]> git.scottworley.com Git - auto-upgrade-with-pinch/blob - modules/auto-upgrade.nix
When becoming other users, cd to /
[auto-upgrade-with-pinch] / modules / auto-upgrade.nix
1 # auto-upgrade-with-pinch: Secure managed NixOS updates
2 #
3 # This program is free software: you can redistribute it and/or modify it
4 # under the terms of the GNU General Public License as published by the
5 # Free Software Foundation, version 3.
6
7 { config, lib, pkgs, ... }:
8 with lib;
9 let
10 local-pkgs = import ../. { inherit pkgs; };
11 cfg = config.system.autoUpgradeWithPinch;
12 pull-repo-script = pkgs.writeShellScript "pull-repo" ''
13 set -eo pipefail
14
15 path=$1
16 config=$2
17
18 prop() {
19 ${pkgs.jq}/bin/jq -r ".$1" <<< "$config"
20 }
21
22 echo Pulling in "$path" >&2
23
24 if [[ ! -e "$path" ]];then
25 d=$(mktemp -d)
26 ${pkgs.git}/bin/git init "$d"
27 ${pkgs.git}/bin/git -C "$d" checkout -b "$(prop localBranch)"
28 ${pkgs.git}/bin/git -C "$d" remote add "$(prop remoteName)" "$(prop url)"
29 ${pkgs.git}/bin/git -C "$d" branch -u "$(prop remoteBranch)"
30 mkdir -p "$(${pkgs.coreutils}/bin/dirname "$path")"
31 mv "$d" "$path"
32 fi
33
34 cd "$path"
35
36 if [[ "$(${pkgs.git}/bin/git remote get-url "$(prop remoteName)")" != "$(prop url)" ]]; then
37 echo Expected git remote "$(prop remoteName)" to point at "$(prop url)" \
38 but it points at "$(${pkgs.git}/bin/git remote get-url "$(prop remoteName)")" >&2
39 case "$(prop onRemoteURLMismatch)" in
40 abort) exit 1;;
41 update) echo Updating it >&2
42 ${pkgs.git}/bin/git -C "$d" remote set-url "$(prop remoteName)" "$(prop url)";;
43 esac
44 fi
45
46 ${pkgs.git}/bin/git fetch "$(prop remoteName)" "$(prop remoteBranch)"
47
48 if [[ "$(${pkgs.git}/bin/git rev-parse --abbrev-ref HEAD)" != "$(prop localBranch)" ]];then
49 echo Could not merge because currently-checked-out \
50 \""$(${pkgs.git}/bin/git rev-parse --abbrev-ref HEAD)"\" is not \
51 \""$(prop localBranch)"\"
52 case "$(prop onBranchMismatch)" in
53 abort) exit 1;;
54 continue) exit 0;;
55 esac
56 fi
57
58 if [[ "$(prop requireSignature)" == true ]]; then
59 ${pkgs.polite-merge}/bin/polite-merge \
60 -c gpg.program=${escapeShellArg (local-pkgs.keyed-gpg cfg.signingKeys)} \
61 merge --ff-only --verify-signatures
62 else
63 ${pkgs.polite-merge}/bin/polite-merge merge --ff-only
64 fi
65 '';
66
67 auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
68 ${pkgs.coreutils}/bin/nice -n 17 \
69 ${pkgs.util-linux}/bin/ionice -c 3 \
70 ${pkgs.util-linux}/bin/flock /run/auto-upgrade-with-pinch ${
71 pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
72 set -eo pipefail
73
74 dry_run=false
75 pinch_args=()
76 if [[ "$1" == --dry-run ]];then
77 dry_run=true
78 pinch_args=( --dry-run )
79 fi
80
81 hydrate() {
82 if "$dry_run";then
83 echo "Would run: $*"
84 else
85 "$@"
86 fi
87 }
88
89 die() {
90 echo "$*" >&2
91 exit 1
92 }
93
94 in_tmpdir() {
95 d=$(${pkgs.coreutils}/bin/mktemp -d)
96 pushd "$d"
97 "$@"
98 popd
99 ${pkgs.coreutils}/bin/rm -r "$d"
100 }
101
102 ${optionalString (cfg.upgradeConfigOwnershipPolicy != "any") (''
103 verify_ownership() {
104 if [[ "$1" != /* ]];then
105 die "Unexpected relative path: $1"
106 fi
107 if [[ "$1" != / ]];then
108 verify_ownership "$(${pkgs.coreutils}/bin/dirname "$1")"
109 fi
110 if [[ ! -e "$1" ]];then
111 die "Could not find upgrade config: $1 does not exist"
112 fi
113 if [[ -h "$1" ]];then
114 verify_ownership "$(
115 ${pkgs.coreutils}/bin/realpath --no-symlinks \
116 "$(${pkgs.coreutils}/bin/dirname "$1")/$(${pkgs.coreutils}/bin/readlink "$1")"
117 )"
118 fi
119 perms="$(${pkgs.findutils}/bin/find "$1" -maxdepth 0 -printf "%M")"
120 if [[ "$perms" == d*t ]];then
121 die "Will not use upgrade config in sticky directory $1"
122 fi
123 owner=$(${pkgs.findutils}/bin/find "$1" -maxdepth 0 -printf "%u")
124 if [[ "$owner" != root ]];then
125 die "Will not use upgrade config not owned by root in $1"
126 fi
127 if [[ "$perms" == l* ]];then
128 return 0 # Root-owned symlinks are fine
129 fi
130 if [[ "$perms" == *w? ]];then
131 die "Will not use world-writable upgrade config in $1"
132 fi
133 ${
134 {
135 root = ''
136 if [[ "$perms" == *w???? ]];then
137 die "Will not use group-writable upgrade config in $1"
138 fi
139 '';
140 wheel = ''
141 if [[ "$perms" == *w???? ]];then
142 group=$(${pkgs.findutils}/bin/find "$1" -maxdepth 0 -printf "%g")
143 if [[ "$group" != wheel ]];then
144 die "Will not use non-wheel-group group-writable upgrade config in $1"
145 fi
146 fi
147 '';
148 }."${cfg.upgradeConfigOwnershipPolicy}"
149 }
150 }
151 ''
152 + concatMapStringsSep "\n" (f: "verify_ownership ${escapeShellArg f}")
153 cfg.upgradeConfig)}
154
155 config=$(${pkgs.nix}/bin/nix-instantiate --eval --strict --json -A config \
156 --arg upgradeConfig ${
157 escapeShellArg ("["
158 + lib.concatMapStringsSep " " lib.strings.escapeNixString
159 cfg.upgradeConfig + "]")
160 } ${../upgrade-config.nix})
161
162 config_query() {
163 ${pkgs.jq}/bin/jq -r "$@" <<< "$config"
164 }
165
166 repo_query() {
167 config_query --arg path "$1" ".repos[\$ARGS.named.path]$2"
168 }
169
170 userenv_query() {
171 config_query --arg user "$1" ".userEnvironments[\$ARGS.named.user]$2"
172 }
173
174 # Pull updates
175 while read path;do
176 hydrate /run/wrappers/bin/sudo -u "$(repo_query "$path" .user)" \
177 ${pull-repo-script} "$path" "$(repo_query "$path" "")"
178 done < <( config_query '.repos | keys []' )
179
180 # Update channels
181 config_query '.pinchFiles[]' | ${pkgs.findutils}/bin/xargs --no-run-if-empty --delimiter=\\n ${pkgs.pinch}/bin/pinch update "''${pinch_args[@]}"
182
183 # Build
184 in_tmpdir hydrate ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
185 while read user;do
186 hydrate /run/wrappers/bin/sudo -u "$user" -D / \
187 ${pkgs.nix}/bin/nix-build --no-out-link '<nixpkgs>' -A "$(userenv_query "$user" .package)"
188 done < <( config_query '.userEnvironments | keys []' )
189
190 # Install
191 hydrate ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch
192 while read user;do
193 remove_arg=-r
194 if [[ "$(userenv_query "$user" .otherPackagesAction)" == keep ]];then
195 remove_arg=
196 fi
197 hydrate /run/wrappers/bin/sudo -u "$user" \
198 ${pkgs.nix}/bin/nix-env -f '<nixpkgs>' $remove_arg -iA "$(userenv_query "$user" .package)"
199 done < <( config_query '.userEnvironments | keys []' )
200 ''
201 }
202 '';
203
204 in {
205 options = {
206 system.autoUpgradeWithPinch = {
207
208 enable = mkOption {
209 type = types.bool;
210 default = false;
211 description = ''
212 Whether to periodically upgrade NixOS to the latest version.
213 Presumes that /etc/nixos is a git repo with a remote and
214 contains a pinch file called "channels".
215 '';
216 };
217
218 dates = mkOption {
219 default = "04:40";
220 type = types.str;
221 description = ''
222 Specification (in the format described by
223 <citerefentry><refentrytitle>systemd.time</refentrytitle>
224 <manvolnum>7</manvolnum></citerefentry>) of the time at
225 which the update will occur.
226 '';
227 };
228
229 signingKeys = mkOption {
230 type = types.listOf types.path;
231 description = ''
232 Files containing GPG keys that are authorized to sign updates.
233 Updates are only merged if the commit at the tip of the remote
234 ref is signed with one of these keys.
235 '';
236 };
237
238 upgradeConfig = mkOption {
239 type = types.listOf types.path;
240 description = ''
241 Configuration files that specify what git repo paths to pull, what
242 pinch files to update from, and what user environments to update.
243 These are specified in separate configuration files processed at
244 update time so that changes to this configuration take effect in
245 the same update cycle.
246 '';
247 };
248
249 upgradeConfigOwnershipPolicy = mkOption {
250 type = types.enum [ "root" "wheel" "any" ];
251 default = "root";
252 description = ''
253 Verify ownership of upgrade config files before using them for
254 system upgrades.
255
256 root = Config must be writable only by root.
257 wheel = Config must be writable only by root and wheel.
258 any = No checks. Not recommended.
259 '';
260 };
261 };
262 };
263
264 config = lib.mkIf cfg.enable {
265
266 security.sudo.extraRules = lib.mkAfter [{
267 groups = [ "users" ];
268 commands = [{
269 command = "${auto-upgrade-script}";
270 options = [ "NOPASSWD" "NOSETENV" ];
271 }];
272 }];
273 # NOSETENV above still allows through ~17 vars, including PATH. Block those
274 # as well:
275 security.sudo.extraConfig = ''
276 Defaults!${auto-upgrade-script} !env_check
277 Defaults!${auto-upgrade-script} !env_keep
278 '';
279
280 nixpkgs.overlays = [
281 (import ../overlays/pinch.nix)
282 (import ../overlays/polite-merge.nix)
283 (self: super: {
284 auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
285 /run/wrappers/bin/sudo ${auto-upgrade-script}
286 '';
287 })
288 ];
289
290 environment.systemPackages = [ pkgs.auto-upgrade ];
291
292 systemd.services.nixos-upgrade = {
293 description = "NixOS Upgrade";
294 restartIfChanged = false;
295 unitConfig.X-StopOnRemoval = false;
296 serviceConfig.Type = "oneshot";
297 environment = config.nix.envVars // {
298 inherit (config.environment.sessionVariables) NIX_PATH;
299 HOME = "/root";
300 } // config.networking.proxy.envVars;
301
302 path = with pkgs; [
303 config.nix.package.out
304 coreutils
305 git
306 gitMinimal
307 gnutar
308 gzip
309 xz.bin
310 ];
311
312 script = ''
313 set -eo pipefail
314
315 # Chill for awhile before applying updates. If applying an update
316 # badly breaks things, we want a window in which an operator can
317 # intervene either to fix the problem or disable automatic updates.
318 sleep 2h
319
320 ${auto-upgrade-script}
321 '';
322
323 startAt = cfg.dates;
324 };
325 };
326 }