NixOS module import: how to run arbitrary check scripts

For my headscale service definition, I’d like to run a check on the acl.json policy file at build time. What is the best way to do so? I currently add to environment.systemPackages a stub package that calls headscale policy check -f, but this seems clunky:

  environment.systemPackages = [
    (pkgs.stdenv.mkDerivation {
      name = "headscale-check-acl";
      src = ./acl.json;
      phases = [
        "installPhase"
        "checkPhase"
      ];
      installPhase = ''
        install -D $src $out/acl.json
      '';
      doCheck = true;
      checkPhase = ''
        ${config.services.headscale.package}/bin/headscale policy check -f $out/acl.json
      '';
    })
  ];

Answering my own question – it looks like pkgs.writeTextFile with a checkPhase is used in nixpkgs:

  aclFile = pkgs.writeTextFile {
    name = "acl.json";
    text = builtins.readFile ./acl.json;
    checkPhase = "${config.services.headscale.package}/bin/headscale policy check -f ${./acl.json}";
  };

Use system.checks instead of environment.systemPackages. It’s built for precisely this purpose.

Also, if the whole purpose is just the check, I would just use pkgs.runCommand. It’s less boilerplate than either approach you’ve shown here. (And avoids reading the file contents into a string just to put it back into a file…)

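The suggestion in the last reply (system.checks plus pkgs.runCommand), written out as an added example that is not code from any poster in this thread. It reuses the derivation name and the headscale command from the question, and assumes acl.json sits next to the module and that headscale policy check can run inside the build sandbox without a server config file or network access.

```nix
{ config, pkgs, ... }:

let
  # Bind the policy file once so the check and the service refer to the
  # same store path. Point the headscale policy setting at aclFile as well,
  # so that the file that was validated is the file that gets deployed.
  aclFile = ./acl.json;
in
{
  # system.checks entries are built as dependencies of the system closure:
  # if the derivation fails, nixos-rebuild fails before activation, and
  # nothing is added to the user-facing PATH.
  system.checks = [
    (pkgs.runCommand "headscale-check-acl" { } ''
      # Same command as in the question; a non-zero exit aborts the build.
      ${config.services.headscale.package}/bin/headscale policy check -f ${aclFile}

      # runCommand must produce $out; an empty marker file is enough.
      touch $out
    '')
  ];
}
```

Because the check is a derivation keyed on the file's contents and the headscale package, it only re-runs when either of those changes.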