+# auto-upgrade-with-pinch: Secure managed NixOS updates
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, version 3.
+
{ config, lib, pkgs, ... }:
with lib;
let
+ local-pkgs = import ../. { inherit pkgs; };
cfg = config.system.autoUpgradeWithPinch;
pull-repo-script = pkgs.writeShellScript "pull-repo" ''
set -eo pipefail
if [[ "$(prop requireSignature)" == true ]]; then
${pkgs.polite-merge}/bin/polite-merge \
- -c gpg.program=${escapeShellArg (pkgs.keyedgpg cfg.signingKeys)} \
+ -c gpg.program=${escapeShellArg (local-pkgs.keyed-gpg cfg.signingKeys)} \
merge --ff-only --verify-signatures
else
${pkgs.polite-merge}/bin/polite-merge merge --ff-only
'';
auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
- ${pkgs.utillinux}/bin/flock /run/auto-upgrade-with-pinch ${
+ ${pkgs.coreutils}/bin/nice -n 17 \
+ ${pkgs.util-linux}/bin/ionice -c 3 \
+ ${pkgs.util-linux}/bin/flock /run/auto-upgrade-with-pinch ${
pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
set -eo pipefail
+ concatMapStringsSep "\n" (f: "verify_ownership ${escapeShellArg f}")
cfg.upgradeConfig)}
- config=$(${pkgs.nix}/bin/nix eval --json -f ${../upgrade-config.nix} \
+ config=$(${pkgs.nix}/bin/nix-instantiate --eval --strict --json -A config \
--arg upgradeConfig ${
escapeShellArg ("["
+ lib.concatMapStringsSep " " lib.strings.escapeNixString
cfg.upgradeConfig + "]")
- } config)
+ } ${../upgrade-config.nix})
config_query() {
${pkgs.jq}/bin/jq -r "$@" <<< "$config"
'';
nixpkgs.overlays = [
- (import ../overlays/keyedgpg.nix)
(import ../overlays/pinch.nix)
(import ../overlays/polite-merge.nix)
(self: super: {
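Review bot: The ownership check added at L29–L30 runs once over cfg.upgradeConfig, but the nix-instantiate call at L32–L38 then re-reads those same files by path, so there is a window between check and use in which a file may no longer be what was verified; verify_ownership is defined outside this hunk, so I cannot tell whether it also rejects symlinks and non-regular files, which is the cheapest way to narrow that window, and a comment above the check such as `# ownership is verified here, but nix-instantiate below re-reads the files by path` would at least make the gap visible to the next maintainer. The `${` that the `)}` on L30 closes is not visible here, and the `if … else` in pull-repo (L14–L20) has no visible `fi` before the `''` on L21, so please confirm these are lines elided from this view rather than a real syntax gap. As a smaller point, `flock` on L26 has no `-n` or `-w`, so a timer firing while a previous run still holds `/run/auto-upgrade-with-pinch` will block and queue rather than skip; `flock -n` with a logged skip is usually the intended behaviour for a periodic upgrade job. The `escapeNixString` wrapping at L35 is the right way to pass the file list through `--arg`; that part looks correct.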