General: custom NixOS upgrade helper script

bin/nixos-upgrade-script.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+# Wrapper script for nixos-rebuild
+
+#set -e
+
+# Configuration parameters
+operation="switch"		# The nixos-rebuild operation to use
+hostname=$(hostname)	# The name of the host to build
+flakeDir="."					# Path to the flake file (and optionally the hostname)
+remainingArgs=""			# All remaining arguments that haven't been processed
+commit=true						# Whether to update git (true by default)
+buildHost=""					# Which host to build the system on.
+
+function usage() {
+	echo "Usage: nixos-upgrade-script.sh [-o|--operation operation] [-f|--flake path-to-flake-file] [extra nixos-rebuild parameters]"
+	echo "Options:"
+	echo "	-h | --help	Show this help screen."
+	echo "	-o | --operation	The nixos-rebuild operation to perform."
+	echo "	-H | --host	The host to build."
+	echo "  -f | --flake <path>	The path to the flake file (and optionally the hostname)."
+	echo "  -n | --no-commit Don't update and commit the lock file."
+	echo "  --build-host <hostname> The SSH name of the host to build the system on."
+	exit 2
+}
+
+function run_operation {
+	echo "Full operation: nixos-rebuild $1 --flake $flakeDir#$hostname $( [ "$buildHost" != "" ] && echo "--build-host $buildHost" ) $remainingArgs"
+
+	# Only request super-user permission if we're switching
+	if [[ "$1" =~ ^(switch|boot|test)$ ]]; then
+		sudo nixos-rebuild $operation --flake .#$hostname $remainingArgs
+	else
+		nixos-rebuild $operation --flake .#$hostname $remainingArgs
+	fi
+} 
+
+# Argument processing logic shamelessly stolen from https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash
+POSITIONAL_ARGS=()
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+	--build-host|-b)
+		buildHost="$2"
+		shift
+		shift
+		;;
+	--host|--hostname|-H)
+		hostname="$2"
+		shift
+		shift
+		;;
+	--flake|-f)
+		flakeDir="$2"
+		shift
+		shift
+		;;
+	--no-commit|-n)
+		commit=false
+		shift
+		shift
+		;;
+	--operation|-o)
+		operation="$2"
+		shift
+		shift
+		;;
+	--help|-h)
+		usage
+		shift
+		;;
+	*)
+		POSITIONAL_ARGS+=("$1") # save positional arg
+      	shift # past argument
+		;;
+	esac
+done
+remainingArgs=${POSITIONAL_ARGS[@]}
+set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
+
+cd $flakeDir
+git pull
+
+if [ $commit = true ]; then
+	echo "Update and push lock file"
+	nix flake update --commit-lock-file
+	git push
+fi
+
+# If this is a remote build, run the build as non-sudo first
+if [[ "$buildHost" != "" ]]; then
+	run_operation "build"
+fi
+
+run_operation $operation
+
+exit 0

hosts/Shura/default.nix

@@ -52,6 +52,12 @@ in
     # Enable GPU support.
     gpu.amd.enable = true;
 
+    nixos-upgrade-script = {
+      enable = true;
+      configDir = config.secrets.nixConfigFolder;
+      user = config.users.users.aires.name;
+    };
+
     packages = with pkgs; [
       boinc # Boinc client
       keepassxc # Use native instead of Flatpak due to weird performance issues

modules/services/autoupgrade.nix

@@ -82,6 +82,7 @@ in
           OnCalendar = cfg.onCalendar;
           Persistent = cfg.persistent;
           Unit = "nixos-upgrade.service";
+          RandomizedDelaySec = "30m";
         };
       };
     })

modules/system/nix.nix

@@ -1,13 +1,18 @@
 # Core Nix configuration
 {
   config,
-  lib,
   inputs,
+  lib,
+  pkgs,
   ...
 }:
 
 let
   cfg = config.aux.system;
+
+  nixos-upgrade-script = pkgs.writeShellScriptBin "nixos-upgrade-script" (
+    builtins.readFile ../../bin/nixos-upgrade-script.sh
+  );
 in
 {
   options = {
@@ -18,6 +23,17 @@ in
         type = lib.types.str;
         default = "monthly";
       };
+      nixos-upgrade-script = {
+        enable = lib.mkEnableOption "Installs the nos (nixos-upgrade-script) helper script.";
+        configDir = lib.mkOption {
+          type = lib.types.str;
+          description = "Path to your NixOS configuration files.";
+        };
+        user = lib.mkOption {
+          type = lib.types.str;
+          description = "The user to run the upgrade script as.";
+        };
+      };
     };
   };
   config = {
@@ -37,13 +53,14 @@ in
         # Only allow these users to use Nix
         allowed-users = with config.users.users; [
           root.name
-          aires.name
+          (lib.mkIf config.aux.system.users.aires.enable aires.name)
         ];
 
         # Avoid signature verification messages when doing remote builds
-        trusted-users =
+        trusted-users = with config.users.users; [
-          with config.users.users;
+          root.name
-          [ aires.name ] ++ lib.optionals (config.aux.system.users.gremlin.enable) [ gremlin.name ];
+          (lib.mkIf config.aux.system.users.aires.enable aires.name)
+        ];
       };
 
       # Optimize the Nix store on each build
@@ -88,5 +105,7 @@ in
 
     # Support for standard, dynamically-linked executables
     programs.nix-ld.enable = true;
+
+    aux.system.packages = [ (lib.mkIf cfg.nixos-upgrade-script.enable nixos-upgrade-script) ];
   };
 }

modules/ui/desktops/gnome.nix

@@ -48,7 +48,9 @@ in
               ]
             }
           '';
-          extraGSettingsOverridePackages = lib.mkIf (cfg.experimental.fractionalScaling.enable || cfg.experimental.vrr.enable) [ pkgs.gnome.mutter ];
+          extraGSettingsOverridePackages = lib.mkIf (
+            cfg.experimental.fractionalScaling.enable || cfg.experimental.vrr.enable
+          ) [ pkgs.gnome.mutter ];
         };
         displayManager.gdm.enable = true;
       };