This is more or less what I do, too…
> - disabled when the manually deployed Git repository was dirty (uncommitted changes)

```nix
system.autoUpgrade = {
  enable = ((inputs.self.rev or "dirty") != "dirty");
  # …
};
```
I generally pull in a `nix flake update --commit-lock-file` on my desktop, and build that. I review the changes and may switch to the new revision for more testing.

Then I build the system closures for the rest of my systems (nu syntax):

```nu
nix flake show --json | from json | get nixosConfigurations | columns
| each { |host|
  pueue add $"nix build --out-link result-($host) .#nixosConfigurations.($host).config.system.build.toplevel"
}
```
Then if those builds succeed, I push all the system closures to attic cache, and push the updated git revision to local soft-serve git repo. All the other hosts update when they next wake from sleep or overnight.
> - skipped if the deployed commit is not already in the default branch (not pushed or merged yet)
A neat additional idea, but not one I have needed or can implement quite as simply.
I do occasionally want to hold back a system when an upgrade is known to break things; for instance, currently I have some hosts held back from systemd 257.8 because of a bridged VLAN bug in networkd. Most of the time, I just stop `nixos-upgrade.timer`, or build a dirty revision on that host. I haven't, but I could also add a condition clause on the upgrade service that something like `/etc/noautoupgrade` doesn't exist, and touch that file as another manual signal.
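For anyone wanting to combine the two ideas from this thread (the dirty-tree guard and a file-based hold-back switch) in one module, here is an added example; it is not the poster's own configuration. It assumes a flake-based NixOS config where `inputs` (with `inputs.self`) is passed to modules via `specialArgs`, and the flake URL is a placeholder:

```nix
# Added example (not the poster's config). Assumes `inputs` reaches the module
# through specialArgs so that `inputs.self.rev` is available.
{ inputs, ... }:
{
  system.autoUpgrade = {
    # Auto-upgrade only when the deployed tree was a clean, committed revision;
    # a dirty checkout leaves `inputs.self.rev` unset.
    enable = (inputs.self.rev or "dirty") != "dirty";
    # Placeholder URL: the pushed repo the timer pulls the flake from.
    flake = "git+https://git.example.invalid/nixos-config";
    dates = "04:00";
    randomizedDelaySec = "45min";
    allowReboot = false;
  };

  # Manual hold-back switch: systemd skips (does not fail) the unit while this
  # file exists. The leading `!` negates the path condition.
  systemd.services.nixos-upgrade.unitConfig.ConditionPathExists = "!/etc/noautoupgrade";
}
```

With this in place, `touch /etc/noautoupgrade` on a host holds it back without stopping the timer, and removing the file lets the next timer run proceed; `systemctl status nixos-upgrade.service` will show the condition-check skip rather than a failure while the file is present.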