+
+ security.sudo.extraRules = lib.mkAfter [{
+ groups = [ "users" ];
+ commands = [{
+ command = "${auto-upgrade-script}";
+ options = [ "NOPASSWD" "NOSETENV" ];
+ }];
+ }];
+ # NOSETENV above still allows through ~17 vars, including PATH. Block those
+ # as well:
+ security.sudo.extraConfig = ''
+ Defaults!${auto-upgrade-script} !env_check
+ Defaults!${auto-upgrade-script} !env_keep
+ '';
+
+ nixpkgs.overlays = [
+ (import ../overlays/keyedgit.nix)
+ (import ../overlays/pinch.nix)
+ (self: super: {
+ auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
+ sudo ${auto-upgrade-script}
+ '';
+ })
+ ];
+
+ environment.systemPackages = [ pkgs.auto-upgrade ];
+