1 { upgradeConfig, lib ? (import <nixpkgs> { }).lib, }:
4 modules = upgradeConfig ++ [{
11 Whether to periodically upgrade NixOS to the latest version.
12 Presumes that /etc/nixos is a git repo with a remote and
13 contains a pinch file called "channels".
21 Specification (in the format described by
22 <citerefentry><refentrytitle>systemd.time</refentrytitle>
23 <manvolnum>7</manvolnum></citerefentry>) of the time at
24 which the update will occur.
30 Git repositories to pull before running pinch. These are maintained
31 as git checkouts at specified places in the filesystem with specified
32 ownership rather than kept read-only in the nix store so that humans
33 can use them both as points of intervention in the automation and to
34 author and push changes back up.
36 type = types.attrsOf (types.submodule {
39 description = "Remote git repo.";
42 remoteName = mkOption {
43 description = ''Name of the git remote. Customarily "origin".'';
47 onRemoteURLMismatch = mkOption {
49 What to do if the remote URL in the git repo doesn't match the
52 type = types.enum [ "update" "abort" ];
55 onBranchMismatch = mkOption {
57 What to do if a different branch is currently checked out.
59 (Changes from <literal>remoteBranch</literal> are only ever
60 merged into <literal>localBranch</literal>, so if a different
61 branch is checked out, no remote changes will be merged.)
63 type = types.enum [ "continue" "abort" ];
67 description = "User as which to run 'git fetch'";
70 localBranch = mkOption {
75 remoteBranch = mkOption {
79 requireSignature = mkOption {
83 Only pull when the tip of the remote ref is signed by a key
84 specifed in <literal>signingKeys</literal>.
87 signingKeys = mkOption {
88 type = types.listOf types.path;
90 Files containing GPG keys that are authorized to sign updates.
91 Updates are only merged if the commit at the tip of the remote
92 ref is signed with one of these keys.
99 url = "https://github.com/chkno/auto-upgrade-demo-nixos";
101 signingKeys = [ ./admins.asc ];
103 "/home/alice/.config/nixpkgs" = {
104 url = "https://github.com/chkno/auto-upgrade-demo-user-nixpkgs";
106 signingKeys = [ ./admins.asc ./alice.asc ];
111 pinchFiles = mkOption {
113 Pinch files to use for channel updates. Typically these are inside
114 <literal>repos</literal>' paths.
116 type = types.listOf types.path;
117 example = [ "/etc/nixos/channels" ];
120 userEnvironments = mkOption {
122 User environments to update as part of an upgrade run.
124 type = types.attrsOf (types.submodule {
128 default = "userPackages";
130 The name of the single package that will be updated. You'll
131 want to create an 'entire user environment' package as shown in
132 https://nixos.wiki/wiki/FAQ#How_can_I_manage_software_with_nix-env_like_with_configuration.nix.3F
135 otherPackagesAction = mkOption {
136 type = types.enum [ "remove" "keep" "abort" ];
139 What to do with packages other than <literal>package</literal>.
141 THIS DEFAULTS TO "remove", WHICH IS POTENTIALLY SOMEWHAT
142 DESTRUCTIVE! This is the default because it is the recommended
143 setting -- This module recommends managing your environment
144 through your one entire-environment <literal>package</literal>.
145 This keeps your environment declarative and ensures that all
146 packages receive regular updates.
148 # It seems like "upgrade" ought to be another choice here, powered
149 # by "nix-env --upgrade". But when I tried this, it didn't work.
153 example = { alice = { }; };
projects / auto-upgrade-with-pinch / blob