X-Git-Url: http://git.scottworley.com/auto-upgrade-with-pinch/blobdiff_plain/eb0fa99c7cfcb863cfcc3c1ba15aa0fbc2fcb120..fae44c38c483a1ab6928c28b3c58e45034582a4b:/modules/auto-upgrade.nix?ds=inline

diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index 216c4ba..aabb0e2 100644
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -3,7 +3,7 @@ with lib;
 let
   cfg = config.system.autoUpgradeWithPinch;
   auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
-    flock /run/auto-upgrade-with-pinch ${
+    ${pkgs.utillinux}/bin/flock /run/auto-upgrade-with-pinch ${
       pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
         set -e
 
@@ -18,23 +18,26 @@ let
         as_user() {
           ${
             if cfg.userEnvironment.enable then ''
-              sudo -u ${escapeShellArg cfg.userEnvironment.user} "$@"
+              /run/wrappers/bin/sudo -u ${escapeShellArg cfg.userEnvironment.user} "$@"
             '' else ''
               :
             ''
           }
         }
 
-        # Update channels
+        # Fetch updates
         (
           cd /etc/nixos
-          ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
-          ${pkgs.pinch}/bin/pinch update channels
+          ${pkgs.git}/bin/git fetch
+          PATH="${pkgs.keyedgit cfg.keys}/bin:$PATH" ${pkgs.polite-merge}/bin/polite-merge --ff-only --verify-signatures
         )
 
+        # Update channels
+        ${pkgs.pinch}/bin/pinch update /etc/nixos/channels
+
         # Build
         in_tmpdir ${config.system.build.nixos-rebuild}/bin/nixos-rebuild build
-        as_user nix-build '<nixpkgs>' -A ${
+        as_user nix-build --no-out-link '<nixpkgs>' -A ${
           escapeShellArg cfg.userEnvironment.package
         }
 
@@ -71,11 +74,12 @@ in {
         '';
       };
 
-      key = mkOption {
+      keys = mkOption {
         type = types.path;
         description = ''
-          GPG key that signs updates.  Updates are only merged if the commit
-          at the tip of the remote branch is signed with this key.
+          File containing GPG keys that sign updates.  Updates are only merged
+          if the commit at the tip of the remote branch is signed with one of
+          these keys.
         '';
       };
 
@@ -135,9 +139,10 @@ in {
     nixpkgs.overlays = [
       (import ../overlays/keyedgit.nix)
       (import ../overlays/pinch.nix)
+      (import ../overlays/polite-merge.nix)
       (self: super: {
         auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
-          sudo ${auto-upgrade-script}
+          /run/wrappers/bin/sudo ${auto-upgrade-script}
         '';
       })
     ];