Separate fetch and update steps

[auto-upgrade-with-pinch] / modules / auto-upgrade.nix

diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index 8bf21aaaf988c5d3b0b5d6648ca403785276d05f..aabb0e2dcc4c6a530e9f9b40b2f456a797bb4143 100644 (file)
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -25,13 +25,16 @@ let
           }
         }
 
-        # Update channels
+        # Fetch updates
         (
           cd /etc/nixos
-          ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
-          ${pkgs.pinch}/bin/pinch update channels
+          ${pkgs.git}/bin/git fetch
+          PATH="${pkgs.keyedgit cfg.keys}/bin:$PATH" ${pkgs.polite-merge}/bin/polite-merge --ff-only --verify-signatures
         )
 
+        # Update channels
+        ${pkgs.pinch}/bin/pinch update /etc/nixos/channels
+
         # Build
         in_tmpdir ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
         as_user nix-build --no-out-link '<nixpkgs>' -A ${
@@ -71,11 +74,12 @@ in {
         '';
       };
 
-      key = mkOption {
+      keys = mkOption {
         type = types.path;
         description = ''
-          GPG key that signs updates.  Updates are only merged if the commit
-          at the tip of the remote branch is signed with this key.
+          File containing GPG keys that sign updates.  Updates are only merged
+          if the commit at the tip of the remote branch is signed with one of
+          these keys.
         '';
       };
 
@@ -135,6 +139,7 @@ in {
     nixpkgs.overlays = [
       (import ../overlays/keyedgit.nix)
       (import ../overlays/pinch.nix)
+      (import ../overlays/polite-merge.nix)
       (self: super: {
         auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
           /run/wrappers/bin/sudo ${auto-upgrade-script}