Flake auto-upgrade fails because git-repo not owned by current user

kjetil · March 19, 2025, 11:07am

After converting to flakes, auto-upgrade fails with git error “repository is not owned by current user”.

Which makes sense:

flakes use git when the flake is in a git-repo
My nix git repo is owned by my regular user account
The auto-upgrade systemd unit runs as root (and needs to run as root to have access to rebuild the system)
Git doesn’t want to touch a repo owned by a different user (which makes sense)

So my question is: how to auto-upgrade flakes, while keeping git repository owned by regular user?

waffle8946 · March 19, 2025, 3:45pm

If you want, you can write two services: one that runs as your user to update the lockfile, and one system service to rebuild the system.

However, I would not use auto-upgrade, the whole point of flakes is to have a lockfile that controls the revision of nixpkgs (or whatever other inputs) that you’re using. Auto-upgrade defeats this entire purpose, and might automatically push you into a broken revision or a revision that you don’t want to use.

kjetil · March 20, 2025, 1:36am

That sounds like it should work. But I already tried removing the flag "--commit-lock-file" and adding the flag "--no-write-lock-file" , but it still refuses to build because it refuses to even read the repo.

I’ll play around using the self flake in the nix store instead of my repo, but I initially didn’t like that idea because I want to capture and commit the flake lock file for every good build.

I also thought auto-upgrade with flakes in git would be such a common scenario, that there would be a “proper” way of doing it, I just haven’t found it yet

I (obviously ) disagree about auto-upgrades. I think auto-upgrade is fine, because any bad upgrade can be rolled back by either booting a previous build, or reverting the lock file to a previous good commit. But that hinges on capturing the lock file on every good commit. This is for a media-PC btw, not a critical server. For an unattended or critical machine I’d be more wary of auto-upgrade

firecat53 · March 20, 2025, 4:57am

I figured out finally that I needed to set the flake directory as safe for the root user because it’s owned by firecat53 which doesn’t match root. This is from [2.20.5 regression] `nix eval` fails with `'/etc/nixos': ... is not owned by current user` · Issue #10202 · NixOS/nix · GitHub

/root/.gitconfig

     [safe]
       directory = /home/firecat53/nixos/nixos

kjetil · March 20, 2025, 12:54pm

That makes a lot of sense reading issue #10202. Thanks for the suggestion firecat! l’ll try that out when I’m back at the computer.

Then the override to /root/.git/config can be declared in configuration.nix too , and it should be sorted

kjetil · March 21, 2025, 2:02am

Yes auto-upgrade works after adding my repo to roots .gitignore [safe] folder.

I’m still having trouble getting the --commit-lock-file flag to work. With the flag, the update service just hangs indefinitely (no CPU utilisation). Maybe it’s waiting for interactive writing of committ message or something. I’ll try the two-step approach suggested by waffle.

kjetil · March 21, 2025, 1:24pm

For future reference, --commit-lock-file was not working because the current flakes.lock file in the working tree differed from the latest committed flake.lock file. (i.e. flake.lock was ‘dirty’) . That might be a bug; i’m not sure why the process hung indefinitely instead of failing.

After committing the dirt flake.lock, the auto-upgrade worked, including updateing and committing new flake.lock file