--- /dev/null
+# auto-upgrade-with-[pinch](https://git.scottworley.com/pinch)
+
+Automatically update a [NixOS](https://nixos.org/) machine from a remote
+git repo.
+
+The advantage of this over [NixOps](nixos.org/nixops) is in
+authentication: NixOps requires granting a general-purpose administrator
+credential for the machines under management to the actor pushing
+the updates. This credential is intended to be used only for pushing
+updates, but could be used for any other purpose. Reliably logging and
+auditing what is done with this credential if it is used interactively
+is extremely difficult.
+
+This tool, on the other hand, only applies configuration changes
+recorded in a git repository. This is transparent and easy to audit.
+Configuration updates are pulled, not pushed. Configuration updates
+must be signed (with normal git commit signatures). Force-pushed updates
+are rejected. Additional policy can be easily enforced with normal git
+repository control mechanisms, such as requiring code reviews.
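Review bot: the NixOps link on the line `+The advantage of this over [NixOps](nixos.org/nixops) is in` has no URL scheme, so Markdown renders it as a relative link under the repository rather than to nixos.org; change it to `[NixOps](https://nixos.org/nixops)`, matching the `https://nixos.org/` link used two paragraphs above. The final paragraph states the enforced policy (commits must be signed, force-pushes are rejected) but not how that policy is configured: a sentence on which signing keys are trusted for verification and where that trust is declared would let an operator check the guarantees the README describes, and the heading `# auto-upgrade-with-[pinch](https://git.scottworley.com/pinch)` embeds a link inside the title, which some renderers display poorly; moving the pinch link into the first sentence of the body would be clearer.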