with lib;
let
cfg = config.system.autoUpgradeWithPinch;
+ pull-repo-snippet = ''
+ (
+ cd /etc/nixos
+ ${pkgs.git}/bin/git fetch
+ PATH="${pkgs.keyedgit cfg.keys}/bin:$PATH" \
+ ${pkgs.polite-merge}/bin/polite-merge --ff-only --verify-signatures
+ )
+ '';
+
auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
- flock /run/auto-upgrade-with-pinch ${
+ ${pkgs.utillinux}/bin/flock /run/auto-upgrade-with-pinch ${
pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
set -e
- (
- cd /etc/nixos
- ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
- ${pkgs.pinch}/bin/pinch update channels
- )
- ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
+ in_tmpdir() {
+ d=$(mktemp -d)
+ pushd "$d"
+ "$@"
+ popd
+ rm -r "$d"
+ }
+
+ as_user() {
+ ${
+ if cfg.userEnvironment.enable then ''
+ /run/wrappers/bin/sudo -u ${escapeShellArg cfg.userEnvironment.user} "$@"
+ '' else ''
+ :
+ ''
+ }
+ }
+
+ # Pull updates
+ ${pull-repo-snippet}
+
+ # Update channels
+ ${pkgs.pinch}/bin/pinch update /etc/nixos/channels
+
+ # Build
+ in_tmpdir ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
+ as_user nix-build --no-out-link '<nixpkgs>' -A ${
+ escapeShellArg cfg.userEnvironment.package
+ }
+
+ # Install
+ ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch
+ as_user nix-env -f '<nixpkgs>' -riA ${
+ escapeShellArg cfg.userEnvironment.package
+ }
''
}
'';
'';
};
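Review bot: `in_tmpdir` leaks its scratch directory whenever the wrapped command fails: the inner script runs under `set -e`, so a non-zero exit from `"$@"` aborts the function before `rm -r "$d"` is reached, leaving the root-owned `mktemp` directory (with the `result` link that `nixos-rebuild build` drops there) behind on every failed upgrade. Registering the cleanup at exit instead makes it run on both paths: keep `d=$(mktemp -d)`, add `trap 'rm -rf "$d"' EXIT` right after it, and drop the trailing `rm -r "$d"` (the directory is freshly created by `mktemp`, so a recursive delete of `"$d"` is safe). Separately, `as_user` invokes `nix-build '<nixpkgs>'` through `sudo -u`, which on most configurations resets the environment, so `<nixpkgs>` presumably resolves from that user's own NIX_PATH/channels rather than the channels just updated under `/etc/nixos/channels` — if that is intended it deserves a comment, otherwise the channel path should be passed explicitly. The surrounding module is only partly visible in this hunk, so the `let` binding and the service definition it feeds may continue outside it.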
- key = mkOption {
+ keys = mkOption {
type = types.path;
description = ''
- GPG key that signs updates. Updates are only merged if the commit
- at the tip of the remote branch is signed with this key.
+ File containing GPG keys that sign updates. Updates are only merged
+ if the commit at the tip of the remote branch is signed with one of
+ these keys.
'';
};
+
+ userEnvironment = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to update a user-environment as well. This update is done
+ with nix-env -riA. Note the -r! I.e., ALL OTHER PACKAGES INSTALLED
+ WITH nix-env WILL BE DELETED!
+
+ This presumes that you have configured an "entire user environment"
+ package as shown in
+ https://nixos.wiki/wiki/FAQ#How_can_I_manage_software_with_nix-env_like_with_configuration.nix.3F
+
+ To check if you're set up for this, run "nix-env --query". If it
+ only lists one package, you're good to go.
+ '';
+ };
+
+ user = mkOption {
+ type = types.str;
+ description = ''
+ The username of the user whose environment should be updated.
+ '';
+ };
+
+ package = mkOption {
+ type = types.str;
+ example = "nixos.userPackages";
+ description = ''
+ The name of the single package that is the user's entire environment.
+ '';
+ };
+
+ };
};
};
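Review bot: The `keys` description should spell out the limit of the check it describes: `--verify-signatures` only verifies the signature on the tip commit of the fetched branch, so any commits between the current head and a validly signed tip are merged without their own signatures being checked, and any key in the file is accepted regardless of which maintainer it belongs to. Suggested addition to the description: "Only the tip commit is verified; earlier commits in the fetched range are not checked individually, so restrict this file to keys of maintainers trusted to review the whole branch." Since the option is `types.path`, the file is presumably copied into the Nix store when interpolated, which is fine for public keys but worth stating so nobody points it at a keyring containing private material.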
nixpkgs.overlays = [
(import ../overlays/keyedgit.nix)
(import ../overlays/pinch.nix)
+ (import ../overlays/polite-merge.nix)
(self: super: {
auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
- sudo ${auto-upgrade-script}
+ /run/wrappers/bin/sudo ${auto-upgrade-script}
'';
})
];
startAt = cfg.dates;
};
+
+ assertions = [{
+ assertion = cfg.userEnvironment.enable -> cfg.enable;
+ message =
+ "User environment upgrades cannot yet be enabled separately from system upgrades.";
+ }];
};
}