When becoming other users, cd to / with pushd, not sudo -D
index 54a30835d490a8215af0875868b921eac59d7abd..0977176a8176855b4521ef60dc7b875062fda921 100644 (file)
@@ -1,3 +1,9 @@
+# auto-upgrade-with-pinch: Secure managed NixOS updates
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, version 3.
+
 { config, lib, pkgs, ... }:
 with lib;
 let
 { config, lib, pkgs, ... }:
 with lib;
 let
@@ -59,7 +65,9 @@ let
   '';
 
   auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
   '';
 
   auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
-    ${pkgs.utillinux}/bin/flock /run/auto-upgrade-with-pinch ${
+    ${pkgs.coreutils}/bin/nice -n 17 \
+    ${pkgs.util-linux}/bin/ionice -c 3 \
+    ${pkgs.util-linux}/bin/flock /run/auto-upgrade-with-pinch ${
       pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
         set -eo pipefail
 
       pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
         set -eo pipefail
 
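Review bot: `ionice -c 3` is placed in front of `flock`, so the whole locked run — not just the build — goes into the idle I/O class, which only gets disk time when nothing else on the host is issuing I/O; under sustained foreground I/O the script can sit for a long time holding `/run/auto-upgrade-with-pinch`, and if the install/switch step further down this file runs under the same wrapper (as its position inside the lock-held script suggests), that also stretches the window during which a partially applied activation is in progress. If that trade-off is intended, record it above the `nice` line, e.g. `# Idle I/O class: the entire upgrade, including activation, yields all disk time to foreground work.`; if not, `ionice -c 2 -n 7` (lowest best-effort priority) still throttles without being starved indefinitely. The wrapped `auto-upgrade-with-lock-held` script continues past the end of this hunk.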
@@ -144,12 +152,12 @@ let
           + concatMapStringsSep "\n" (f: "verify_ownership ${escapeShellArg f}")
           cfg.upgradeConfig)}
 
           + concatMapStringsSep "\n" (f: "verify_ownership ${escapeShellArg f}")
           cfg.upgradeConfig)}
 
-        config=$(${pkgs.nix}/bin/nix eval --json -f ${../upgrade-config.nix} \
+        config=$(${pkgs.nix}/bin/nix-instantiate --eval --strict --json -A config \
           --arg upgradeConfig ${
             escapeShellArg ("["
               + lib.concatMapStringsSep " " lib.strings.escapeNixString
               cfg.upgradeConfig + "]")
           --arg upgradeConfig ${
             escapeShellArg ("["
               + lib.concatMapStringsSep " " lib.strings.escapeNixString
               cfg.upgradeConfig + "]")
-          } config)
+          } ${../upgrade-config.nix})
 
         config_query() {
           ${pkgs.jq}/bin/jq -r "$@" <<< "$config"
 
         config_query() {
           ${pkgs.jq}/bin/jq -r "$@" <<< "$config"
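Review bot: The `verify_ownership` loop just above this hunk covers only the files listed in `cfg.upgradeConfig`, but the new `nix-instantiate --eval` call hands those paths to `upgrade-config.nix` as Nix strings, and whatever the evaluated files `import`, `readFile` or fetch is read (presumably as root, given the `sudo -u` further down) without that check, with the usual gap between the ownership check and the read. The replaced `nix eval` form had the same property, but this is the line where the trust assumption should be written down, e.g. `# Listed config files are ownership-checked above; paths they import are not — keep them in root-owned directories.`, or tightened with `--option restrict-eval true` plus explicit `-I` entries if the config files are not meant to reach outside their own tree. `-A config` together with `--strict --json` is the right replacement for the old `nix eval --json … config` form. The enclosing `auto-upgrade-with-lock-held` script starts and ends outside the hunk.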
@@ -175,8 +183,10 @@ let
         # Build
         in_tmpdir hydrate ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
         while read user;do
         # Build
         in_tmpdir hydrate ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
         while read user;do
+          pushd /
           hydrate /run/wrappers/bin/sudo -u "$user" \
             ${pkgs.nix}/bin/nix-build --no-out-link '<nixpkgs>' -A "$(userenv_query "$user" .package)"
           hydrate /run/wrappers/bin/sudo -u "$user" \
             ${pkgs.nix}/bin/nix-build --no-out-link '<nixpkgs>' -A "$(userenv_query "$user" .package)"
+          popd
         done < <( config_query '.userEnvironments | keys []' )
 
         # Install
         done < <( config_query '.userEnvironments | keys []' )
 
         # Install
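Review bot: `pushd /` and `popd` print the directory stack to stdout on every iteration, so each user-environment build now adds a `/ <previous dir>` line to the upgrade log; use `pushd / >/dev/null` and `popd >/dev/null`, or drop the stack altogether by running the body in a subshell, `( cd / && hydrate /run/wrappers/bin/sudo -u "$user" … )`, which also avoids an unbalanced stack when `set -e` aborts between the two (harmless here only because the script exits). The reason `/` is needed — presumably the invoking directory is unreadable to `$user` after `sudo` — and why `sudo -D` was rejected per the commit title are worth a comment on the `pushd` line, e.g. `# Run from / so the target user can read the cwd; sudo -D is not used because …`. The enclosing `auto-upgrade-with-lock-held` script starts and ends outside the hunk.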