flake.nix

@@ -30,7 +30,6 @@
             packages = with pkgs; [
               agenix.packages.${system}.default
               just
-              nh
               nixfmt-rfc-style
               statix
             ];

justfile

@@ -5,25 +5,20 @@ check:
     nix flake check
 
 switch *args:
-    @sudo -v
+    bash switch.sh {{ justfile_directory() }} {{args}}
-    nh os switch --no-nom --ask . -- --keep-going {{args}}
 
 rollback:
-    @sudo -v
     sudo nixos-rebuild switch --rollback
 
 boot *args:
-    @sudo -v
+    sudo nixos-rebuild boot --flake {{ justfile_directory() }} --keep-going {{args}}
-    nh os boot --no-nom --ask . -- --keep-going {{args}}
 
 deploy system user="leo":
     #!/usr/bin/env bash
-    set -euxo pipefail
+    set -euo pipefail
     flake=$(nix eval --impure --raw --expr "(builtins.getFlake \"git+file://$PWD\").outPath")
     nix copy "$flake" --to "ssh://{{user}}@{{system}}"
-    # -R/--bypass-root-check is needed because of a Git CVE regression in Nix 2.20
+    ssh -t "{{user}}@{{system}}" "bash $flake/switch.sh $flake"
-    # See NixOS/nix#10202, viperML/nh#200
-    ssh -t "{{user}}@{{system}}" "sudo flock -w 60 /dev/shm/deploy-{{system}} nix run n#nh -- os switch --no-nom -R -H {{system}} --ask $flake"
 
 lint *args:
     statix check -i flake.nix **/hardware-configuration.nix {{args}}

switch.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+bold=$(tput bold)
+reset=$(tput sgr0)
+
+flake="$1"
+
+echo "${bold}Building configuration...$reset"
+configuration=$(sudo nixos-rebuild dry-activate --flake "$flake" --keep-going "${@:2}")
+echo "$configuration"
+
+nix run "$flake#nixosConfigurations.$(hostname).pkgs.nvd" -- diff /run/current-system "$configuration"
+
+read -n1 -rp "${bold}Activate new configuration? [y/N]$reset " answer
+echo
+
+if [[ $answer =~ ^[Yy]$ ]]; then
+  sudo "$configuration/bin/switch-to-configuration" switch
+else
+  echo "${bold}Not activating :($reset"
+  exit 1
+fi