{
  config,
  secrets,
  ...
}: {
  # Daily unattended `nixos-rebuild switch` against the newest commit of the
  # configuration repository. The working tree under ~/nixos/ is replaced on
  # every run, so uncommitted local edits are lost; for that reason this module
  # is enabled on servers only.
  #
  # The repository's flake.lock is what gets built, so it has to be bumped
  # periodically (see Containerfile). The alternative below gives up
  # reproducibility in exchange for always building the newest inputs:
  #
  #   flags = [ "--recreate-lock-file" "--no-write-lock-file" ];
  #
  # NOTE(review): the flake URL carries no ref/rev, so every run follows the
  # repository's default branch as found on git.caspervk.net. Whoever can push
  # there (or control that host) effectively decides what these servers run
  # next; keep push access and the host's TLS/SSH trust as tight as the servers
  # themselves.
  system = {
    autoUpgrade = {
      enable = true;
      flake = "git+https://git.caspervk.net/caspervk/nixos.git";
    };
  };

  # Fetching the `nixos-secrets` flake input needs an SSH identity; point git at
  # the agenix-decrypted deploy key for the upgrade unit only, not globally.
  systemd = {
    services = {
      nixos-upgrade = {
        environment = {
          GIT_SSH_COMMAND = "ssh -i ${config.age.secrets.autoupgrade-deploy-key.path}";
        };
      };
    };
  };

  # Deploy key, decrypted at activation by agenix. Readable by root only
  # (mode 400), which is sufficient because the nixos-upgrade unit is expected
  # to run as root — confirm if the service is ever run under another user.
  age = {
    secrets = {
      autoupgrade-deploy-key = {
        file = "${secrets}/secrets/autoupgrade-deploy-key.age";
        mode = "400";
        owner = "root";
        group = "root";
      };
    };
  };
}