NixOS allows you to "test" your system configurations before you boot into them. That's really cool and helps weed out a bunch of errors. Unfortunately, NixOS also allows you to write system configurations that result in your machine (mainly systemd on the machine) throwing up its hands and going "I have no idea how you want me to operate", locking you out of SSH access but requiring a reboot into a working configuration.
One example is the fileSystems attrset: If you add a mount point referencing a block device that doesn't exist, your system configuration will build, but nixos-rebuild test will cause systemd to enter emergency mode and then, good luck getting out of it.
The NixOS module in this repo is meant to help you avoid those situations!
Since a nixos system configuration possibly gets "built" somewhere other than the machine it runs on (and even if it's built on the same machine, it's in a sandbox), we can not rely on the build process to find all the issues.
Instead, this module writes an additional script into the system config closure's "out" directory, which just sits there most times (it's named pre-activate-safety-checks by default). This script is ignored and not used at all by nixos-rebuild, however.
But! If you're using a safety-aware deploy tool (e.g. deploy-flake by the author), you can instruct it to run the safety check program before activating your system; if that exits with a non-0 status, your tool knows that the system configuration isn't safe to apply and can exit before your machine drops off the network.
- Add it to your flake:
inputs = { # ... preroll-safety = "github:boinkor-net/preroll-safety"; }
- Include it as a module in your nixos configuration:
lib.nixosSystem { modules = [ inputs.preroll-safety.nixosModules.default # ... ] }
- Enable writing the safety script, in your system config:
preroll-safety.enable = true;
The repo comes with a few pre-defined checks. You can define your own, too. See those checks for examples! There are some nixos-vm based tests also.