diff --git a/hosts/nb/users/codex-cli.nix b/hosts/nb/users/codex-cli.nix
index 9bd826d..0168196 100644
--- a/hosts/nb/users/codex-cli.nix
+++ b/hosts/nb/users/codex-cli.nix
@@ -14,10 +14,30 @@ in {
     python314 # useful for codex model use
     jq # useful for JSON processing
     (pkgs.writeShellScriptBin "codex" ''
-      #!/usr/bin/env bash
-      export TMPDIR="''${TMPDIR:-$HOME/.cache/codex-tmp}"
-      export XDG_RUNTIME_DIR="''${XDG_RUNTIME_DIR:-$HOME/.cache/xdg-runtime}"
-      exec ${npmPrefix}/bin/codex "$@"
+      #!${pkgs.bash}/bin/bash
+      set -euo pipefail
+
+      # Required dirs
+      mkdir -p "$HOME/.cache/codex-tmp" "$HOME/.cache/xdg-runtime" "$HOME/.config" "$HOME/.cache" "$HOME/.local/share"
+      chmod 700 "$HOME/.cache/codex-tmp" "$HOME/.cache/xdg-runtime" "$HOME/.config" "$HOME/.local/share"
+
+      # Pass through cert vars if present (avoids TLS issues)
+      EXTRA_ENV=()
+      [ -n "''${SSL_CERT_FILE-}" ] && EXTRA_ENV+=(SSL_CERT_FILE="$SSL_CERT_FILE")
+      [ -n "''${NIX_SSL_CERT_FILE-}" ] && EXTRA_ENV+=(NIX_SSL_CERT_FILE="$NIX_SSL_CERT_FILE")
+
+      exec env -i \
+        HOME="$HOME" \
+        USER="''${USER:-$LOGNAME}" \
+        SHELL="''${SHELL:-${pkgs.bash}/bin/bash}" \
+        PATH="/run/current-system/sw/bin:/usr/bin:/bin" \
+        XDG_RUNTIME_DIR="$HOME/.cache/xdg-runtime" \
+        TMPDIR="$HOME/.cache/codex-tmp" \
+        XDG_CONFIG_HOME="$HOME/.config" \
+        XDG_CACHE_HOME="$HOME/.cache" \
+        XDG_DATA_HOME="$HOME/.local/share" \
+        "''${EXTRA_ENV[@]}" \
+        ${npmPrefix}/bin/codex "$@"
     '')
   ];
 
@@ -40,11 +60,6 @@ in {
     NPM_CONFIG_PREFIX = npmPrefix;
   };
 
-  home.activation.ensureCodexDirs = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
-    install -d -m 700 "${config.home.homeDirectory}/.cache/codex-tmp"
-    install -d -m 700 "${config.home.homeDirectory}/.cache/xdg-runtime"
-  '';
-
   # Auto-install @openai/codex if it's not already there
   # (idempotent on each `home-manager switch`)
   home.activation.installCodexCli = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
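Review bot: `USER="''${USER:-$LOGNAME}"` on the `exec env -i` line is expanded under `set -u`, so a session where neither USER nor LOGNAME is exported aborts the wrapper with an unbound-variable error instead of taking the fallback; give the fallback its own default, `USER="''${USER:-''${LOGNAME-}}"`. The `mkdir -p` / `chmod 700` pair leaves the private `codex-tmp` and `xdg-runtime` directories at the umask default between the two calls and, unlike the removed activation hook it replaces, also re-tightens `$HOME/.config` and `$HOME/.local/share` on every invocation, a side effect other programs in the account may not expect; creating only the wrapper's own directories with `install -d -m 700 "$HOME/.cache/codex-tmp" "$HOME/.cache/xdg-runtime"` keeps the mode atomic and the effect local. With `env -i` the child also loses TERM, LANG/LC_* and any HTTP(S)_PROXY/NO_PROXY settings, so the terminal UI and TLS connections through a proxy are likely to misbehave even though the cert variables are forwarded; if a minimal environment is intended, forward those the same way and note the choice in the `# Pass through cert vars` comment.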