With system.autoUpgrade you can enable automatic updates for your NixOS system. Updates are downloaded automatically on a regular basis.
How does this work with a flake-nixosConfiguration?
I mean you can use a git repo to build the configuration (system.autoUpgrade.flake). But if I understand correctly, you have to execute `nix flake update` manually and push all the changes to the git repo to start the update.
My question is about updates from the stable channel, to have all the security updates installed automatically.
So with flakes, you set system.autoUpgrade.flake to a flake uri to build on every call to the upgrade function. If the flake being referenced doesn’t change, then neither does the system.
The description of system.autoUpgrade.flags also includes this, which would allow you to update nixpkgs on each call as well, at least for a local flake:

> Any additional flags passed to `nixos-rebuild`.
>
> If you are using flakes and use a local repo you can add
> `[ "--update-input" "nixpkgs" "--commit-lock-file" ]`
> to update nixpkgs.
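Putting the two options from the answer above together, here is a complete module as an added example (it is not code from the original thread). The checkout path `/etc/nixos`, the schedule and the jitter are assumptions; the flake itself is expected to define `nixosConfigurations.<hostname>` and to have a `nixpkgs` input that tracks a stable branch (for instance `github:NixOS/nixpkgs/nixos-24.05`), because the lock file only moves forward along whatever branch the input points at.

```nix
# Added example (not from the original thread): NixOS module enabling
# unattended upgrades from a local flake checkout. The path /etc/nixos,
# the time of day and the jitter are assumptions; adjust them to taste.
{ config, pkgs, ... }:

{
  system.autoUpgrade = {
    enable = true;

    # Build nixosConfigurations.<hostname> from this flake on every run.
    # It must be a local git checkout: --commit-lock-file writes to it.
    # A remote URL such as "github:user/repo" would only ever rebuild
    # whatever lock file has already been pushed there.
    flake = "/etc/nixos";

    # Refresh the nixpkgs input and record the new revision in
    # flake.lock, so each run actually picks up new packages instead of
    # rebuilding the same pinned revision.
    flags = [
      "--update-input" "nixpkgs"
      "--commit-lock-file"
    ];

    # Run daily at 04:00, spread over 45 minutes to avoid hammering
    # the binary cache at the exact same moment from every machine.
    dates = "04:00";
    randomizedDelaySec = "45min";

    # Kernel, initrd and systemd updates only take effect after a reboot.
    # Keep this false on hosts that must not reboot unattended.
    allowReboot = false;
  };
}
```

Two caveats worth checking before relying on this: `--commit-lock-file` runs `git commit` as root inside the checkout, so root needs a git identity (`user.name` and `user.email`) or the service fails after the build; and on recent Nix releases `--update-input` is deprecated in favour of `nix flake update <input>`, so watch the `nixos-upgrade.service` journal for warnings and adjust the flags when the old spelling stops working.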
The best security game is to only activate the packages you need, and to follow the main branch of nixpkgs for what you do activate (since that is where the latest security fixes are applied).