Faultless auto-update

auto-update.nix

@@ -0,0 +1,21 @@
+{ pkgs, ...}:
+{
+  systemd.services.nixos-update = {
+    description = "NixOS Update";
+    serviceConfig.Type = "oneshot";
+    script = ''
+      # Using su is more faultless than trying to reproduce the environment in
+      # the way how it implemented in nixos/modules/tasks/auto-upgrade.nix
+      ${pkgs.su}/bin/su root -c 'nix-channel --update'
+      ${pkgs.su}/bin/su root -c 'NIXOS_LABEL=auto-update nixos-rebuild boot --upgrade'
+    '';
+  };
+
+  systemd.timers.nixos-update = {
+    description = "Run NixOS Update 30m after the start and then every 6h";
+    timerConfig.OnBootSec = "30m";
+    timerConfig.OnUnitInactiveSec = "6h";
+    timerConfig.Unit = "nixos-update.service";
+    wantedBy = ["timers.target"];
+  };
+}

configuration.nix

@@ -18,6 +18,7 @@ in {
       ./docker.nix
       ./home-manager.nix
       ./thinkpad.nix
+      ./auto-update.nix
     ];
 
   time.timeZone = "UTC";
@@ -53,15 +54,7 @@ in {
   boot.loader.efi.canTouchEfiVariables = true;
   boot.tmpOnTmpfs = true;
 
-  # force update all channels
-  systemd.services.nixos-upgrade.serviceConfig.ExecStartPre =
-    "/bin/sh -c '${pkgs.nix}/bin/nix-channel --update'";
-
-  systemd.timers.nixos-upgrade.timerConfig.OnBootSec = "30m";
-  systemd.timers.nixos-upgrade.timerConfig.Persistent = true;
-
-  system.stateVersion = "19.03";
-  system.autoUpgrade.enable = true;
+  system.stateVersion = "19.09";
 
   nix.optimise.automatic = true;
   nix.gc.automatic = true;