From: Scott Worley
Date: Tue, 14 Apr 2020 23:24:02 +0000 (-0700)
Subject: Require signatures to pull updates
X-Git-Url: http://git.scottworley.com/auto-upgrade-with-pinch/commitdiff_plain/d8537205b9696e3b76bc8cad98966e52f1ab626f?ds=inline
Require signatures to pull updates
---
diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index 973ac22..1facaba 100644
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -25,11 +25,22 @@ in {
 which the update will occur.
 '';
 };
+
+ key = mkOption {
+ type = types.path;
+ description = ''
+ GPG key that signs updates. Updates are only merged if the commit
+ at the tip of the remote branch is signed with this key.
+ '';
+ };
 };
 };
 config = lib.mkIf cfg.enable {
- nixpkgs.overlays = [ (import ../overlays/pinch.nix) ];
+ nixpkgs.overlays = [
+ (import ../overlays/keyedgit.nix)
+ (import ../overlays/pinch.nix)
+ ];
 systemd.services.nixos-upgrade = {
 description = "NixOS Upgrade";
 restartIfChanged = false;
@@ -55,7 +66,7 @@ in {
 set -e
 (
 cd /etc/nixos
- git pull --ff-only
+ ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
 pinch update channels
 )
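Review bot: The description of the new `key` option should say that this is the public key, and that because it is a `types.path` its contents end up in the world-readable Nix store once it is interpolated into `${pkgs.keyedgit cfg.key}` in the second hunk — an operator who points it at a private keyring would publish that keyring. I would change the first description line to `Public GPG key that signs updates; the file is copied into the Nix store.` The text already says only the tip commit is checked, which matches `--verify-signatures` under `--ff-only`; it may be worth adding that commits between the current and the new tip are not individually verified. Whether git accepts the key as trusted depends on how `../overlays/keyedgit.nix` sets up the keyring, which is not visible in this diff, so the option description could also name that overlay as the place where the trust level is configured.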