From d8537205b9696e3b76bc8cad98966e52f1ab626f Mon Sep 17 00:00:00 2001
From: Scott Worley
Date: Tue, 14 Apr 2020 16:24:02 -0700
Subject: [PATCH 1/1] Require signatures to pull updates
---
 modules/auto-upgrade.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index 973ac22..1facaba 100644
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -25,11 +25,22 @@ in {
 which the update will occur.
 '';
 };
+
+ key = mkOption {
+ type = types.path;
+ description = ''
+ GPG key that signs updates. Updates are only merged if the commit
+ at the tip of the remote branch is signed with this key.
+ '';
+ };
 };
 };
 config = lib.mkIf cfg.enable {
- nixpkgs.overlays = [ (import ../overlays/pinch.nix) ];
+ nixpkgs.overlays = [
+ (import ../overlays/keyedgit.nix)
+ (import ../overlays/pinch.nix)
+ ];
 systemd.services.nixos-upgrade = {
 description = "NixOS Upgrade";
 restartIfChanged = false;
@@ -55,7 +66,7 @@ in {
 set -e
 (
 cd /etc/nixos
- git pull --ff-only
+ ${pkgs.keyedgit cfg.key}/bin/git pull --ff-only --verify-signatures
 pinch update channels
 )
--
2.44.1
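Review bot: The description of the new `key` option does not say that it must be the public (verification) key, and because the option is `types.path`, whatever file it points at is copied into the Nix store and becomes world-readable on the host; a private key supplied here by mistake would be exposed. Suggest wording the description as `GPG public key that signs updates. The file is copied into the Nix store, so it must contain only the public key. Updates are only merged if the commit at the tip of the remote branch is signed with this key.` The option also has no `default`, so with `enable = true` and `key` unset the module should fail at evaluation time when `cfg.key` is interpolated into the service script (second hunk); that is a sensible fail-closed behaviour and is worth stating in the description so operators are not surprised. The `options` attribute set this hunk belongs to starts before the hunk.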
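Review bot: The new `git pull --ff-only --verify-signatures` line verifies only the tip commit of the fetched branch, and git counts a signature as valid only if gpg reports the signing key as trusted, so the guarantee here depends entirely on the keyring and trust model that the `keyedgit` wrapper (overlays/keyedgit.nix, not part of this patch) builds from `cfg.key`; presumably it restricts the keyring to exactly that key, but that should be confirmed. The following `pinch update channels` step is outside this check and is not covered by the signature requirement. A short comment above the pull line would make both limits explicit for the next maintainer: `# Only the tip commit is signature-checked; trust comes from the keyring keyedgit builds from cfg.key. Channel updates below are not covered.` The shell script this hunk belongs to starts and ends outside the hunk.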