+ nixpkgs.overlays = [
+ (import ../overlays/keyedgit.nix)
+ (import ../overlays/pinch.nix)
+ (self: super: {
+ auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
+ flock /run/auto-upgrade-with-pinch ${super.writeShellScript "auto-upgrade-with-lock-held" ''
+ set -e
+ (
+ cd /etc/nixos
+ ${self.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
+ ${self.pinch}/bin/pinch update channels
+ )
+
+ ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
+ ''}
+ '';
+ })
+ ];
+
+ environment.systemPackages = [ pkgs.auto-upgrade ];
+