]> git.scottworley.com Git - auto-upgrade-with-pinch/blobdiff - README.md
projects / auto-upgrade-with-pinch / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
License and README
[auto-upgrade-with-pinch] / README.md
diff --git a/README.md b/README.md
new file mode 100644 (file)
index 0000000..3158737
--- /dev/null
+++ b/README.md
@@ -0,0 +1,19 @@
+# auto-upgrade-with-[pinch](https://git.scottworley.com/pinch)
+
+Automatically update a [NixOS](https://nixos.org/) machine from a remote
+git repo.
+
+The advantage of this over [NixOps](nixos.org/nixops) is in
+authentication: NixOps requires granting a general-purpose administrator
+credential for the machines under management to the actor pushing
+the updates.  This credential is intended to be used only for pushing
+updates, but could be used for any other purpose.  Reliably logging and
+auditing what is done with this credential if it is used interactively
+is extremely difficult.
+
+This tool, on the other hand, only applies configuration changes
+recorded in a git repository.  This is transparent and easy to audit.
+Configuration updates are pulled, not pushed.  Configuration updates
+must be signed (with normal git commit signatures).  Force-pushed updates
+are rejected.  Additional policy can be easily enforced with normal git
+repository control mechanisms, such as requiring code reviews.
Automatic NixOS upgrades with pinch