From afea7fe5e77b057f7da2bec38f70d3ba300271eb Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Wed, 19 Jun 2024 11:24:33 +0000
Subject: [PATCH] scripts/deploy: implement a dry-run mode

---
 scripts/deploy | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/scripts/deploy b/scripts/deploy
index 34b2e0fc..0b56bacb 100755
--- a/scripts/deploy
+++ b/scripts/deploy
@@ -9,6 +9,7 @@ usage() {
   echo "usage: deploy [options] [host] [host2 ...]"
   echo "options:"
   echo "- --action copy|switch|test   (default: 'switch')"
+  echo "- --dry-run: show what would be done without actually doing it"
   echo "- --variant light|min|''|all  (default: '')"
   echo "- --pre: alias for --action copy --variant all all"
   echo ""
@@ -30,6 +31,7 @@ defaultHost="$SELF"
 variants=()
 defaultVariant=
 nixArgs=()
+dryRun=
 addHost() {
   if [ "$1" = all ]; then
     # order matters:
@@ -72,6 +74,9 @@ parseArgs() {
         defaultVariant=all
         defaultHost=all
         ;;
+      (--dry-run)
+        dryRun=1
+        ;;
       (*)
         nixArgs+=("$arg")
         ;;
@@ -86,6 +91,14 @@ parseArgs() {
   fi
 }
 
+destructive() {
+  if [ -z "$dryRun" ]; then
+    "$@"
+  else
+    echo "dry-run: $@"
+  fi
+}
+
 runOnTarget() {
   # run the command ($@) on the machine we're deploying to.
   # if that's a remote machine, then do it via ssh, else local shell.
@@ -104,7 +117,7 @@ deployOneHost() {
   local variant="$2"
 
   info "building $host$variant ..."
-  nix-build -A "hosts.$host$variant.toplevel" --out-link "./build/result-$host$variant" "${nixArgs[@]}" || return 1
+  destructive nix-build -A "hosts.$host$variant.toplevel" --out-link "./build/result-$host$variant" "${nixArgs[@]}" || return 1
   storePath="$(readlink ./build/result-$host$variant)"
   info "build $host$variant -> $storePath"
 
@@ -120,20 +133,20 @@ deployOneHost() {
   if [ -n "$host" ] && [ "$host" != "$SELF" ]; then
     if [ -e /run/secrets/nix_signing_key ]; then
       info "signing store paths ..."
-      sudo nix store sign -r -k /run/secrets/nix_signing_key "$storePath"
+      destructive sudo nix store sign -r -k /run/secrets/nix_signing_key "$storePath"
     else
       info "not signing store paths: /run/secrets/nix_signing_key does not exist"
     fi
     # add more `-v` for more verbosity (up to 5).
     # builders-use-substitutes false: optimizes so that the remote machine doesn't try to get paths from its substituters.
     #   we already have all paths here, and the remote substitution is slow to check and SERIOUSLY flaky on moby in particular.
-    nix copy -vv --option builders-use-substitutes false --to "ssh-ng://$host" "$storePath" || return 1
+    destructive nix copy -vv --option builders-use-substitutes false --to "ssh-ng://$host" "$storePath" || return 1
   fi
 
   if [ -n "$action" ] && [ "$action" != "copy" ]; then
     info "activating profile... "
-    runOnTarget sudo nix-env -p /nix/var/nix/profiles/system --set "$storePath" || return 1
-    runOnTarget sudo "$storePath/bin/switch-to-configuration" "$action" || return 1
+    destructive runOnTarget sudo nix-env -p /nix/var/nix/profiles/system --set "$storePath" || return 1
+    destructive runOnTarget sudo "$storePath/bin/switch-to-configuration" "$action" || return 1
   fi
 }