X-Git-Url: http://git.scottworley.com/auto-upgrade-with-pinch/blobdiff_plain/00a79ae1cc6cdc2791545c0b0aa9dc55e9c95ec5..d8537205b9696e3b76bc8cad98966e52f1ab626f:/modules/auto-upgrade.nix?ds=inline
diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index 973ac22..1facaba 100644
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -25,11 +25,22 @@ in {
 which the update will occur.
 '';
 };
+
+ key = mkOption {
+ type = types.path;
+ description = ''
+ GPG key that signs updates. Updates are only merged if the commit
+ at the tip of the remote branch is signed with this key.
+ '';
+ };
 };
 };
 config = lib.mkIf cfg.enable {
- nixpkgs.overlays = [ (import ../overlays/pinch.nix) ];
+ nixpkgs.overlays = [
+ (import ../overlays/keyedgit.nix)
+ (import ../overlays/pinch.nix)
+ ];
 systemd.services.nixos-upgrade = {
 description = "NixOS Upgrade";
 restartIfChanged = false;
@@ -55,7 +66,7 @@ in {
 set -e
 (
 cd /etc/nixos
- git pull --ff-only
+ ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
 pinch update channels
 )
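Review bot: The guarantee written into the `key` option description ("only merged if ... signed with this key") is not established by the `git pull --ff-only --verify-signatures` line itself: `--verify-signatures` accepts any signature that gpg reports as valid and trusted, so the claim only holds if the `keyedgit` wrapper pins git's gpg keyring and trust model to exactly `cfg.key`, which this diff does not show. I would record that dependency above the pull, `# signature check only restricts to cfg.key because keyedgit pins the gpg keyring; see overlays/keyedgit.nix`, and make the option description say the path is the exported public key file, since `types.path` alone does not tell a reader which form keyedgit expects. It is also worth stating in the description that a non-fast-forward or unsigned tip makes `git pull` fail, which under `set -e` aborts the whole upgrade before `pinch update channels` runs, so a bad remote leaves the system unchanged rather than half-updated. The `options` attrset of the first hunk and the script of the second both start outside the hunk.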