git.scottworley.com Git - auto-upgrade-with-pinch/blob - README.md
# auto-upgrade-with-[pinch](https://git.scottworley.com/pinch)

Automatically update a [NixOS](https://nixos.org/) machine from a remote
git repo.

The advantage of this over [NixOps](https://nixos.org/nixops) is in
authentication: NixOps requires granting a general-purpose administrator
credential for the machines under management to the actor pushing
the updates. This credential is intended to be used only for pushing
updates, but could be used for any other purpose. Reliably logging and
auditing what is done with this credential if it is used interactively
is extremely difficult.

This tool, on the other hand, only applies configuration changes
recorded in a git repository. This is transparent and easy to audit.
Configuration updates are pulled, not pushed. Configuration updates
must be signed (with normal git commit signatures). Force-pushed updates
are rejected. Additional policy can easily be enforced with normal git
repository control mechanisms, such as requiring code review.
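The two policy checks described above, fast-forward-only history and a good signature from a trusted key, expressed as an added POSIX shell example. This is not the project's own code; the function names, the `check_update` entry point and the use of a dedicated `GNUPGHOME` keyring for deployer keys are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical pre-apply policy check for a pulled configuration update.
# Not part of auto-upgrade-with-pinch; written to illustrate its rules.
set -eu

# is_fast_forward REPO OLD NEW
# Succeeds only if OLD is an ancestor of NEW, so a rewritten (force-pushed)
# history is detected and refused.
is_fast_forward() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# is_trusted_signature REPO COMMIT KEYRING
# Succeeds only if COMMIT carries a good git commit signature from a key in
# KEYRING. Pointing gpg at a dedicated keyring (assumed convention) means
# only keys deliberately imported for deployment are ever accepted.
is_trusted_signature() {
    GNUPGHOME="$3" git -C "$1" verify-commit "$2" >/dev/null 2>&1
}

# check_update REPO DEPLOYED CANDIDATE KEYRING
# Prints the decision and returns 0 only if both checks pass; an unsigned
# commit or a non-fast-forward candidate is rejected before anything is applied.
check_update() {
    repo=$1; deployed=$2; candidate=$3; keyring=$4
    if ! is_fast_forward "$repo" "$deployed" "$candidate"; then
        echo "reject: $candidate is not a fast-forward of $deployed (history rewritten?)"
        return 1
    fi
    if ! is_trusted_signature "$repo" "$candidate" "$keyring"; then
        echo "reject: $candidate has no good signature from a trusted key"
        return 1
    fi
    echo "accept: $candidate"
}
```

Run as `check_update /var/lib/config-repo "$(cat deployed-rev)" origin/main /etc/deploy-keyring` (paths are placeholders) before handing the candidate commit to the rebuild step.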