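#!/usr/bin/env bash
#
# Maintenance checks for this NixOS flake repository.
#
# Usage: <script> [validate|dry-run]
#   validate  (default) list hosts, scan the tree for obvious committed
#             secrets, check formatting (nixpkgs-fmt), lint (statix) and
#             evaluate every host's toplevel derivation.
#   dry-run   all of the above, then `nix build --dry-run` for every host;
#             no result symlinks are created.
#
# Requirements: bash >= 4.4, nix with flakes enabled, jq. Run from the
# flake root (the `.#` references below are relative to the CWD).
set -euo pipefail

# Append to any NIX_CONFIG the caller already exported so their settings
# survive; the settings this script needs follow. `accept-flake-config =
# false` keeps the flake's own `nixConfig` (extra substituters, trusted
# public keys, ...) from being applied, and every nix command below also
# passes --no-accept-flake-config so this holds even if the env is trimmed.
export NIX_CONFIG="${NIX_CONFIG:-}
experimental-features = nix-command flakes
accept-flake-config = false
warn-dirty = false
"

# Heuristic patterns for material that must not be committed: GitHub
# tokens, nix `access-tokens` settings and NixOS `hashedPassword = ...`
# lines. A hit is reported as a warning; it does not fail the run.
readonly SECRET_PATTERN='github_pat_|ghp_|access-tokens|hashedPassword[[:space:]]*='

#######################################
# Print a diagnostic to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit with status 2.
#######################################
usage() {
  printf 'Usage: %s [validate|dry-run]\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Warn about likely secrets or password hashes anywhere in the tree.
# Globals:  SECRET_PATTERN (read)
# Outputs:  matching lines (file:line:text) and a summary on stdout
# Returns:  0 always; grep errors are reported on stderr, not fatal
#######################################
check_secrets() {
  local rc=0
  echo "Checking for obvious committed secrets..."
  # Options must precede `--`. This script contains SECRET_PATTERN itself,
  # so its own basename is excluded to avoid a guaranteed false positive
  # (any other file with the same basename is skipped too).
  grep -RInE \
    --exclude-dir=.git \
    --exclude=flake.lock \
    --exclude="${BASH_SOURCE[0]##*/}" \
    -e "$SECRET_PATTERN" -- . || rc=$?
  case "$rc" in
    0)
      echo
      echo "WARNING: Potential secrets or password hashes found. Review before committing."
      ;;
    1)
      echo "No obvious token patterns found."
      ;;
    *)
      # grep exits 2 on errors (e.g. unreadable files); the scan may be
      # incomplete, so do not claim the tree is clean.
      printf 'WARNING: grep exited with status %s; secret scan may be incomplete.\n' "$rc" >&2
      ;;
  esac
}

#######################################
# Fail if the Nix sources are not formatted per nixpkgs-fmt.
#######################################
check_formatting() {
  echo "Checking Nix formatting with nixpkgs-fmt..."
  nix run --no-accept-flake-config nixpkgs#nixpkgs-fmt -- --check .
}

#######################################
# Run statix lints over the tree; a non-zero status aborts the script.
#######################################
run_lint() {
  echo "Running statix lint..."
  nix run --no-accept-flake-config nixpkgs#statix -- check .
}

#######################################
# Evaluate and print the toplevel .drv path of each host.
# Arguments: host names (attribute names under nixosConfigurations)
#######################################
eval_toplevels() {
  local host drv
  echo "Evaluating host toplevel derivations..."
  for host in "$@"; do
    printf '==> %s\n' "$host"
    # --raw prints no trailing newline; capture so the next header starts
    # on its own line.
    drv="$(nix eval --raw --no-accept-flake-config \
      ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath")"
    printf '%s\n' "$drv"
  done
}

#######################################
# Dry-run build of each host's toplevel; nothing is realised or linked.
# Arguments: host names
#######################################
dry_run_builds() {
  local host
  echo "Running dry-run builds for all hosts. This will not create result symlinks."
  for host in "$@"; do
    printf '==> Dry-run build: %s\n' "$host"
    nix build --dry-run --no-link --no-accept-flake-config \
      ".#nixosConfigurations.${host}.config.system.build.toplevel"
  done
}

#######################################
# Entry point.
# Arguments: $1 - mode, "validate" (default) or "dry-run"; any other
#                 value is rejected instead of silently meaning validate
#######################################
main() {
  local mode="${1:-validate}"
  case "$mode" in
    validate|dry-run) ;;
    -h|--help) usage ;;
    *)
      printf 'Unknown mode: %s\n' "$mode" >&2
      usage
      ;;
  esac

  local tool
  for tool in nix jq; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done

  # Host names come from the flake as a JSON array; keep them in an array
  # rather than relying on word-splitting an unquoted string.
  local hosts_json host_list
  hosts_json="$(nix eval --json --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames)" \
    || die "failed to evaluate .#nixosConfigurations"
  host_list="$(jq -r '.[]' <<<"$hosts_json")" || die "failed to parse host list"
  local -a hosts=()
  if [[ -n "$host_list" ]]; then
    mapfile -t hosts <<<"$host_list"
  fi

  echo "Hosts:"
  if (( ${#hosts[@]} == 0 )); then
    printf 'WARNING: no hosts found under .#nixosConfigurations\n' >&2
  else
    printf '%s\n' "${hosts[@]}"
  fi

  echo
  check_secrets
  echo
  check_formatting
  echo
  run_lint

  if (( ${#hosts[@]} > 0 )); then
    echo
    eval_toplevels "${hosts[@]}"
    if [[ "$mode" == "dry-run" ]]; then
      echo
      dry_run_builds "${hosts[@]}"
    fi
  fi

  echo
  echo "Maintenance checks complete."
}

main "$@"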