+# auto-upgrade-with-pinch: Secure managed NixOS updates
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, version 3.
+
{ config, lib, pkgs, ... }:
with lib;
let
'';
auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
- ${pkgs.utillinux}/bin/flock /run/auto-upgrade-with-pinch ${
+ ${pkgs.coreutils}/bin/nice -n 17 \
+ ${pkgs.util-linux}/bin/ionice -c 3 \
+ ${pkgs.util-linux}/bin/flock /run/auto-upgrade-with-pinch ${
pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
set -eo pipefail
# Build
in_tmpdir hydrate ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
while read user;do
- hydrate /run/wrappers/bin/sudo -u "$user" \
+ hydrate /run/wrappers/bin/sudo -u "$user" -D / \
${pkgs.nix}/bin/nix-build --no-out-link '<nixpkgs>' -A "$(userenv_query "$user" .package)"
done < <( config_query '.userEnvironments | keys []' )
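Review bot: The new `sudo -u "$user" -D /` depends on a sudoers grant that the hunk does not add: sudo (1.9.3+) only honours `-D` when the matching rule allows the directory via `CWD=*` or `CWD=/`, and otherwise rejects the command with "you are not permitted to use the -D option" — with `set -eo pipefail` in effect that aborts the whole per-user loop on the first user, so it is worth confirming that NixOS's default root rule permits it. If the goal is only to avoid running from root's current directory (e.g. a tmpdir the target user cannot enter), changing the working directory before invoking sudo needs no grant: `(cd / && hydrate /run/wrappers/bin/sudo -u "$user" \` with the `nix-build` line kept as the second line of the subshell. Separately, `'<nixpkgs>'` is resolved from the target user's NIX_PATH after sudo's env_reset, which presumably is the intent (per-user channel), but a one-line comment such as `# resolve <nixpkgs> from the user's own NIX_PATH, not root's` would make that explicit. The enclosing `auto-upgrade-with-lock-held` script continues past the end of this hunk.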