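#!/usr/bin/env bash
#
# Maintenance checks for this NixOS flake: lists the hosts, scans the tree
# for obvious committed secrets, checks formatting (nixpkgs-fmt) and lint
# (statix), and evaluates every host's toplevel derivation.
#
# Usage: bash scripts/<this script> [validate|dry-run]
#   validate  (default) run all checks
#   dry-run   additionally run `nix build --dry-run` for every host
#
# Environment:
#   NIX_CONFIG  optional; the settings below are appended to it
#   HOME        used to locate a single-user Nix profile
#
# Exit status: 0 on success, 2 on bad usage, 127 if nix or jq is missing,
# otherwise the status of the first failing check.
set -euo pipefail

# Enable flakes for this process only and refuse nixConfig settings embedded
# in flakes (a flake could otherwise inject substituters or trusted keys).
# The same policy is repeated per command via --no-accept-flake-config so it
# holds even if the caller's NIX_CONFIG is later overridden.
# warn-dirty = false silences the "Git tree is dirty" warning on eval.
# Settings in NIX_CONFIG are newline-separated, so this string spans lines.
export NIX_CONFIG="${NIX_CONFIG:-}
experimental-features = nix-command flakes
accept-flake-config = false
warn-dirty = false
"

# Ref used to fetch the formatter and linter. NOTE(review): this is a branch
# ref, not a commit, so tool versions can move with the branch and are not
# covered by flake.lock.
readonly NIXPKGS_REF="github:NixOS/nixpkgs/nixos-25.11"
# Flags applied to every nix invocation: no registry lookups, no flake config.
readonly -a NIX_FLAGS=(--no-use-registries --no-accept-flake-config)

#######################################
# Print an error to stderr and exit.
# Arguments: $1 - exit status, rest - message
#######################################
die() {
  local code=$1
  shift
  printf 'ERROR: %s\n' "$*" >&2
  exit "$code"
}

usage() {
  printf 'Usage: %s [validate|dry-run]\n' "${BASH_SOURCE[0]##*/}" >&2
  exit 2
}

#######################################
# Source the Nix profile script if one exists (multi-user first, then
# single-user), so `nix` is on PATH in non-login shells. No-op otherwise.
# Globals: HOME (read), PATH (written by the sourced script)
#######################################
ensure_nix_profile() {
  local multi_user=/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
  local single_user="${HOME:-}/.nix-profile/etc/profile.d/nix.sh"
  if [[ -f "$multi_user" ]]; then
    # shellcheck disable=SC1090
    . "$multi_user"
  elif [[ -f "$single_user" ]]; then
    # shellcheck disable=SC1090
    . "$single_user"
  fi
}

#######################################
# Abort with status 127 unless both external tools this script needs exist.
#######################################
require_tools() {
  command -v nix >/dev/null 2>&1 \
    || die 127 "nix is not available in PATH. Run bash scripts/codex-setup.sh first."
  command -v jq >/dev/null 2>&1 \
    || die 127 "jq is not available in PATH; it is needed to parse the host list."
}

#######################################
# Grep the tree for token prefixes and inline password hashes.
# grep exits 0 on a hit, 1 on no hit and >1 on an error; `if grep` would
# report an error as "nothing found", so the status is inspected explicitly.
# This script is excluded from the scan because it contains the patterns
# themselves and would otherwise always trigger the warning.
# Returns: 0 (a hit is a warning, not a failure); exits on grep error.
#######################################
scan_for_secrets() {
  printf '\nChecking for obvious committed secrets...\n'
  local rc=0
  grep -RInE 'github_pat_|ghp_|access-tokens|hashedPassword[[:space:]]*=' \
    --exclude-dir=.git \
    --exclude=flake.lock \
    --exclude="${BASH_SOURCE[0]##*/}" \
    . || rc=$?
  case "$rc" in
    0) printf '\nWARNING: Potential secrets or password hashes found. Review before committing.\n' ;;
    1) printf 'No obvious token patterns found.\n' ;;
    *) die "$rc" "secret scan failed (grep exited $rc)" ;;
  esac
}

check_formatting() {
  printf '\nChecking Nix formatting with nixpkgs-fmt...\n'
  nix run "${NIX_FLAGS[@]}" "${NIXPKGS_REF}#nixpkgs-fmt" -- --check .
}

run_statix() {
  printf '\nRunning statix lint...\n'
  nix run "${NIX_FLAGS[@]}" "${NIXPKGS_REF}#statix" -- check .
}

#######################################
# Evaluate each host's toplevel drvPath; any evaluation error aborts (set -e).
# Arguments: host names
#######################################
evaluate_hosts() {
  printf '\nEvaluating host toplevel derivations...\n'
  local host
  for host in "$@"; do
    printf '==> %s\n' "$host"
    nix eval --raw "${NIX_FLAGS[@]}" \
      ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath"
    # --raw prints no trailing newline; add one so the next header is on its own line.
    printf '\n'
  done
}

#######################################
# Dry-run build each host's toplevel without creating result symlinks.
# Arguments: host names
#######################################
dry_run_builds() {
  printf '\nRunning dry-run builds for all hosts. This will not create result symlinks.\n'
  local host
  for host in "$@"; do
    printf '==> Dry-run build: %s\n' "$host"
    nix build --dry-run --no-link "${NIX_FLAGS[@]}" \
      ".#nixosConfigurations.${host}.config.system.build.toplevel"
  done
}

main() {
  (( $# <= 1 )) || usage
  local mode="${1:-validate}"
  # Reject unknown modes instead of silently treating them as "validate".
  case "$mode" in
    validate|dry-run) ;;
    *) usage ;;
  esac

  ensure_nix_profile
  require_tools

  # Assigned at top level so a failing `nix eval` aborts under set -e
  # (a failure inside the process substitution below would not).
  local hosts_json
  hosts_json="$(nix eval --json "${NIX_FLAGS[@]}" .#nixosConfigurations --apply builtins.attrNames)"
  local -a hosts=()
  mapfile -t hosts < <(jq -r '.[]' <<<"$hosts_json")
  # Also catches a jq failure, which would otherwise yield an empty list.
  (( ${#hosts[@]} > 0 )) \
    || die 1 "no nixosConfigurations found in the flake; nothing to validate"

  printf 'Hosts:\n'
  printf '%s\n' "${hosts[@]}"

  scan_for_secrets
  check_formatting
  run_statix
  evaluate_hosts "${hosts[@]}"
  if [[ "$mode" == "dry-run" ]]; then
    dry_run_builds "${hosts[@]}"
  fi
  printf '\nMaintenance checks complete.\n'
}

main "$@"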