From 364c110c317cab5a688f4197cf0ab3bca3fde347 Mon Sep 17 00:00:00 2001
From: Scott Worley <scottworley@scottworley.com>
Date: Thu, 16 Apr 2020 14:23:56 -0700
Subject: [PATCH] No-sudo, no-password auto-upgrade

---
 modules/auto-upgrade.nix | 45 +++++++++++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 12 deletions(-)

diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index 31e2b0b..3a0d25d 100644
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -1,6 +1,21 @@
 { config, lib, pkgs, ... }:
 with lib;
-let cfg = config.system.autoUpgradeWithPinch;
+let
+  cfg = config.system.autoUpgradeWithPinch;
+  auto-upgrade-script = pkgs.writeShellScript "auto-upgrade" ''
+    flock /run/auto-upgrade-with-pinch ${
+      pkgs.writeShellScript "auto-upgrade-with-lock-held" ''
+        set -e
+        (
+          cd /etc/nixos
+          ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
+          ${pkgs.pinch}/bin/pinch update channels
+        )
+
+        ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
+      ''
+    }
+  '';
 in {
   options = {
     system.autoUpgradeWithPinch = {
@@ -37,21 +52,27 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+
+    security.sudo.extraRules = lib.mkAfter [{
+      groups = [ "users" ];
+      commands = [{
+        command = "${auto-upgrade-script}";
+        options = [ "NOPASSWD" "NOSETENV" ];
+      }];
+    }];
+    # NOSETENV above still allows through ~17 vars, including PATH.  Block those
+    # as well:
+    security.sudo.extraConfig = ''
+      Defaults!${auto-upgrade-script} !env_check
+      Defaults!${auto-upgrade-script} !env_keep
+    '';
+
     nixpkgs.overlays = [
       (import ../overlays/keyedgit.nix)
       (import ../overlays/pinch.nix)
       (self: super: {
         auto-upgrade = super.writeShellScriptBin "auto-upgrade" ''
-          flock /run/auto-upgrade-with-pinch ${super.writeShellScript "auto-upgrade-with-lock-held" ''
-            set -e
-            (
-              cd /etc/nixos
-              ${self.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
-              ${self.pinch}/bin/pinch update channels
-            )
-
-            ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --no-build-output
-          ''}
+          sudo ${auto-upgrade-script}
         '';
       })
     ];
@@ -97,7 +118,7 @@ in {
           sleep "$delay"
         fi
 
-        ${pkgs.auto-upgrade}/bin/auto-upgrade
+        ${auto-upgrade-script}
       '';
 
       startAt = cfg.dates;
-- 
2.44.1