+let
+ cfg = config.system.autoUpgradeWithPinch;
+ auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
+ ${pkgs.utillinux}/bin/flock /run/auto-upgrade-with-pinch ${
+ pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
+ set -e
+
+ in_tmpdir() {
+ d=$(mktemp -d)
+ pushd "$d"
+ "$@"
+ popd
+ rm -r "$d"
+ }
+
+ as_user() {
+ ${
+ if cfg.userEnvironment.enable then ''
+ /run/wrappers/bin/sudo -u ${escapeShellArg cfg.userEnvironment.user} "$@"
+ '' else ''
+ :
+ ''
+ }
+ }
+
+ # Fetch updates
+ (
+ cd /etc/nixos
+ ${pkgs.git}/bin/git fetch
+ PATH="${pkgs.keyedgit cfg.keys}/bin:$PATH" ${pkgs.polite-merge}/bin/polite-merge --ff-only --verify-signatures
+ )
+
+ # Update channels
+ ${pkgs.pinch}/bin/pinch update /etc/nixos/channels
+
+ # Build
+ in_tmpdir ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
+ as_user nix-build --no-out-link '<nixpkgs>' -A ${
+ escapeShellArg cfg.userEnvironment.package
+ }
+
+ # Install
+ ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch
+ as_user nix-env -f '<nixpkgs>' -riA ${
+ escapeShellArg cfg.userEnvironment.package
+ }
+ ''
+ }
+ '';