+# auto-upgrade-with-pinch: Secure managed NixOS updates
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, version 3.
+
{ config, lib, pkgs, ... }:
with lib;
let
'';
auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
- ${pkgs.utillinux}/bin/flock /run/auto-upgrade-with-pinch ${
+ ${pkgs.coreutils}/bin/nice -n 17 \
+ ${pkgs.util-linux}/bin/ionice -c 3 \
+ ${pkgs.util-linux}/bin/flock /run/auto-upgrade-with-pinch ${
pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
set -eo pipefail
+ concatMapStringsSep "\n" (f: "verify_ownership ${escapeShellArg f}")
cfg.upgradeConfig)}
- config=$(${pkgs.nix}/bin/nix eval --json -f ${../upgrade-config.nix} \
+ config=$(${pkgs.nix}/bin/nix-instantiate --eval --strict --json -A config \
--arg upgradeConfig ${
escapeShellArg ("["
+ lib.concatMapStringsSep " " lib.strings.escapeNixString
cfg.upgradeConfig + "]")
- } config)
+ } ${../upgrade-config.nix})
config_query() {
${pkgs.jq}/bin/jq -r "$@" <<< "$config"
# Build
in_tmpdir hydrate ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
while read user;do
- hydrate /run/wrappers/bin/sudo -u "$user" \
+ hydrate /run/wrappers/bin/sudo -u "$user" -D / \
${pkgs.nix}/bin/nix-build --no-out-link '<nixpkgs>' -A "$(userenv_query "$user" .package)"
done < <( config_query '.userEnvironments | keys []' )