update
  69         # badly breaks things, we want a window in which an operator can
  70         # intervene either to fix the problem or disable automatic updates.
  71         sleep 2h
  72
  73         (
  74           cd /etc/nixos
  75           ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
  76           pinch update channels
  77         )
  78
  79         ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
  80       '';
  81
  82       startAt = cfg.dates;
  83     };
  84   };
  85 }