No-sudo, no-password auto-upgrade
authorScott Worley <scottworley@scottworley.com>
Thu, 16 Apr 2020 21:23:56 +0000 (14:23 -0700)
committerScott Worley <scottworley@scottworley.com>
Mon, 18 May 2020 18:48:31 +0000 (11:48 -0700)
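index 31e2b0b1519e49cc9af098a8aa5ad284a75885fc..3a0d25d4d20f148ddd6f4d447a273950a03ac618 100644
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -1,6 +1,21 @@
 { config, lib, pkgs, ... }:
 with lib;
-let cfg = config.system.autoUpgradeWithPinch;
+let
+  cfg = config.system.autoUpgradeWithPinch;
+  auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
+    flock /run/auto-upgrade-with-pinch ${
+      pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
+        set -e
+        (
+          cd /etc/nixos
+          ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
+          ${pkgs.pinch}/bin/pinch update channels
+        )
+
+        ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
+      ''
+    }
+  '';
 in {
   options = {
     system.autoUpgradeWithPinch = {
@@ -37,21 +52,27 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+
+    security.sudo.extraRules = lib.mkAfter [{
+      groups = [ "users" ];
+      commands = [{
+        command = "${auto-upgrade-script}";
+        options = [ "NOPASSWD" "NOSETENV" ];
+      }];
+    }];
+    # NOSETENV above still allows through ~17 vars, including PATH.  Block those
+    # as well:
+    security.sudo.extraConfig = ''
+      Defaults!${auto-upgrade-script} !env_check
+      Defaults!${auto-upgrade-script} !env_keep
+    '';
+
     nixpkgs.overlays = [
       (import ../overlays/keyedgit.nix)
       (import ../overlays/pinch.nix)
       (self: super: {
         auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
-          flock /run/auto-upgrade-with-pinch ${super.writeShellScript "auto-upgrade-with-lock-held" ''
-            set -e
-            (
-              cd /etc/nixos
-              ${self.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
-              ${self.pinch}/bin/pinch update channels
-            )
-
-            ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
-          ''}
+          sudo ${auto-upgrade-script}
         '';
       })
     ];
@@ -97,7 +118,7 @@ in {
         sleep "$delay"
       fi
 
-        ${pkgs.auto-upgrade}/bin/auto-upgrade
+        ${auto-upgrade-script}
       '';
 
       startAt = cfg.dates;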
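Review bot: The sudoers entry `command = "${auto-upgrade-script}";` carries no argument specification, and in sudoers a Cmnd without arguments matches the command invoked with any arguments, so every member of `users` may run the script as root with arbitrary argv; the visible script never consults its arguments (flock's command is fixed and the inner script uses none), so nothing is exposed today, but pinning it with `command = "${auto-upgrade-script} \"\"";` makes "no arguments" a property of the policy rather than of the current script body and keeps a later `"$@"` from widening the grant silently. Hard-coding `groups = [ "users" ];` lets every ordinary account start a root-level `git pull` plus `nixos-rebuild switch` on demand; consider exposing the group list as a module option (a proposed `allowedGroups` under `system.autoUpgradeWithPinch`, defaulting to `[ "users" ]`) so deployments can narrow it. The `!env_check`/`!env_keep` command defaults clear sudo's lists, but sudo still sets PATH (from `secure_path`, if configured), HOME, LOGNAME and USER itself, and whether the per-command negation wins over any `env_keep+=` elsewhere in the generated sudoers is an ordering question rather than a given — a test run from an ordinary account that prints the environment would confirm what the two scripts actually inherit.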