update-flake-inputs: init

A user service which will run `nix flake update` on every flake input in
the specified directories.

Author: l0b0

modules/services/update-flake-inputs/default.nix

@@ -0,0 +1,194 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    getExe
+    literalExpression
+    maintainers
+    mkEnableOption
+    mkIf
+    mkOption
+    ;
+  inherit (lib.strings) concatStringsSep escapeShellArgs replaceString;
+  inherit (lib.types)
+    bool
+    listOf
+    package
+    str
+    ;
+
+  cfg = config.services.${unitName};
+
+  unitName = "update-flake-inputs";
+in
+{
+  meta.maintainers = [
+    maintainers.l0b0
+  ];
+
+  options.services.${unitName} = {
+    enable = mkEnableOption "Whether to update Nix flake inputs on a schedule";
+
+    directories = mkOption {
+      type = listOf str;
+      default = [ ];
+      example = [
+        "/home/user/foo"
+        "/home/user/my projects/bar"
+      ];
+      description = "Absolute paths of directories to perform updates in";
+    };
+
+    afterUpdateCommands = mkOption {
+      type = listOf str;
+      default = [ ];
+      example = [
+        "NIX_ABORT_ON_WARN=true nix flake check"
+        "nix develop --ignore-env --command pre-commit run --all-files"
+        "git commit --message=\"build: Update Nix flake input '$${input}'\" -- flake.lock"
+      ];
+      description = ''
+        Commands to run after the update.
+        The variable {env}`input` can be referenced in this script to refer to the flake input name,
+        and the variable {env}`PWD` to refer to the flake directory.
+      '';
+    };
+
+    afterUpdateCommandsDependencies = mkOption {
+      type = listOf package;
+      default = [ ];
+      example = [
+        literalExpression
+        "pkgs.firefox"
+      ];
+      description = ''
+        Packages required by {option}`afterUpdateCommands`.
+      '';
+    };
+
+    onCalendar = mkOption {
+      type = str;
+      default = "daily";
+      example = "04:40";
+      description = ''
+        How often or when update occurs.
+
+        The format is described in
+        {manpage}`systemd.time(7)`.
+      '';
+    };
+
+    randomizedDelaySec = mkOption {
+      default = "0";
+      type = str;
+      example = "45 minutes";
+      description = ''
+        Add a randomized delay before each run.
+        The delay will be chosen between zero and this value.
+        This value must be a time span in the format specified by
+        {manpage}`systemd.time(7)`
+      '';
+    };
+
+    fixedRandomDelay = mkOption {
+      default = false;
+      type = bool;
+      example = true;
+      description = ''
+        Make the randomized delay consistent between runs.
+        This reduces the jitter between automatic updates.
+        See {option}`randomizedDelaySec` for configuring the randomized delay.
+      '';
+    };
+
+    persistent = mkOption {
+      default = true;
+      type = bool;
+      example = false;
+      description = ''
+        Takes a boolean argument. If true, the time when the service
+        unit was last triggered is stored on disk. When the timer is
+        activated, the service unit is triggered immediately if it
+        would have been triggered at least once during the time when
+        the timer was inactive. Such triggering is nonetheless
+        subject to the delay imposed by RandomizedDelaySec=. This is
+        useful to catch up on missed runs of the service when the
+        system was powered down.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.directories != [ ];
+        message = "You must specify some directories to act on.";
+      }
+    ];
+
+    systemd.user =
+      let
+        Description = "Update Nix flake inputs";
+      in
+      {
+        services.${unitName} =
+          let
+            updateFlakeInputs = pkgs.writeShellApplication {
+              name = unitName;
+              bashOptions = [ ];
+              runtimeInputs = [
+                pkgs.gitMinimal
+                pkgs.jq
+              ]
+              ++ cfg.afterUpdateCommandsDependencies;
+              text =
+                let
+                  script = builtins.readFile ./update.bash;
+                  afterUpdateCommandLine = concatStringsSep " && " (
+                    if cfg.afterUpdateCommands == [ ] then [ "true" ] else cfg.afterUpdateCommands
+                  );
+                in
+                replaceString "@afterUpdateCommandLine@" afterUpdateCommandLine script;
+            };
+          in
+          {
+            Unit = {
+              inherit Description;
+              Documentation = [ "man:nix3-flake(1)" ];
+
+              After = [ "network-online.target" ];
+              Wants = [ "network-online.target" ];
+
+              X-StopOnRemoval = false;
+              X-RestartIfChanged = false;
+            };
+
+            Service = {
+              ExecStart = ''
+                ${getExe updateFlakeInputs} ${escapeShellArgs cfg.directories}
+              '';
+              Type = "oneshot";
+            };
+          };
+
+        timers.${unitName} = {
+          Install.WantedBy = [ "timers.target" ];
+
+          Timer = {
+            FixedRandomDelay = cfg.fixedRandomDelay;
+            OnCalendar = cfg.onCalendar;
+            Persistent = cfg.persistent;
+            RandomizedDelaySec = cfg.randomizedDelaySec;
+            Unit = "${unitName}.service";
+          };
+
+          Unit = { inherit Description; };
+        };
+      };
+  };
+
+}

modules/services/update-flake-inputs/update.bash

@@ -0,0 +1,111 @@
+set -o errexit -o noclobber -o nounset -o pipefail
+shopt -s failglob inherit_errexit
+
+cleanup() {
+  git restore --staged flake.lock
+  git checkout flake.lock
+}
+
+afterUpdateCommands() {
+  @afterUpdateCommandLine@
+}
+
+update_flake_input() {
+  local \
+    dev_shell_name \
+    input \
+    machine_type \
+    nix_build_command \
+    nixos_configuration \
+    raw_dev_shell_names \
+    raw_nixos_configurations
+
+  input="$1"
+
+  if ! nix flake update "${input}"; then
+    echo "${0}: Could not update input ${input} in directory ${PWD}!" >&2
+    cleanup
+    return 64
+  fi
+
+  if git diff --quiet flake.lock; then
+    # Already up to date
+    return 0
+  fi
+
+  nix_build_command=(nix build --no-link --print-out-paths)
+
+  if raw_nixos_configurations="$(
+    nix eval --apply 'attrSet: builtins.toString (builtins.attrNames attrSet)' --raw \
+      .#.nixosConfigurations
+  )"; then
+    readarray -d ' ' -t nixos_configurations <<<"${raw_nixos_configurations}"
+    for nixos_configuration in "${nixos_configurations[@]}"; do
+      nix_build_command+=(".#.nixosConfigurations.${nixos_configuration%%$'\n'}.config.system.build.toplevel")
+    done
+  fi
+
+  machine_type="$(uname --machine)-linux"
+  if raw_dev_shell_names="$(
+    nix eval --apply 'attrSet: builtins.toString (builtins.attrNames attrSet)' --raw \
+      ".#.devShells.${machine_type}"
+  )"; then
+    readarray -d ' ' -t dev_shell_names <<<"${raw_dev_shell_names}"
+    for dev_shell_name in "${dev_shell_names[@]}"; do
+      nix_build_command+=(".#.devShells.${machine_type}.${dev_shell_name%%$'\n'}")
+    done
+  fi
+
+  if ! "${nix_build_command[@]}"; then
+    echo "${0}: Could not update input ${input} in directory ${PWD}!"
+    cleanup
+    return 65
+  fi
+
+  # shellcheck disable=SC2310
+  if ! afterUpdateCommands; then
+    echo "After update commands failed!" >&2
+    cleanup
+    return 66
+  fi
+
+  cleanup
+}
+
+for directory; do
+  cd "${directory}"
+
+  if ! git diff --cached --quiet; then
+    echo "${PWD} has staged changes; skipping!" >&2
+    exit_code=64
+    continue
+  fi
+
+  if ! git diff --quiet flake.lock; then
+    echo "${PWD}/flake.lock has changes; skipping!" >&2
+    exit_code=65
+    continue
+  fi
+
+  inputs_raw="$(nix flake metadata --json | jq --raw-output '.locks.nodes.root.inputs | keys[]')"
+  readarray -t inputs <<<"${inputs_raw}"
+
+  broken_inputs=()
+  for input in "${inputs[@]}"; do
+    # shellcheck disable=SC2310
+    if ! update_flake_input "${input}"; then
+      exit_code="$?"
+      broken_inputs+=("${input}")
+    fi
+  done
+
+  # Summarize at the end, to avoid mixing with the rest of the output
+  if ((${#broken_inputs[@]} != 0)); then
+    echo "Some flake inputs can't be updated automatically:" >&2
+  fi
+  for broken_input in "${broken_inputs[@]}"; do
+    echo "- ${broken_input}" >&2
+  done
+done
+
+exit "${exit_code-0}"

tests/modules/services/update-flake-inputs/basic.nix

@@ -0,0 +1,22 @@
+{
+  services.update-flake-inputs = {
+    enable = true;
+    directories = [ "/some/path" ];
+  };
+
+  nmt.script = ''
+    serviceFile=home-files/.config/systemd/user/update-flake-inputs.service
+    normalizedServiceFile=$(normalizeStorePaths "$serviceFile")
+    assertFileContent $normalizedServiceFile ${./expected-basic.service}
+
+    assertFileContent home-files/.config/systemd/user/update-flake-inputs.timer ${./expected-basic.timer}
+
+    scriptFile="$(
+      grep '^ExecStart=' "$TESTED/$serviceFile" |
+      cut --delimiter== --fields=2 |
+      cut --delimiter=' ' --fields=1
+    )"
+    normalizedScriptFile=$(normalizeStorePaths "$scriptFile")
+    assertFileContent "$normalizedScriptFile" ${./expected-basic.bash}
+  '';
+}

tests/modules/services/update-flake-inputs/default.nix

@@ -0,0 +1,6 @@
+{ lib, pkgs, ... }:
+
+lib.optionalAttrs pkgs.stdenv.hostPlatform.isLinux {
+  update-flake-inputs-basic = ./basic.nix;
+  update-flake-inputs-full = ./full.nix;
+}