diff --git a/modules/nixos/frajul-auto-upgrade.nix b/modules/nixos/frajul-auto-upgrade.nix
index 6a66ecc..9069452 100644
--- a/modules/nixos/frajul-auto-upgrade.nix
+++ b/modules/nixos/frajul-auto-upgrade.nix
@@ -27,6 +27,10 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    security.sudo.extraConfig = ''
+      root ALL=(julian) NOPASSWD: ${pkgs.git}/bin/git -C "${cfg.flakePath}" commit -m *
+    '';
+
     # Ensure the flag directory exists
     systemd.tmpfiles.rules = [
       "d /var/lib/frajul-auto-upgrade 0755 root root -"
@@ -67,11 +71,16 @@ in {
       echo $$ > "$LOCK_FILE"
       trap 'rm -f "$LOCK_FILE"' EXIT
 
-      if /run/current-system/sw/bin/nix flake update --flake "${cfg.flakePath}" && /run/current-system/sw/bin/nixos-rebuild switch --flake "${cfg.flakePath}"; then
+      # Back up flake.lock
+      cp -f "${cfg.flakePath}/flake.lock" /var/lib/frajul-auto-upgrade/flake.lock.bak
+
+      # Try updating
+      if /run/current-system/sw/bin/nix flake update --flake "${cfg.flakePath}" && /run/current-system/sw/bin/nixos-rebuild switch --flake "${cfg.flakePath}" && ${pkgs.sudo}/bin/sudo -u julian git -C "${cfg.flakePath}" commit -m "Auto-update flake.lock" -- flake.lock; then
         echo "success" > "$LAST_STATUS_FILE"
       else
         echo "failure" > "$LAST_STATUS_FILE"
-      git -C "${cfg.flakePath}" restore flake.lock
+      # Restore flake.lock
+      cp -f /var/lib/frajul-auto-upgrade/flake.lock.bak "${cfg.flakePath}/flake.lock"
       fi
 
       # Write full timestamp
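Review bot: The sudoers entry pins `${pkgs.git}/bin/git`, but the service in the second hunk runs a bare `git` through `sudo -u julian`, so the two do not describe the same command; sudo matches the command by its resolved path, and if this rule were ever the deciding one it would presumably not match. Since the invoking user is root, which the default NixOS sudoers already grants unrestricted `sudo`, the rule is most likely redundant rather than restrictive — worth a comment stating its intent, e.g. `# documents the single git invocation the upgrade service performs as julian; root is not otherwise limited by sudoers`. Note also that a sudoers `*` wildcard matches across argument boundaries, so `commit -m *` admits any trailing arguments, not just a message. The user name `julian` is hard-coded where the module otherwise reads `cfg.*`; if the module exposes a user option (not visible here), using it would keep the rule and the service in step. The enclosing `config` attribute set continues outside the hunk.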
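Review bot: Chaining the commit into the same `&&` condition as the update and switch means that when `nixos-rebuild switch` has already activated the new generation and only the commit fails, the script writes "failure" and copies the old flake.lock back, leaving the running system and flake.lock out of step; the restore should happen only when the update or switch itself failed. The commit also invokes a bare `git` as julian, which depends on that user's PATH under a systemd unit and does not match the `${pkgs.git}/bin/git` the sudoers rule in the first hunk names — use the store path here too. The `cp -f` lines run as root and follow symlinks in `${cfg.flakePath}`, a directory that julian can commit to and presumably writes; if that path is user-writable, a hedged comment noting that root writes there is worth adding. The surrounding script body starts and ends outside the hunk.
```nix
      # Back up flake.lock
      cp -f "${cfg.flakePath}/flake.lock" /var/lib/frajul-auto-upgrade/flake.lock.bak

      # Try updating; the commit is deliberately outside the condition so a
      # failed commit cannot roll flake.lock back under an already-switched system
      if /run/current-system/sw/bin/nix flake update --flake "${cfg.flakePath}" && /run/current-system/sw/bin/nixos-rebuild switch --flake "${cfg.flakePath}"; then
        echo "success" > "$LAST_STATUS_FILE"
        ${pkgs.sudo}/bin/sudo -u julian ${pkgs.git}/bin/git -C "${cfg.flakePath}" commit -m "Auto-update flake.lock" -- flake.lock \
          || echo "warning: flake.lock updated and switched but not committed" >&2
      else
        echo "failure" > "$LAST_STATUS_FILE"
        # Restore flake.lock
        cp -f /var/lib/frajul-auto-upgrade/flake.lock.bak "${cfg.flakePath}/flake.lock"
      fi
      # … unchanged: timestamp and status bookkeeping …
```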