computer-playbook/roles/dev-nix/tasks/install.yml

---
# Install Nix using a locally stored installer script with SHA256 verification.

- name: Ensure Nix installer script is present on target
  ansible.builtin.copy:
    src: "{{ dev_nix_installer_source }}"
    dest: "{{ dev_nix_installer_dest }}"
    mode: "0755"
  become: true

- name: Verify Nix installer SHA256 checksum
  ansible.builtin.command: >
    sh -c "sha256sum '{{ dev_nix_installer_dest }}' | awk '{print $1}'"
  register: dev_nix_checksum_result
  changed_when: false
  become: true

- name: Fail if Nix installer checksum does not match
  ansible.builtin.fail:
    msg: >-
      Nix installer checksum mismatch.
      Expected '{{ dev_nix_installer_sha256 }}', got '{{ dev_nix_checksum_result.stdout }}'.
      Refusing to execute the installer.
  when: dev_nix_checksum_result.stdout != dev_nix_installer_sha256

# Nix multi-user (daemon) mode: creates /nix/store when successful.
- name: Run Nix installer in daemon (multi-user) mode if Nix is not installed
  ansible.builtin.shell: >
    "{{ dev_nix_installer_dest }}" --daemon
  args:
    creates: "/nix/store"
  become: true

- name: Optionally drop shell snippet for Nix
  ansible.builtin.copy:
    dest: "{{ dev_nix_shell_snippet_path }}"
    mode: "0644"
    content: |
      # Added by dev-nix Ansible role
      if [ -e /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]; then
        . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
      fi
  when: dev_nix_enable_shell_snippet | bool
  become: true