Think I figured out an automatic update process that also supports fresh installs

Actually it might make more sense to keep it, especially for setting up new hosts.

.forgejo/workflows/update.yaml

@@ -1,15 +1,32 @@
 on: [push]
+
 jobs:
-#  format:
+  # Source: https://github.com/isabelroses/dotfiles/tree/main/.github/workflows
+  update-lockfile:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          logger: pretty
+
+#      - name: Update Lockfile
+#        uses: DeterminateSystems/update-flake-lock@main
+#        id: update
+#        with:
+#          pr-title: "chore(deps): flake inputs"
+#          commit-msg: "chore(deps): flake inputs"
+#          token: ${{ secrets.GITHUB_TOKEN }}
+
+#  build:
 #    runs-on: nix
 #    steps:
+#      - run: nix-env -iA nixpkgs.nodejs_20
 #      - uses: actions/checkout@v4
-#      - run: nix --experimental-features 'nix-command flakes' fmt
+#      - run: nix --experimental-features 'nix-command flakes' flake update
-  build:
+#      - run: nixos-rebuild --experimental-features 'nix-command flakes' build --flake .#Haven
-    runs-on: nix
+#      - run: nixos-rebuild --experimental-features 'nix-command flakes' build --flake .#Khanda
-    steps:
-      - run: nix-env -iA nixpkgs.nodejs_20
-      - uses: actions/checkout@v4
-      - run: nix --experimental-features 'nix-command flakes' flake update
-      - run: nixos-rebuild --experimental-features 'nix-command flakes' build --flake .#Haven
-      - run: nixos-rebuild --experimental-features 'nix-command flakes' build --flake .#Khanda

.gitmodules

@@ -0,0 +1,4 @@
+[submodule "nix-secrets"]
+	path = nix-secrets
+	url = ssh://code.8bitbuddhism.com/aires/nix-secrets.git
+    branch = main

flake.lock

@@ -256,11 +256,11 @@
         "rev": "4db84b723bb2eb21a2c58de565ed89ddb34e6166",
         "revCount": 41,
         "type": "git",
-        "url": "ssh://forgejo@code.8bitbuddhism.com/aires/nix-secrets"
+        "url": "file:///home/aires/Development/nix-configuration/nix-secrets"
       },
       "original": {
         "type": "git",
-        "url": "ssh://forgejo@code.8bitbuddhism.com/aires/nix-secrets"
+        "url": "file:///home/aires/Development/nix-configuration/nix-secrets"
       }
     },
     "nixos-hardware": {

flake.nix

@@ -36,7 +36,7 @@
 
     # "Secrets management"
     nix-secrets = {
-      url = "git+ssh://forgejo@code.8bitbuddhism.com/aires/nix-secrets";
+      url = "git+file:///home/aires/Development/nix-configuration/nix-secrets";
       flake = false;
     };
 

hosts/Haven/default.nix

@@ -123,7 +123,7 @@ in
     script = ''
       set -eu
       cd ${config.users.users.aires.home}/Development/nix-configuration
-      git pull
+      git pull --recurse-submodules
       nix flake update
       git add flake.lock
       git commit -m "Update flake.lock"

modules/base/system.nix

@@ -26,15 +26,28 @@
     };
   };
 
-  # Configure automatic updates
+  # Configure automatic updates. Replaces system.autoUpgrade.
-  system.autoUpgrade = {
+  systemd.services."nixos-update" = {
-    enable = true;
+    serviceConfig = {
-    flake = "git+https://${config.secrets.services.forgejo.url}/aires/nix-configuration";
+      Type = "oneshot";
-    dates = "daily";
+      User = "root";
-    randomizedDelaySec = "30m";
+    };
-    allowReboot = false;
+    script = ''
-    operation = "switch";
+      set -eu
-    persistent = true;
+      cd ${config.users.users.aires.home}/Development/nix-configuration
+      sudo -u aires git pull --recurse-submodules
+	  nh os switch
+    '';
+  };
+  systemd.timers."nixos-update-timer" = {
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "daily";
+      Persistent = "true";
+      Unit = "nixos-update.service";
+    };
   };
 
   services = {

nix-secrets

@@ -0,0 +1 @@
+Subproject commit 4db84b723bb2eb21a2c58de565ed89ddb34e6166