From 4d05a6fbe9ea979ead788081e7a11ddf4571c0ba Mon Sep 17 00:00:00 2001
From: Yan Lin
Date: Mon, 24 Nov 2025 01:12:16 +0100
Subject: [PATCH] add automatic container update logic
---
 hosts/nixos/hs/system.nix | 6 ++++++
 modules/podman.nix | 42 +++++++++++++++++++++++++++++++++++----
 2 files changed, 44 insertions(+), 4 deletions(-)
diff --git a/hosts/nixos/hs/system.nix b/hosts/nixos/hs/system.nix
index 84f179f..67bb983 100644
--- a/hosts/nixos/hs/system.nix
+++ b/hosts/nixos/hs/system.nix
@@ -12,6 +12,12 @@
 ../../../modules/samba.nix
 ];
 
+ # Automatic container updates
+ virtualisation.podman.autoUpdate = {
+ enable = true;
+ interval = "Wed *-*-* 06:00:00";
+ };
+
 # GRUB bootloader with ZFS support
 boot.loader.grub = {
 enable = true;
diff --git a/modules/podman.nix b/modules/podman.nix
index 029bf35..543b034 100644
--- a/modules/podman.nix
+++ b/modules/podman.nix
@@ -1,6 +1,10 @@
 { config, pkgs, lib, ... }:
 
+with lib;
+
 let
+ cfg = config.virtualisation.podman;
+
 # System-wide script for updating containers (works with sudo)
 update-containers-script = pkgs.writeShellScriptBin "update-containers" ''
 echo "Scanning running containers..."
@@ -43,8 +47,20 @@ let
 '';
 in {
- # Container virtualization with Podman
- virtualisation = {
+ options.virtualisation.podman.autoUpdate = {
+ enable = mkEnableOption "automatic container updates";
+
+ interval = mkOption {
+ type = types.str;
+ default = "daily";
+ example = "*-*-* 03:00:00";
+ description = "Systemd timer schedule for automatic updates (OnCalendar format)";
+ };
+ };
+
+ config = {
+ # Container virtualization with Podman
+ virtualisation = {
 podman = {
 enable = true;
 # Create a `docker` alias for podman, to use it as a drop-in replacement
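Review bot: `with lib;` at the top of modules/podman.nix brings every lib attribute into scope for the whole file, which hides where `mkEnableOption`, `mkOption`, `types` and `mkIf` come from and lets a lib name silently shadow a local one; nixpkgs module style prefers an explicit `inherit (lib) mkEnableOption mkIf mkOption types;` placed inside the `let` next to the new `cfg` binding. The later hunks only ever read `cfg.autoUpdate.*`, so binding `cfg = config.virtualisation.podman.autoUpdate;` would shorten those call sites, though the current form is correct. The `let` block this hunk opens continues past the end of the hunk.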
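Review bot: `interval` is declared as `types.str` and, per the next hunk, is passed straight through as `OnCalendar`, so a malformed calendar expression is only rejected when systemd loads the timer after activation rather than at evaluation time; the description should say so and point at the check, e.g. `description = "Systemd timer schedule for automatic updates (OnCalendar format); validate with `systemd-analyze calendar`";`. The option is also declared under `virtualisation.podman`, which is the upstream NixOS option namespace for podman; if nixpkgs ever declares an option of the same name, evaluation will fail with a duplicate-option error, so a project-specific namespace would be the more defensive choice. The `in { … }` attribute set opened here closes outside the hunk.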
@@ -62,7 +78,25 @@ in
 };
 };
 
- # Make update-containers available system-wide (works with sudo)
- environment.systemPackages = [ update-containers-script ];
+ # Make update-containers available system-wide (works with sudo)
+ environment.systemPackages = [ update-containers-script ];
 
+ # Automatic container updates via systemd timer
+ systemd.services.container-update-all = mkIf cfg.autoUpdate.enable {
+ description = "Automatic Podman container updates";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${update-containers-script}/bin/update-containers";
+ };
+ };
+
+ systemd.timers.container-update-all = mkIf cfg.autoUpdate.enable {
+ description = "Timer for automatic Podman container updates";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = cfg.autoUpdate.interval;
+ Persistent = true;
+ };
+ };
+ };
 }
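Review bot: `systemd.services.container-update-all` has no ordering on the network, and because the timer sets `Persistent = true` a run missed while the host was down fires immediately at the next boot, quite possibly before the registry is reachable, so the image pull fails silently until the following scheduled run; add `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` to the service, and if the script invokes `podman` unqualified (its body sits in the `let` block outside this hunk) also `path = [ pkgs.podman ];`, since a system service does not inherit the interactive PATH. This unit runs as root on a schedule and replaces running containers unattended, and nothing in the hunk shows whether images are pinned by digest or checked against a signature policy, so that belongs in the script review or in a comment on the service. Podman's own `podman auto-update` (driven by the `io.containers.autoupdate` container label and its `podman-auto-update.timer`) does the same job and rolls back a unit whose updated container fails to start, which is worth comparing against the custom script before relying on it.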