2024-05-04 23:15:57 +03:00
|
|
|
# System automatic updates.
|
|
|
|
# This is a systemd service that pulls updates every hour.
|
|
|
|
# Unlike system.autoUpgrade, this script also verifies my git signature
|
|
|
|
# to prevent unathorized changes to hosts.
|
2024-07-01 16:19:58 +03:00
|
|
|
{ const, pkgs, lib, util, config, secret, ... }: with lib; let
|
2024-06-30 03:56:48 +03:00
|
|
|
cfg = config.module.autoupdate;
|
2024-06-25 04:04:39 +03:00
|
|
|
in {
|
|
|
|
options = {
|
2024-06-30 03:56:48 +03:00
|
|
|
module.autoupdate = {
|
2024-08-24 19:55:55 +03:00
|
|
|
enable = mkEnableOption "System auto-updates.";
|
2024-06-25 04:04:39 +03:00
|
|
|
};
|
2024-04-14 19:44:38 +03:00
|
|
|
};
|
|
|
|
|
2024-06-25 04:04:39 +03:00
|
|
|
config = mkIf cfg.enable {
|
2024-07-01 16:19:58 +03:00
|
|
|
programs.git = {
|
|
|
|
enable = true;
|
|
|
|
config = {
|
|
|
|
gpg.ssh.allowedSignersFile = toString secret.crypto.sign.git.allowed;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-06-25 04:04:39 +03:00
|
|
|
systemd.services.autoupdate = util.mkStaticSystemdService {
|
|
|
|
enable = true;
|
|
|
|
description = "Signed system auto-update.";
|
2024-10-11 21:05:29 +03:00
|
|
|
serviceConfig = {
|
|
|
|
RuntimeMaxSec = "55m";
|
|
|
|
Type = "oneshot";
|
|
|
|
};
|
2024-06-25 04:04:39 +03:00
|
|
|
path = with pkgs; [
|
|
|
|
bash
|
|
|
|
git
|
|
|
|
gnumake
|
|
|
|
nixos-rebuild
|
|
|
|
openssh
|
|
|
|
];
|
|
|
|
script = ''
|
|
|
|
pushd /tmp
|
|
|
|
rm -rf ./nixos
|
2024-09-12 01:04:07 +03:00
|
|
|
git clone --depth=1 --single-branch --branch=main ${const.url} ./nixos
|
2024-06-25 04:04:39 +03:00
|
|
|
pushd ./nixos
|
2024-09-30 05:39:06 +03:00
|
|
|
git verify-commit HEAD && git fsck || {
|
2024-06-25 04:04:39 +03:00
|
|
|
echo "Verification failed."
|
|
|
|
exit 1
|
|
|
|
};
|
2024-09-19 03:21:47 +03:00
|
|
|
make switch
|
2024-06-25 04:04:39 +03:00
|
|
|
'';
|
|
|
|
after = [ "network-online.target" ];
|
|
|
|
wants = [ "network-online.target" ];
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd.timers.autoupdate = {
|
|
|
|
enable = true;
|
|
|
|
timerConfig = {
|
|
|
|
OnCalendar = "hourly";
|
|
|
|
Persistent = true;
|
|
|
|
Unit = "autoupdate.service";
|
|
|
|
# RandomizedDelaySec = 60;
|
|
|
|
};
|
|
|
|
wantedBy = [ "timers.target" ];
|
2024-04-14 19:44:38 +03:00
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|