auto upgrades

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 13:22:34 +02:00 · 2026-04-12 19:02:46 +02:00
parent 17f976d4e7
commit ac3c0886b7
4 changed files with 84 additions and 2 deletions
@@ -0,0 +1,77 @@
+# Auto upgrade some of my inputs every hour.
+# With signal notification on failure, but only once per failure streak to avoid spamming me if something is broken for a while.
+{
+  config,
+  pkgs,
+  ...
+}: let
+  configDir = config.var.configDirectory;
+  auto-update-inputs = ["blog" "awesome-wallpapers" "iknowyou" "default-creds"];
+  signalConfigDir = "/var/lib/signal-cli";
+  sentinelFile = "/var/lib/nixos-auto-upgrade/failure-notified";
+in {
+  sops.secrets."signal-sender-number" = {};
+  sops.secrets."signal-receiver-number" = {};
+
+  environment.systemPackages = [pkgs.signal-cli];
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/nixos-auto-upgrade 0700 root root -"
+    "d ${signalConfigDir} 0700 root root -"
+  ];
+
+  # Main upgrade service
+  systemd.services.nixos-auto-upgrade = {
+    description = "NixOS auto upgrade";
+    after = ["network-online.target"];
+    wants = ["network-online.target"];
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+    };
+    onFailure = ["nixos-auto-upgrade-notify.service"];
+    script = ''
+      set -e
+      cd ${configDir}
+      ${pkgs.nix}/bin/nix flake update ${builtins.concatStringsSep " " auto-update-inputs}
+      /run/current-system/sw/bin/nixos-rebuild switch --flake ${configDir}#jack
+      # Clear failure sentinel on success
+      rm -f ${sentinelFile}
+    '';
+  };
+
+  # Notification service — only fires once per failure streak
+  systemd.services.nixos-auto-upgrade-notify = {
+    description = "Signal notification on NixOS upgrade failure";
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+    };
+    script = ''
+      # Already notified for this failure streak, skip
+      if [ -f "${sentinelFile}" ]; then
+        exit 0
+      fi
+
+      SENDER=$(cat ${config.sops.secrets."signal-sender-number".path})
+      RECEIVER=$(cat ${config.sops.secrets."signal-receiver-number".path})
+      ${pkgs.signal-cli}/bin/signal-cli \
+        --config ${signalConfigDir} \
+        -u "$SENDER" send \
+        -m "Jack: nixos-auto-upgrade failed, check the logs: journalctl -u nixos-auto-upgrade" \
+        "$RECEIVER"
+
+      touch ${sentinelFile}
+    '';
+  };
+
+  # Hourly timer
+  systemd.timers.nixos-auto-upgrade = {
+    description = "NixOS auto upgrade timer";
+    wantedBy = ["timers.target"];
+    timerConfig = {
+      OnCalendar = "hourly";
+      Persistent = true;
+    };
+  };
+}