auto-upgrade: commit flake.lock if upgrading worked

2025-12-06 09:22:21 +01:00
parent 8b6ba76848
commit b9cdb9299e
1 changed files with 11 additions and 2 deletions
--- a/modules/nixos/frajul-auto-upgrade.nix
+++ b/modules/nixos/frajul-auto-upgrade.nix
@@ -27,6 +27,10 @@ in {
  };

  config = lib.mkIf cfg.enable {
+    security.sudo.extraConfig = ''
+      root ALL=(julian) NOPASSWD: ${pkgs.git}/bin/git -C "${cfg.flakePath}" commit -m *
+    '';
+
    # Ensure the flag directory exists
    systemd.tmpfiles.rules = [
      "d /var/lib/frajul-auto-upgrade 0755 root root -"
@@ -67,11 +71,16 @@ in {
        echo $$ > "$LOCK_FILE"
        trap 'rm -f "$LOCK_FILE"' EXIT

-        if /run/current-system/sw/bin/nix flake update --flake "${cfg.flakePath}" && /run/current-system/sw/bin/nixos-rebuild switch --flake "${cfg.flakePath}"; then
+        # Back up flake.lock
+        cp -f "${cfg.flakePath}/flake.lock" /var/lib/frajul-auto-upgrade/flake.lock.bak
+
+        # Try updating
+        if /run/current-system/sw/bin/nix flake update --flake "${cfg.flakePath}" && /run/current-system/sw/bin/nixos-rebuild switch --flake "${cfg.flakePath}" && ${pkgs.sudo}/bin/sudo -u julian git -C "${cfg.flakePath}" commit -m "Auto-update flake.lock" -- flake.lock; then
            echo "success" > "$LAST_STATUS_FILE"
        else
            echo "failure" > "$LAST_STATUS_FILE"
-            git -C "${cfg.flakePath}" restore flake.lock
+            # Restore flake.lock
+            cp -f /var/lib/frajul-auto-upgrade/flake.lock.bak "${cfg.flakePath}/flake.lock"
        fi

        # Write full timestamp