From 7304bba68b0ca85dcc5c95d5a3be38f99f1cd96b Mon Sep 17 00:00:00 2001
From: fruchti
Date: Thu, 9 Mar 2023 16:01:31 +0100
Subject: [PATCH] Auto-upgrade: Allow git pull as specific user

---
 hosts/Rupert.nix | 1 +
 options/auto-upgrade.nix | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/hosts/Rupert.nix b/hosts/Rupert.nix
index 8685d9f..19d5074 100644
--- a/hosts/Rupert.nix
+++ b/hosts/Rupert.nix
@@ -94,6 +94,7 @@ in
 sendEmail = true;
 gitPull = true;
 gitDeploymentKeyFile = "/secrets/ssh_id_gitea_nixos_configuration";
+gitUser = "fruchti";
 };
 
 # systemd.services.nixos-upgrade.onFailure = lib.mkIf config.system.autoUpgrade.enable [ "status-email@%n.service" ];
diff --git a/options/auto-upgrade.nix b/options/auto-upgrade.nix
index eb9f4e1..18e8544 100644
--- a/options/auto-upgrade.nix
+++ b/options/auto-upgrade.nix
@@ -29,6 +29,13 @@ in
 Private SSH key used for the `git pull` operation (if `gitPull` is enabled).
 '';
 };
+gitUser = mkOption {
+type = types.str or null;
+default = null;
+description = mdDoc ''
+User used for the `git pull` operation (if `gitPull` is enabled).
+'';
+};
 };
 
 config = mkIf cfg.enable {
@@ -41,6 +48,7 @@ in
 grep = "${pkgs.gnugrep}/bin/grep";
 git = "${pkgs.git}/bin/git";
 ssh = "${pkgs.openssh}/bin/ssh";
+sudo = "${pkgs.sudo}/bin/sudo";
 shutdown = "${config.systemd.package}/bin/shutdown";
 sendmail = "${pkgs.system-sendmail}/bin/sendmail";
 upgradeFlag = optional (cfg.channel == null) "--upgrade";
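Review bot: `types.str or null` in the new `gitUser` option (second hunk of options/auto-upgrade.nix) is Nix's attribute-fallback `or` operator, not a union type: since `types` has a `str` attribute the expression is just `types.str`, which does not admit the `default = null` declared right below it, so evaluating `cfg.gitUser` on a host that leaves the option unset will most likely fail the module type check. The intended declaration is `type = types.nullOr types.str;`. The description should also state that `gitDeploymentKeyFile` must be readable by this user, because the pull that uses the key runs under that account. The `sudo` binding added in the third hunk needs no change on its own.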
@@ -95,7 +103,7 @@ in
 {
 cd /etc/nixos
 echo "→ Refreshing git repository at /etc/nixos." | tee -a "$output_file"
-if ! ${optionalString (cfg.gitDeploymentKeyFile != null) ''GIT_SSH_COMMAND='${ssh} -i "${cfg.gitDeploymentKeyFile}" -o IdentitiesOnly=yes' ''}${git} pull 2>&1 | tee -a "$output_file" ; then
+if ! ${optionalString (cfg.gitDeploymentKeyFile != null) ''GIT_SSH_COMMAND='${ssh} -i "${cfg.gitDeploymentKeyFile}" -o IdentitiesOnly=yes' ''}${optionalString (cfg.gitUser != null) ''${sudo} -nu ${cfg.gitUser} ''}${git} pull 2>&1 | tee -a "$output_file" ; then
 send_email=yes
 email_subject_additions="$email_subject_additions, errors during git pull"
 fi
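Review bot: On the new `if` line the `GIT_SSH_COMMAND=...` assignment is placed in front of `${sudo} -nu ${cfg.gitUser}`, and sudo's default env_reset policy drops environment variables it is not configured to keep, so when both `gitDeploymentKeyFile` and `gitUser` are set the pull under the target user most likely runs without the deployment key (falling back to that user's own SSH configuration) instead of with it. Moving the assignment into the command sudo executes, `${sudo} -nu ${cfg.gitUser} env GIT_SSH_COMMAND='...' ${git} pull`, or adding `--preserve-env=GIT_SSH_COMMAND`, makes the key take effect; in either form the key file must be readable by that user, which a root-only file under /secrets may not be. Because `-n` makes sudo fail instead of prompting, it is also worth confirming that the service's account can switch to the configured user without a password, and note that `! … | tee` tests tee's exit status rather than git's unless pipefail is enabled earlier in the script, which lies outside this hunk.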