Require signatures to pull updates

diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index 973ac2268aff6e9b2b108d24eb5582984a79adb2..1facabab99b0cfbc8263af05f61c9734b1e15f8b 100644 (file)
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -25,11 +25,22 @@ in {
           which the update will occur.
         '';
       };
           which the update will occur.
         '';
       };

+
+      key = mkOption {
+        type = types.path;
+        description = ''
+          GPG key that signs updates.  Updates are only merged if the commit
+          at the tip of the remote branch is signed with this key.
+        '';
+      };

     };
   };
 
   config = lib.mkIf cfg.enable {
     };
   };
 
   config = lib.mkIf cfg.enable {

-    nixpkgs.overlays = [ (import ../overlays/pinch.nix) ];
+    nixpkgs.overlays = [
+      (import ../overlays/keyedgit.nix)
+      (import ../overlays/pinch.nix)
+    ];

     systemd.services.nixos-upgrade = {
       description = "NixOS Upgrade";
       restartIfChanged = false;
     systemd.services.nixos-upgrade = {
       description = "NixOS Upgrade";
       restartIfChanged = false;


@@ -55,7 +66,7 @@ in {
         set -e
         (
           cd /etc/nixos
         set -e
         (
           cd /etc/nixos

-          git pull --ff-only
+          ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures

           pinch update channels
         )
 
           pinch update channels
         )