When becoming other users, cd to /
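index a5c8b503d50e1842315d857ba46c4b3ba41ee3c5..f3089bd7f75ff210017dd574d624b88ef79b9fb2 100644
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -1,3 +1,9 @@
+# auto-upgrade-with-pinch: Secure managed NixOS updates
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, version 3.
+
 { config, lib, pkgs, ... }:
 with lib;
 let
@@ -59,6 +65,8 @@ let
   '';
 
   auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
+    ${pkgs.coreutils}/bin/nice -n 17 \
+    ${pkgs.util-linux}/bin/ionice -c 3 \
     ${pkgs.util-linux}/bin/flock /run/auto-upgrade-with-pinch ${
       pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
         set -eo pipefail
@@ -175,7 +183,7 @@ let
         # Build
         in_tmpdir hydrate ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
         while read user;do
-          hydrate /run/wrappers/bin/sudo -u "$user" \
+          hydrate /run/wrappers/bin/sudo -u "$user" -D / \
             ${pkgs.nix}/bin/nix-build --no-out-link '<nixpkgs>' -A "$(userenv_query "$user" .package)"
         done < <( config_query '.userEnvironments | keys []' )
 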
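Review bot: The `-D /` added to the `sudo -u "$user"` line in the last hunk depends on the sudoers policy allowing a caller-chosen working directory: sudo 1.9.3+ gates `-D` on the matching rule's `CWD=` option, and if the rule used here does not permit `/` (for example via `CWD=*`), sudo refuses the command and, since the enclosing script runs under `set -eo pipefail`, the entire upgrade aborts instead of just that user's build — worth confirming against the module's sudoers rule, which is not visible in the diff. The new line also carries no comment saying why the per-user `nix-build` must not inherit the caller's working directory (presumably the `in_tmpdir` directory the upgrade runs in), so a reader cannot tell whether the intent is access control, reproducibility, or both; a one-line comment above the `sudo` line such as `# run from / so the per-user build does not run in, or depend on, the upgrade's working directory (confirm intent)` would record it. A second, lesser point is in the middle hunk: `nice`/`ionice` wrap the client side of the upgrade, but if builds are performed by `nix-daemon` rather than in-process they will not inherit these priorities, so the comment or commit message should state which work the wrapping is expected to throttle. The `while read user` loop belongs to the `auto-upgrade-with-lock-held` script, whose beginning and end lie outside the hunk.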