No-sudo, no-password auto-upgrade

[auto-upgrade-with-pinch] / modules / auto-upgrade.nix

diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index 974ebb7a9d96a091e0157428aa6d817b9bfa0949..3a0d25d4d20f148ddd6f4d447a273950a03ac618 100644 (file)
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -1,6 +1,21 @@
 { config, lib, pkgs, ... }:
 with lib;
 { config, lib, pkgs, ... }:
 with lib;

-let cfg = config.system.autoUpgradeWithPinch;
+let
+  cfg = config.system.autoUpgradeWithPinch;
+  auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
+    flock /run/auto-upgrade-with-pinch ${
+      pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
+        set -e
+        (
+          cd /etc/nixos
+          ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
+          ${pkgs.pinch}/bin/pinch update channels
+        )
+
+        ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
+      ''
+    }
+  '';

 in {
   options = {
     system.autoUpgradeWithPinch = {
 in {
   options = {
     system.autoUpgradeWithPinch = {


@@ -37,19 +52,27 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
   };
 
   config = lib.mkIf cfg.enable {

+
+    security.sudo.extraRules = lib.mkAfter [{
+      groups = [ "users" ];
+      commands = [{
+        command = "${auto-upgrade-script}";
+        options = [ "NOPASSWD" "NOSETENV" ];
+      }];
+    }];
+    # NOSETENV above still allows through ~17 vars, including PATH.  Block those
+    # as well:
+    security.sudo.extraConfig = ''
+      Defaults!${auto-upgrade-script} !env_check
+      Defaults!${auto-upgrade-script} !env_keep
+    '';
+

     nixpkgs.overlays = [
       (import ../overlays/keyedgit.nix)
       (import ../overlays/pinch.nix)
       (self: super: {
         auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
     nixpkgs.overlays = [
       (import ../overlays/keyedgit.nix)
       (import ../overlays/pinch.nix)
       (self: super: {
         auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''

-        set -e
-        (
-          cd /etc/nixos
-          ${self.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
-          ${self.pinch}/bin/pinch update channels
-        )
-
-        ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
+          sudo ${auto-upgrade-script}

         '';
       })
     ];
         '';
       })
     ];


@@ -84,7 +107,18 @@ in {
         # intervene either to fix the problem or disable automatic updates.
         sleep 2h
 
         # intervene either to fix the problem or disable automatic updates.
         sleep 2h
 

-        ${pkgs.auto-upgrade}/bin/auto-upgrade
+        # Wait until outside business hours
+        now=$(date +%s)
+        day_of_week=$(date +%u)
+        business_start=$(date -d  8:00 +%s)
+        business_end=$(  date -d 17:00 +%s)
+        if (( day_of_week <= 5 && now > business_start && now < business_end ));then
+          delay=$((business_end - now))
+          echo "Waiting $delay seconds so we don't upgrade during business hours" >&2
+          sleep "$delay"
+        fi
+
+        ${auto-upgrade-script}

       '';
 
       startAt = cfg.dates;
       '';
 
       startAt = cfg.dates;