X-Git-Url: http://git.scottworley.com/auto-upgrade-with-pinch/blobdiff_plain/edaaa0c0ab2761711c3b9217a2c7396a56d6a54e..a4ddb4117429b8bb2cfb6f23e8733a7b97edeac9:/modules/auto-upgrade.nix diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix index 54a3083..a80aa5c 100644 --- a/modules/auto-upgrade.nix +++ b/modules/auto-upgrade.nix @@ -1,3 +1,9 @@ +# auto-upgrade-with-pinch: Secure managed NixOS updates +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, version 3. + { config, lib, pkgs, ... }: with lib; let @@ -59,7 +65,9 @@ let ''; auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" '' - ${pkgs.utillinux}/bin/flock /run/auto-upgrade-with-pinch ${ + ${pkgs.coreutils}/bin/nice -n 17 \ + ${pkgs.util-linux}/bin/ionice -c 3 \ + ${pkgs.util-linux}/bin/flock /run/auto-upgrade-with-pinch ${ pkgs.writeShellScript "auto-upgrade-with-lock-held" '' set -eo pipefail @@ -144,12 +152,12 @@ let + concatMapStringsSep "\n" (f: "verify_ownership ${escapeShellArg f}") cfg.upgradeConfig)} - config=$(${pkgs.nix}/bin/nix eval --json -f ${../upgrade-config.nix} \ + config=$(${pkgs.nix}/bin/nix-instantiate --eval --strict --json -A config \ --arg upgradeConfig ${ escapeShellArg ("[" + lib.concatMapStringsSep " " lib.strings.escapeNixString cfg.upgradeConfig + "]") - } config) + } ${../upgrade-config.nix}) config_query() { ${pkgs.jq}/bin/jq -r "$@" <<< "$config"
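Review bot: The `ionice -c 3` added in front of `flock` (hunk `@@ -59,7 +65,9 @@`) puts the whole upgrade in the idle I/O class, which, on I/O schedulers that honour it, only gets disk time when nothing else is asking for it. On a continuously busy host that can postpone the upgrade, and the security fixes it delivers, for as long as the load lasts. If the aim is only to stay out of the way of foreground work, the lowest best-effort priority still makes progress under load: `${pkgs.util-linux}/bin/ionice -c 2 -n 7 \`. Whichever class is kept, a comment above the wrapper such as `# Run at low CPU/IO priority so upgrades do not disturb foreground work` would record why niceness 17 and this I/O class were chosen. The script body continues outside the hunk.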
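Review bot: In hunk `@@ -144,12 +152,12 @@`, the files in `cfg.upgradeConfig` are checked by `verify_ownership` and then opened again by path when `nix-instantiate --eval` runs, so the check and the evaluation are two separate looks at the filesystem. Anything those files `import` is presumably not checked at all; the body of `verify_ownership` is outside the hunk, so this is inferred. That is sound only if the files, their parent directories and their imports are writable by the trusted owner alone, and the visible lines do not state this. I would add a comment before the `config=$(` line, for example `# upgradeConfig files are evaluated as trusted Nix code; verify_ownership checks only the listed paths, so they and their imports must live where only the owner can write`. The enclosing script starts and ends outside the hunk.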