{ config, lib, pkgs, ... }:
with lib;
-let cfg = config.system.autoUpgradeWithPinch;
+let
+ cfg = config.system.autoUpgradeWithPinch;
+ auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
+ flock /run/auto-upgrade-with-pinch ${
+ pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
+ set -e
+ (
+ cd /etc/nixos
+ ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
+ ${pkgs.pinch}/bin/pinch update channels
+ )
+
+ ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
+ ''
+ }
+ '';
in {
options = {
system.autoUpgradeWithPinch = {
};
config = lib.mkIf cfg.enable {
+
+ security.sudo.extraRules = lib.mkAfter [{
+ groups = [ "users" ];
+ commands = [{
+ command = "${auto-upgrade-script}";
+ options = [ "NOPASSWD" "NOSETENV" ];
+ }];
+ }];
+ # NOSETENV above still allows through ~17 vars, including PATH. Block those
+ # as well:
+ security.sudo.extraConfig = ''
+ Defaults!${auto-upgrade-script} !env_check
+ Defaults!${auto-upgrade-script} !env_keep
+ '';
+
nixpkgs.overlays = [
(import ../overlays/keyedgit.nix)
(import ../overlays/pinch.nix)
(self: super: {
auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
- flock /run/auto-upgrade-with-pinch ${super.writeShellScript "auto-upgrade-with-lock-held" ''
- set -e
- (
- cd /etc/nixos
- ${self.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
- ${self.pinch}/bin/pinch update channels
- )
-
- ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
- ''}
+ sudo ${auto-upgrade-script}
'';
})
];
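Review bot: `flock` on line 7 is resolved through the caller's PATH, unlike `git`, `pinch` and `nixos-rebuild`, which are pinned to Nix store paths, and the comment on lines 33-34 itself acknowledges that PATH is still passed through by sudo (`!env_check`/`!env_keep` do not remove it from the `env_reset` baseline). Because the new rule on lines 26-32 lets every member of `users` run this script as root with NOPASSWD, a caller can prepend a directory holding their own `flock` to PATH and have it executed as root, unless a `secure_path` is set elsewhere in the sudo configuration (not visible in this hunk). Pin it like the other tools: `${pkgs.util-linux}/bin/flock /run/auto-upgrade-with-pinch ${`. Separately, `flock` is called without `-n` or `-w`, so repeated invocations by unprivileged users queue an unbounded series of root `nixos-rebuild switch` runs; a non-blocking or timed lock would bound that. The unqualified `sudo` on line 55 runs with the caller's privileges and is less of a concern.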
sleep "$delay"
fi
- ${pkgs.auto-upgrade}/bin/auto-upgrade
+ ${auto-upgrade-script}
'';
startAt = cfg.dates;