From 372c612f22fdb7c5b4f74b4ebd113728a56aa91c Mon Sep 17 00:00:00 2001
From: Hunter Halloran
Date: Thu, 11 Dec 2025 12:11:23 -0500
Subject: [PATCH] switch update-system to systemd service

---
 sw/default.nix | 15 ++-------
 sw/shared-services.nix | 70 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 13 deletions(-)
 create mode 100644 sw/shared-services.nix

diff --git a/sw/default.nix b/sw/default.nix
index 6826768..635bb36 100644
--- a/sw/default.nix
+++ b/sw/default.nix
@@ -22,6 +22,7 @@ in
 imports = [
 ./python.nix
 ./ghostty.nix
+ ./shared-services.nix
 ];
 
 options.modules.sw = {
@@ -76,19 +77,7 @@ in
 inputs.agenix.packages.${stdenv.hostPlatform.system}.default
 # Custom update script
 (writeShellScriptBin "update-system" ''
- HOSTNAME=$(hostname)
- FLAKE_URI="github:UGA-Innovation-Factory/nixos-systems"
-
- # Pass arguments like --impure to nixos-rebuild
- EXTRA_ARGS="$@"
-
- if [[ "$HOSTNAME" == nix-surface* ]]; then
- echo "Detected Surface tablet. Using remote build host."
- sudo nixos-rebuild switch --flake "$FLAKE_URI" --build-host engr-ugaif@192.168.11.133 --refresh $EXTRA_ARGS
- else
- echo "Updating local system..."
- sudo nixos-rebuild switch --flake "$FLAKE_URI" --refresh $EXTRA_ARGS
- fi
+ systemctl start update-system
 '')
 ];
 }
diff --git a/sw/shared-services.nix b/sw/shared-services.nix
new file mode 100644
index 0000000..69f26c6
--- /dev/null
+++ b/sw/shared-services.nix
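Review bot: The new body `systemctl start update-system` silently discards any arguments the caller passes, although the removed comment documented `--impure` pass-through as a supported use, so `update-system --impure` now performs a plain rebuild with no warning. Consider rejecting them explicitly, e.g. `if [ $# -gt 0 ]; then echo "update-system: arguments are no longer accepted; adjust the update-system unit instead" >&2; exit 64; fi`. Because the rebuild now runs as a oneshot unit, its output goes to the journal rather than the terminal; a line such as `echo "Follow progress with: journalctl -fu update-system"` before the start call would preserve the feedback the old echo lines gave. The wrapper also no longer goes through sudo, so whoever may trigger a root rebuild is now decided solely by the polkit rule in sw/shared-services.nix.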
@@ -0,0 +1,70 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+with lib;
+
+{
+ options.modules.sw.remoteBuild = lib.mkOption {
+ type = types.submodule {
+ options = {
+ hosts = mkOption {
+ type = types.listOf types.str;
+ default = [ "engr-ugaif@192.168.11.133 x86_64-linux" ];
+ description = "List of remote build hosts for system rebuilding.";
+ };
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to enable remote build for 'update-system' command.";
+ };
+ };
+ };
+ default = { };
+ description = "Remote build configuration";
+ };
+
+ config = {
+ modules.sw.remoteBuild.enable = lib.mkDefault (config.modules.sw.type == "tablet-kiosk");
+
+ systemd.services.update-system = {
+ enable = true;
+ description = "System daemon to one-shot run the Nix updater from fleet flake as root";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart =
+ let
+ hosts = config.modules.sw.remoteBuild.hosts;
+ builders = lib.strings.concatMapStringsSep ";" (x: x) hosts;
+ rebuildCmd = "${pkgs.nixos-rebuild}/bin/nixos-rebuild switch --refresh";
+ source = "--flake github:UGA-Innovation-Factory/nixos-systems";
+ remoteBuildFlags = if config.modules.sw.remoteBuild.enable
+ then
+ ''--builders "${builders}"''
+ else "";
+ in
+ "${rebuildCmd} ${remoteBuildFlags} ${source}#${config.networking.hostName}";
+ User = "root";
+ Group = "root";
+ };
+ };
+
+ security.polkit = {
+ enable = true;
+ extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (action.id == "org.freedesktop.systemd1.manage-units" &&
+ action.lookup("unit") == "update-system.service" &&
+ action.lookup("verb") == "start" &&
+ subject.isInGroup("users")) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+ };
+ };
+}
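Review bot: The polkit rule at the end of the hunk lets every member of `users` start `update-system.service` without authentication, and that unit runs `nixos-rebuild switch --refresh` as root against the unpinned `github:UGA-Innovation-Factory/nixos-systems` flake, where the removed script was gated by sudo. If any local user being able to trigger a root rebuild is intended, record it next to the rule, e.g. `# Any member of "users" may start this unit; trust rests on the flake ref, not on the caller.`, otherwise narrow the check to `wheel` or a dedicated group. The `--builders` flag in `remoteBuildFlags` does not force remote building the way the old `--build-host` did — without something like `--max-jobs 0` Nix may still build locally on the tablet, and it presumably relies on root's SSH configuration reaching the listed host, so both are worth confirming. Since the unit runs outside a login shell, check that the `${pkgs.nixos-rebuild}` wrapper finds `git` and `nix` for the flake fetch, or supply them through the service's `path`. Minor: `lib.strings.concatMapStringsSep ";" (x: x) hosts` is simply `lib.concatStringsSep ";" hosts`, and `enable = true;` on the service is the default.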