profiles/server: add unattended system upgrades as a subcategory

modules/nixos/profiles/server.nix

@@ -12,6 +12,7 @@ in
     headless.enable = lib.mkEnableOption "configuration for headless servers";
     hardened-config.enable = lib.mkEnableOption "additional hardened configuration for NixOS systems";
     cleanup.enable = lib.mkEnableOption "cleanup service for the system";
+    auto-upgrade.enable = lib.mkEnableOption "unattended system upgrades";
   };
 
   config = lib.mkIf cfg.enable (lib.mkMerge [
@@ -118,6 +119,27 @@ in
       };
     })
 
+    (lib.mkIf cfg.auto-upgrade.enable {
+      system.autoUpgrade = {
+        enable = true;
+        flake = "github:foo-dogsquared/nixos-config";
+        allowReboot = true;
+        persistent = true;
+        rebootWindow = {
+          lower = "22:00";
+          upper = "00:00";
+        };
+        dates = "weekly";
+        flags = [
+          "--update-input"
+          "nixpkgs"
+          "--commit-lock-file"
+          "--no-write-lock-file"
+        ];
+        randomizedDelaySec = "1min";
+      };
+    })
+
     (lib.mkIf cfg.cleanup.enable {
       # Weekly garbage collection of Nix store. Unlike in the desktop config,
       # this has looser requirements for the store items age for up to 21 days