AutoUpdateSigned : Check signature before updating.

flake.nix

@@ -104,12 +104,12 @@
 			droidStateVersion = "22.11";
 			stateVersion      = "23.11";
 			timeZone = "Europe/Moscow";
-			url = "git+https://git.voronind.com/voronind/nixos.git";
+			url = "https://git.voronind.com/voronind/nixos.git";
 		};
 
 		# Common modules used across all hosts.
 		nixosModules.common.imports = [
-			./module/common/AutoUpdate.nix
+			./module/common/AutoUpdateSigned.nix
 			./module/common/Bash.nix
 			./module/common/Bootloader.nix
 			./module/common/Crypto.nix

module/common/AutoUpdate.nix

@@ -3,7 +3,7 @@
 		enable      = true;
 		allowReboot = false;
 		dates       = "hourly";
-		flake       = const.url;
+		flake       = "git+${const.url}";
 		operation   = "switch";
 		persistent  = true;
 	};

module/common/AutoUpdateSigned.nix

@@ -0,0 +1,37 @@
+{ const, pkgs, lib, secret, ... }: {
+	systemd.services.autoupdate = {
+		enable = true;
+		description        = "Signed system auto-update.";
+		restartIfChanged   = false;
+		serviceConfig.Type = "oneshot";
+		stopIfChanged      = false;
+		unitConfig.X-StopOnRemoval = false;
+		path = with pkgs; [
+			bash
+			git
+			gnumake
+			nixos-rebuild
+			openssh
+		];
+		script = ''
+			pushd /tmp
+			rm -rf ./nixos
+			${lib.getExe pkgs.git} clone --depth=1 --single-branch --branch=main ${const.url} ./nixos
+			pushd ./nixos
+			${lib.getExe pkgs.git} verify-commit HEAD || {
+				echo "Verification failed."
+				exit 1
+			};
+			${lib.getExe pkgs.gnumake} switch
+		'';
+	};
+
+	systemd.timers.autoupdate = {
+		timerConfig = {
+			OnCalendar = "hourly";
+			Persistent = true;
+			Unit       = "autoupdate.service";
+		};
+		wantedBy = [ "timers.target" ];
+	};
+}

module/common/bash/module/Nix.nix

@@ -1,6 +1,6 @@
-{ ... }: {
+{ const, ... }: {
 	text = ''
-		export _nix_system_config="git+https://git.voronind.com/voronind/nixos.git"
+		export _nix_system_config="git+${const.url}"
 
 		# Rebuild system.
 		# Optionally force the hostname.