Allow for git pull before auto-upgrade

hosts/Rupert.nix

@@ -88,9 +88,14 @@ in
     # accidentally delete configuration.nix.
     # system.copySystemConfiguration = true;
 
-    system.autoUpgrade.enable = true;
-    system.autoUpgrade.allowReboot = true;
-    system.autoUpgrade.sendEmail = true;
+    system.autoUpgrade = {
+        enable = true;
+        allowReboot = true;
+        sendEmail = true;
+        gitPull = true;
+        gitDeploymentKeyFile = "/secrets/ssh_id_gitea_nixos_configuration";
+    };
+
     # systemd.services.nixos-upgrade.onFailure = lib.mkIf config.system.autoUpgrade.enable [ "status-email@%n.service" ];
 
     services.btrfsScrub = {

options/auto-upgrade.nix

@@ -15,6 +15,20 @@ in
                 Whether to send a status email after an upgrade.
             '';
         };
+        gitPull = mkOption {
+            type = types.bool;
+            default = false;
+            description = mdDoc ''
+                Whether to run `git pull` in /etc/nixos before starting the upgrade.
+            '';
+        };
+        gitDeploymentKeyFile = mkOption {
+            type = types.str or null;
+            default = null;
+            description = mdDoc ''
+                Private SSH key used for the `git pull` operation (if `gitPull` is enabled).
+            '';
+        };
     };
 
     config = mkIf cfg.enable {
@@ -25,6 +39,8 @@ in
                 date = "${pkgs.coreutils}/bin/date";
                 readlink = "${pkgs.coreutils}/bin/readlink";
                 grep = "${pkgs.gnugrep}/bin/grep";
+                git = "${pkgs.git}/bin/git";
+                ssh = "${pkgs.openssh}/bin/ssh";
                 shutdown = "${config.systemd.package}/bin/shutdown";
                 sendmail = "${pkgs.system-sendmail}/bin/sendmail";
                 upgradeFlag = optional (cfg.channel == null) "--upgrade";
@@ -72,9 +88,23 @@ in
                 ''}
 
                 output_file="$(mktemp)"
-                ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)} 2>&1 | tee "$output_file" || exit_code=$?
-
                 send_email=no
+                email_subject_additions=
+
+                ${optionalString cfg.gitPull ''
+                {
+                    cd /etc/nixos
+                    echo "→ Refreshing git repository at /etc/nixos." | tee -a "$output_file"
+                    if ! ${optionalString (cfg.gitDeploymentKeyFile != null) ''GIT_SSH_COMMAND='${ssh} -i "${cfg.gitDeploymentKeyFile}" -o IdentitiesOnly=yes' ''}${git} pull 2>&1 | tee -a "$output_file" ; then
+                        send_email=yes
+                        email_subject_additions="$email_subject_additions, errors during git pull"
+                    fi
+                }
+                ''}
+
+                echo "→ Running upgrade." | tee -a "$output_file"
+                ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)} 2>&1 | tee -a "$output_file" || exit_code=$?
+
                 email_subject="Upgrade succeeded"
                 email_body="The system upgrade started at $start_time has succeeded."
                 if [ "$exit_code" -ne 0 ] ; then
@@ -86,6 +116,7 @@ in
                 booted_version="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
                 built_version="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
 
+                echo "→ Checking if a reboot is needed." | tee -a "$output_file"
                 if [ "$booted_version" != "$built_version" ] ; then
                     version_comparison="$(cat <<-EOF
                 The booted kernel version
@@ -111,16 +142,16 @@ in
                         email_body="$(printf "%s\n%s" "$email_body" "The system will reboot now.")"
                         do_reboot="yes"
                         activate_configuration="yes"
-                        email_subject="$email_subject, system will reboot"
+                        email_subject_additions="$email_subject_additions, system will reboot"
                     else
                         email_body="$(printf "%s\n%s" "$email_body" "The upgraded configuration will be activated on the next reboot.")"
-                        email_subject="$email_subject, reboot required"
+                        email_subject_additions="$email_subject_additions, reboot required"
                     fi
                 fi
 
                 ${optionalString (cfg.operation == "switch") ''
                 if [ "$activate_configuration" = "yes" ] ; then
-                    echo "Activating new configuration."
+                    echo "→ Activating new configuration." | tee -a "$output_file"
                     ${nixos-rebuild} switch ${toString cfg.flags} 2>&1 | tee -a "$output_file" || exit_code=$?
                 fi
                 ''}
@@ -131,7 +162,7 @@ in
                 possible_warnings="$(${grep} -e "^trace:" <<<"$upgrade_output" || true)"
                 if [ "$possible_warnings" != "" ] ; then
                     send_email=yes
-                    email_subject="$email_subject with warnings"
+                    email_subject_additions="$email_subject_additions with warnings"
                     email_body="$(cat <<-EOF
                 $email_body
 
@@ -145,10 +176,11 @@ in
 
                 ${optionalString cfg.sendEmail ''
                 if [ "$send_email" = "yes" ] ; then
+                    echo "→ Sending e-mail to ${toAddress}."
                     ${sendmail} -t -X - <<-EOF
                 To: ${toAddress}
                 From: ${fromIdentity}
-                Subject: $email_subject
+                Subject: $email_subject$email_subject_additions
                 Content-Transfer-Encoding: 8bit
                 Content-Type: text/plain; charset=UTF-8
                 X-Priority: 3
@@ -164,7 +196,7 @@ in
                 ''}
 
                 if [ "$do_reboot" = "yes" ] ; then
-                    echo "Rebooting system."
+                    echo "→ Rebooting system."
                     ${shutdown} -r +1
                 fi