let
cfg = config.system.autoUpgradeWithPinch;
auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
- flock /run/auto-upgrade-with-pinch ${
+ ${pkgs.utillinux}/bin/flock /run/auto-upgrade-with-pinch ${
pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
set -e
as_user() {
${
if cfg.userEnvironment.enable then ''
- sudo -u ${escapeShellArg cfg.userEnvironment.user} "$@"
+ /run/wrappers/bin/sudo -u ${escapeShellArg cfg.userEnvironment.user} "$@"
'' else ''
:
''
}
}
- # Update channels
+ # Fetch updates
(
cd /etc/nixos
- ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
- ${pkgs.pinch}/bin/pinch update channels
+ ${pkgs.git}/bin/git fetch
+ PATH="${pkgs.keyedgit cfg.keys}/bin:$PATH" ${pkgs.polite-merge}/bin/polite-merge --ff-only --verify-signatures
)
+ # Update channels
+ ${pkgs.pinch}/bin/pinch update /etc/nixos/channels
+
# Build
in_tmpdir ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
- as_user nix-build '<nixpkgs>' -A ${
+ as_user nix-build --no-out-link '<nixpkgs>' -A ${
escapeShellArg cfg.userEnvironment.package
}
'';
};
- key = mkOption {
+ keys = mkOption {
type = types.path;
description = ''
- GPG key that signs updates. Updates are only merged if the commit
- at the tip of the remote branch is signed with this key.
+ File containing GPG keys that sign updates. Updates are only merged
+ if the commit at the tip of the remote branch is signed with one of
+ these keys.
'';
};
nixpkgs.overlays = [
(import ../overlays/keyedgit.nix)
(import ../overlays/pinch.nix)
+ (import ../overlays/polite-merge.nix)
(self: super: {
auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
- sudo ${auto-upgrade-script}
+ /run/wrappers/bin/sudo ${auto-upgrade-script}
'';
})
];
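Review bot: The signature check now depends on `polite-merge` resolving `git` through the prefixed `PATH` (the `PATH="${pkgs.keyedgit cfg.keys}/bin:$PATH" … polite-merge --ff-only --verify-signatures` line), whereas the removed `git pull` line called the keyed git binary explicitly; the preceding `${pkgs.git}/bin/git fetch` uses the unkeyed git, which is fine because fetch makes no trust decision, but nothing in the script records that the verification now lives in polite-merge's choice of git. I would add above the fetch: `# fetch needs no keyring; signature verification happens in polite-merge, which must pick up keyedgit's git from PATH` so a future change to polite-merge (or to an absolute git path inside it) is recognised as touching the trust boundary. The option is renamed from `key` to `keys` without a renamed-option alias, so existing configurations setting `key` will fail to evaluate; if that is intended, the description could say so. The `let` binding containing the script starts at the top of the diff and its enclosing module ends outside it.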