]> git.scottworley.com Git - auto-upgrade-with-pinch/blob - upgrade-config.nix
projects / auto-upgrade-with-pinch / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Narrow sudoers to runAs=root
[auto-upgrade-with-pinch] / upgrade-config.nix
1 {
2 upgradeConfig,
3 lib ? (import <nixpkgs> { }).lib,
4 }:
5 with lib;
6 evalModules {
7 modules = upgradeConfig ++ [
8 {
9 options = {
10
11 enable = mkOption {
12 type = types.bool;
13 default = false;
14 description = ''
15 Whether to periodically upgrade NixOS to the latest version.
16 Presumes that /etc/nixos is a git repo with a remote and
17 contains a pinch file called "channels".
18 '';
19 };
20
21 dates = mkOption {
22 default = "04:40";
23 type = types.str;
24 description = ''
25 Specification (in the format described by
26 <citerefentry><refentrytitle>systemd.time</refentrytitle>
27 <manvolnum>7</manvolnum></citerefentry>) of the time at
28 which the update will occur.
29 '';
30 };
31
32 repos = mkOption {
33 description = ''
34 Git repositories to pull before running pinch. These are maintained
35 as git checkouts at specified places in the filesystem with specified
36 ownership rather than kept read-only in the nix store so that humans
37 can use them both as points of intervention in the automation and to
38 author and push changes back up.
39 '';
40 default = { };
41 type = types.attrsOf (
42 types.submodule {
43 options = {
44 url = mkOption {
45 description = "Remote git repo.";
46 type = types.str;
47 };
48 remoteName = mkOption {
49 description = ''Name of the git remote. Customarily "origin".'';
50 type = types.str;
51 default = "origin";
52 };
53 onRemoteURLMismatch = mkOption {
54 description = ''
55 What to do if the remote URL in the git repo doesn't match the
56 URL configured here.
57 '';
58 type = types.enum [
59 "update"
60 "abort"
61 ];
62 default = "update";
63 };
64 onBranchMismatch = mkOption {
65 description = ''
66 What to do if a different branch is currently checked out.
67
68 (Changes from <literal>remoteBranch</literal> are only ever
69 merged into <literal>localBranch</literal>, so if a different
70 branch is checked out, no remote changes will be merged.)
71 '';
72 type = types.enum [
73 "continue"
74 "abort"
75 ];
76 default = "continue";
77 };
78 user = mkOption {
79 description = "User as which to run 'git fetch'";
80 type = types.str;
81 };
82 localBranch = mkOption {
83 description = "";
84 type = types.str;
85 default = "master";
86 };
87 remoteBranch = mkOption {
88 type = types.str;
89 default = "master";
90 };
91 requireSignature = mkOption {
92 type = types.bool;
93 default = true;
94 description = ''
95 Only pull when the tip of the remote ref is signed by a key
96 specifed in <literal>signingKeys</literal>.
97 '';
98 };
99 };
100 }
101 );
102 example = {
103 "/etc/nixos" = {
104 url = "https://github.com/chkno/auto-upgrade-demo-nixos";
105 user = "root";
106 signingKeys = [ ./admins.asc ];
107 };
108 "/home/alice/.config/nixpkgs" = {
109 url = "https://github.com/chkno/auto-upgrade-demo-user-nixpkgs";
110 user = "alice";
111 signingKeys = [
112 ./admins.asc
113 ./alice.asc
114 ];
115 };
116 };
117 };
118
119 pinchFiles = mkOption {
120 description = ''
121 Pinch files to use for channel updates. Typically these are inside
122 <literal>repos</literal>' paths.
123 '';
124 type = types.listOf types.path;
125 default = [ ];
126 example = [ "/etc/nixos/channels" ];
127 };
128
129 userEnvironments = mkOption {
130 description = ''
131 User environments to update as part of an upgrade run.
132 '';
133 default = { };
134 type = types.attrsOf (
135 types.submodule {
136 options = {
137 package = mkOption {
138 type = types.str;
139 default = "userPackages";
140 description = ''
141 The name of the single package that will be updated. You'll
142 want to create an 'entire user environment' package as shown in
143 https://nixos.wiki/wiki/FAQ#How_can_I_manage_software_with_nix-env_like_with_configuration.nix.3F
144 '';
145 };
146 otherPackagesAction = mkOption {
147 type = types.enum [
148 "remove"
149 "keep"
150 "abort"
151 ];
152 default = "remove";
153 description = ''
154 What to do with packages other than <literal>package</literal>.
155
156 THIS DEFAULTS TO "remove", WHICH IS POTENTIALLY SOMEWHAT
157 DESTRUCTIVE! This is the default because it is the recommended
158 setting -- This module recommends managing your environment
159 through your one entire-environment <literal>package</literal>.
160 This keeps your environment declarative and ensures that all
161 packages receive regular updates.
162 '';
163 # It seems like "upgrade" ought to be another choice here, powered
164 # by "nix-env --upgrade". But when I tried this, it didn't work.
165 };
166 };
167 }
168 );
169 example = {
170 alice = { };
171 };
172 };
173 };
174 }
175 ];
176 }
Automatic NixOS upgrades with pinch