diff --git a/modules/sysupdate.nix b/modules/sysupdate.nix
index 949fbcb..7be5664 100644
--- a/modules/sysupdate.nix
+++ b/modules/sysupdate.nix
@@ -1,4 +1,33 @@
-{ config, ... }: {
+{ config, pkgs, ... }:
+let
+ gpgPubKeyStaging = ''
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+ mDMEZvb3mhYJKwYBBAHaRw8BAQdAvyH7AMLukMEF/1as7auAh757//LlO/kBG8pm
+ zhOlTj20LFBhdGFnaWEgU3RhZ2luZyA8bm9yZXBseStzdGFnaW5nQHBhdGFnaWEu
+ aW8+iJQEExYKADwWIQTjWE8tGxWc+3+vxyy1R4V5MjgMzAUCZvb3mgIbAwUJBaOa
+ gAQLCQgHBBUKCQgFFgIDAQACHgUCF4AACgkQtUeFeTI4DMwDWAEAlMAhSZh086Ux
+ OfLBR1QYgHtXmk6tObJurWkZq6cGICwA/2fBOtZcLfAPRWYPLHAtsqtFrO6CIyQG
+ H6n4Iv3D5ZsCuDgEZvb3mhIKKwYBBAGXVQEFAQEHQPKKcltfHlELIHf0AYcd0nOe
+ GaWcAnoW4o3zLZUVNnlpAwEIB4h+BBgWCgAmFiEE41hPLRsVnPt/r8cstUeFeTI4
+ DMwFAmb295oCGwwFCQWjmoAACgkQtUeFeTI4DMzuegEA62XIq4Ir+4DWdTql58bA
+0Vr89dMQsAxwVzGGzl8D8wBAMuPY6/2SwbA7KwWuz8L/cTPQVLBt+TSdYeuCBps
+ e5UE
+ =m2st
+ -----END PGP PUBLIC KEY BLOCK-----
+ '';
+ gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
+ mkdir -p $out
+ export GNUPGHOME=$out
+ gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint
+ gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}'
+ rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*
+ '';
+in
+{
+
+ environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/import-pubring.gpg";
+
+
systemd.sysupdate = {
enable = true;
@@ -11,10 +40,8 @@
# We could fetch updates from the network as well:
#
- # Path = "https://download.example.com/";
- # Type = "url-file";
- Path = "/var/updates/";
- Type = "regular-file";
+ Path = "https://images.dl.patagia.dev/";
+ Type = "url-file";
};
Target = {
InstancesMax = 2;
@@ -38,10 +65,8 @@
MatchPattern = [ "${config.boot.uki.name}_@v.img.xz" ];
- # Path = "https://download.example.com/";
- # Type = "url-file";
- Path = "/var/updates/";
- Type = "regular-file";
+ Path = "https://images.dl.patagia.dev/";
+ Type = "url-file";
};
Target = {
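Review bot: `export GNUPGHOME=$out` in the `gpgKeyring` derivation makes the store output carry gpg's working state (pubring.kbx, trustdb, random_seed, private-keys-v1.d) beside the one file that is actually consumed, which presumably also makes the output non-reproducible, and the unconditional `rm $out/S.scdaemon $out/S.gpg-agent $out/S.gpg-agent.*` fails the build whenever gpg-agent did not create those sockets. Pointing `GNUPGHOME` at a scratch directory and installing only `import-pubring.gpg` removes both problems and the clean-up line. If the `--fingerprint` call exists only to pre-create the keyring file before `--import`, say so next to it, e.g. `# --fingerprint on the empty keyring creates the file before the import`. The key block itself should carry a comment naming the key and the fingerprint to compare out of band, e.g. `# Patagia staging signing key; fingerprint <FINGERPRINT-PLACEHOLDER>`, and a note on whether a non-staging deployment is meant to trust it, since the module installs it unconditionally.
```nix
  gpgKeyring = pkgs.runCommand "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } ''
    # Scratch home: trustdb, random_seed and agent sockets stay out of $out.
    export GNUPGHOME=$(mktemp -d)
    mkdir -p $out
    gpg --no-default-keyring --keyring=$out/import-pubring.gpg --fingerprint
    gpg --no-default-keyring --keyring=$out/import-pubring.gpg --import <<< '${gpgPubKeyStaging}'
    gpgconf --kill gpg-agent || true
  '';
```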
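Review bot: The context comment directly above the new `Path`, `# We could fetch updates from the network as well:` followed by a bare `#`, now contradicts the code — the network is the only source and the local `/var/updates/` option is what went away — so those two lines should be dropped or reworded to say what the authenticity of downloads now rests on, e.g. `# Updates are fetched over HTTPS; authenticity rests on the signature check against the installed import-pubring.gpg.` (only if verification is in fact left on, which this hunk does not show). The same `Path`/`Type` pair is hard-coded a second time in the third hunk, which is cut off at the end of this chunk; one `let` binding such as `updateBaseUrl = "https://images.dl.patagia.dev/";` used by both transfers would keep them from drifting apart.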