Try out unattended-upgrade on laptop

1 files changed, 30 insertions, 17 deletions

diff --git a/tw/system/lap.scm b/tw/system/lap.scm
index 41ef690c..d3227dc9 100644
--- a/tw/system/lap.scm
+++ b/tw/system/lap.scm
@@ -22,7 +22,7 @@
 (use-package-modules android certs cups disk docker file-systems gnome
                      kerberos linux mtools pulseaudio search shells wm xorg)
 
-(use-service-modules authentication avahi base cups dbus desktop docker
+(use-service-modules admin authentication avahi base cups dbus desktop docker
                      kerberos linux mcron networking pm syncthing vpn xorg)
 
 (define efi-system-partition          ; /dev/nvme0n1p1
@@ -73,20 +73,19 @@ EndSection
    (keyboard-layout %british-keyboard)
    (extra-config (list touchpad-xorg-config))))
 
-(define extra-channels
-  (plain-file "channels.scm" "\
-(use-modules (guix channels))
-(cons* (channel
-         (name 'nonguix)
-         (url \"https://gitlab.com/nonguix/nonguix\")
-         ;; Enable signature verification:
-         (introduction
-           (make-channel-introduction
-            \"897c1a470da759236cc11798f4e0a5f7d4d59fbc\"
-            (openpgp-fingerprint
-             \"2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5\"))))
-       %default-channels)
-"))
+(define system-channels
+  #~(begin
+      (use-modules (guix channels))
+      (cons* (channel
+              (name 'nonguix)
+              (url "https://gitlab.com/nonguix/nonguix")
+              ;; Enable signature verification:
+              (introduction
+               (make-channel-introduction
+                "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
+                (openpgp-fingerprint
+                 "2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5"))))
+             %default-channels)))
 
 ;; Nonguix substitute server's signing key.
 ;; From <https://substitutes.nonguix.org/signing-key.pub>.
@@ -345,11 +344,24 @@ support extra features (acr, pmu, gr).")
 
       (set-xorg-configuration custom-xorg-config)
 
+      (service unattended-upgrade-service-type
+        (unattended-upgrade-configuration
+         (schedule "0 21 * * *")   ; every night at 21:00, when the laptop is turned on
+         (maximum-duration (* 40 60))   ; 40 minutes
+         (channels system-channels)
+         (operating-system-expression
+          #~(begin
+              (set! %load-path (cons "/home/timo/src/guix-decls" %load-path))
+              (@ (tw system lap) %lap-system)))
+         (services-to-restart
+          ;; Anything that won't cause disruption when restarting.
+          '(syncthing-timo earlyoom thermald tlp wireguard-wg0 mcron))))
+
       (simple-service 'cronjobs mcron-service-type
         ;; I don't think jobs run on boot if they would have run when the
         ;; computer was turned off, so choose a time when the computer is
         ;; probably turned on.
-        (list #~(job "0 21 * * *" "guix gc -d 2w -F 25G")
+        (list #~(job "45 21 * * *" "guix gc -d 2w -F 25G")  ; after unattended-upgrade
               #~(job "0 22 * * *"  ; after guix gc
                      (string-append #$(file-append util-linux "/sbin/fstrim")
                                     " --fstab --verbose"))))
@@ -361,7 +373,8 @@ support extra features (acr, pmu, gr).")
          (authorized-keys (list nonguix-signing-key))
          (substitute-urls '("https://substitutes.nonguix.org"))))
 
-      (extra-special-file "/etc/guix/channels.scm" extra-channels)
+      (extra-special-file "/etc/guix/channels.scm"
+                          (scheme-file "channels.scm" system-channels))
 
       (modify-services %desktop-services
         (gdm-service-type