Automatic system upgrades: Difference between revisions
Remove reference to deprecated flag in text
Fix flake configuration, update monitoring to include force-running an upgrade, add troubleshooting for repository not owned by current user.
| Line 1: | Line 1: | ||
Automatic system upgrades can be used to upgrade a system regularly at a specific time. This can help to reduce the time period of applying important security patches to your running software but might also introduce some breakage in case an automatic upgrade fails. For automatic upgrades an automatic [[Garbage Collection|garbage collection]] is important to prevent full /boot and / partitions. | Automatic system upgrades can be used to upgrade a system regularly at a specific time. This can help to reduce the time period of applying important security patches to your running software but might also introduce some breakage in case an automatic upgrade fails. For automatic upgrades an automatic [[Garbage Collection|garbage collection]] is important to prevent full <syntaxhighlight inline lang="bash">/boot</syntaxhighlight> and <syntaxhighlight inline lang="bash">/</syntaxhighlight> partitions. | ||
== Configuration == | == Configuration == | ||
| Line 5: | Line 5: | ||
=== Channel-based systems (default) === | === Channel-based systems (default) === | ||
Most NixOS installations use channels by default. If you're unsure which you're using, check with | Most NixOS installations use channels by default. If you're unsure which you're using, check with <syntaxhighlight inline lang="bash">nix-channel --list</syntaxhighlight>. If that returns results, you're using channels. | ||
For channel-based systems, use this configuration: | For channel-based systems, use this configuration: | ||
{{file| | {{file|auto-upgrade.nix|nix|<nowiki> | ||
system.autoUpgrade = { | system.autoUpgrade = { | ||
enable = true; | enable = true; | ||
| Line 27: | Line 27: | ||
To enable unattended automatic system updates on a flake-enabled host, add following part to your configuration: | To enable unattended automatic system updates on a flake-enabled host, add following part to your configuration: | ||
{{file| | {{file|auto-upgrade.nix|nix|<nowiki> | ||
system.autoUpgrade = { | system.autoUpgrade = { | ||
enable = true; | enable = true; | ||
flake = | flake = "/path/to/flake"; | ||
flags = [ | flags = [ | ||
"--print-build-logs" | "--print-build-logs" | ||
"--commit-lock-file" # if you want to automatically commit the updated flake.lock | |||
]; | ]; | ||
dates = "02:00"; | dates = "02:00"; | ||
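Review bot: In the flake hunk, the flags list holds only "--print-build-logs" and "--commit-lock-file", and nothing visible in it updates flake.lock, so the comment "if you want to automatically commit the updated flake.lock" refers to an update this configuration never requests. With flake = "/path/to/flake" pointing at a local checkout, say next to the snippet what is expected to refresh the lock file; otherwise readers will assume the 02:00 run pulls in new security patches when it only rebuilds the inputs already pinned in the lock.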
| Line 41: | Line 42: | ||
== Monitoring == | == Monitoring == | ||
Check that automatic system upgrades run successfully. Force an automatic system upgrade by running | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
# systemctl | # systemctl start nixos-upgrade | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Check the upgrade log with | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
| Line 53: | Line 54: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Or, to see the full log | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
# journalctl -u nixos-upgrade.service | # journalctl -u nixos-upgrade.service | ||
</syntaxhighlight> | </syntaxhighlight> | ||
To see the status of the upgrade timer run | |||
<syntaxhighlight lang="bash"> | |||
# systemctl status nixos-upgrade.timer | |||
</syntaxhighlight> | |||
== Troubleshooting == | |||
=== Git "repository is not owned by current user" === | |||
The flake repository directory is not owned by <syntaxhighlight inline lang="bash">root</syntaxhighlight> (which <syntaxhighlight inline lang="bash">nixos-upgrade</syntaxhighlight> runs as). To fix this, add the following to <syntaxhighlight inline lang="bash">/root/.gitconfig</syntaxhighlight>: | |||
{{file|/root/.gitconfig|gitconfig|<nowiki> | |||
[safe] | |||
directory = /path/to/flake | |||
</nowiki>}} | |||
[[Category:NixOS]] | [[Category:NixOS]] | ||
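Review bot: The new Troubleshooting entry tells readers to list the flake path under [safe] directory in /root/.gitconfig without saying what the refused check protects. Git rejects a repository owned by another user because its repository-local configuration is under that user's control, and the text itself notes that nixos-upgrade runs as root; add a sentence that this entry makes root trust a directory another account can write to, and mention making the flake directory root-owned as the alternative.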
Revision as of 00:35, 2 March 2026
Automatic system upgrades can be used to upgrade a system regularly at a specific time. This can help shorten the time it takes for important security patches to reach your running software, but a failed automatic upgrade might also introduce some breakage. With automatic upgrades, automatic garbage collection is important to keep the /boot and / partitions from filling up.
Configuration
Channel-based systems (default)
Most NixOS installations use channels by default. If you're unsure which you're using, check with nix-channel --list. If that returns results, you're using channels.
For channel-based systems, use this configuration:
system.autoUpgrade = {
  enable = true;
  flags = [
    "--print-build-logs"
  ];
  dates = "02:00";
  randomizedDelaySec = "45min";
  allowReboot = false; # Set to true if you want automatic reboots
};
Important: Do not use flake-specific flags with channel-based systems, as they will cause the upgrade to fail silently.
Flake-based systems
To enable unattended automatic system updates on a flake-enabled host, add the following to your configuration:
system.autoUpgrade = {
  enable = true;
  flake = "/path/to/flake";
  flags = [
    "--print-build-logs"
    "--commit-lock-file" # if you want to automatically commit the updated flake.lock
  ];
  dates = "02:00";
  randomizedDelaySec = "45min";
};
Monitoring
Check that automatic system upgrades run successfully. Force an automatic system upgrade by running:
# systemctl start nixos-upgrade
Check the upgrade log with:
# systemctl status nixos-upgrade.service
Or, to see the full log:
# journalctl -u nixos-upgrade.service
To see the status of the upgrade timer, run:
# systemctl status nixos-upgrade.timer
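An added example (not part of the wiki page): a shell function that reduces `systemctl show` output for nixos-upgrade.service to a single verdict, so that a failed upgrade, or one that has not run since boot, is noticed instead of passing silently. The function name, verdict strings and sample inputs are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify the last nixos-upgrade run from `systemctl show` text.
# On a live host the input would come from:
#   systemctl show nixos-upgrade.service -p ActiveState -p Result \
#     -p ExecMainStatus -p ExecMainExitTimestamp | classify_upgrade

classify_upgrade() {
  local key value state="" result="" status="" exited=""
  while IFS='=' read -r key value; do
    case "$key" in
      ActiveState)           state=$value ;;
      Result)                result=$value ;;
      ExecMainStatus)        status=$value ;;
      ExecMainExitTimestamp) exited=$value ;;
    esac
  done
  # A oneshot service reports "activating" while its command is still running.
  if [ "$state" = "activating" ]; then
    echo "RUNNING"; return 0
  fi
  # Failed state or any Result other than "success": the last run broke.
  if [ "$state" = "failed" ] || [ "${result:-success}" != "success" ]; then
    echo "FAILED result=${result:-unknown} exit=${status:-unknown}"; return 2
  fi
  # Result=success is also what a unit that has not started since boot reports,
  # so only an exit timestamp shows that an upgrade actually ran.
  if [ -z "$exited" ] || [ "$exited" = "n/a" ]; then
    echo "NEVER_RAN"; return 1
  fi
  echo "OK last_exit=$exited"; return 0
}

# Constructed sample inputs, not captured from a real host.
sample_ok='ActiveState=inactive
Result=success
ExecMainStatus=0
ExecMainExitTimestamp=Mon 2026-03-02 02:31:07 UTC'
sample_failed='ActiveState=failed
Result=exit-code
ExecMainStatus=1
ExecMainExitTimestamp=Mon 2026-03-02 02:14:52 UTC'
sample_never='ActiveState=inactive
Result=success
ExecMainStatus=0
ExecMainExitTimestamp='

for s in "$sample_ok" "$sample_failed" "$sample_never"; do
  printf '%s\n' "$s" | classify_upgrade || true
done
```

The non-zero return codes (1 for never ran, 2 for failed) let a monitoring job alert on the exit status alone.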
Troubleshooting
Git "repository is not owned by current user"
The flake repository directory is not owned by root (which nixos-upgrade runs as). To fix this, add the following to /root/.gitconfig:
[safe]
    directory = /path/to/flake