From e126e33d547fc5546a090bb8e4e27ed558272492 Mon Sep 17 00:00:00 2001
From: joshp123
Date: Sun, 15 Feb 2026 15:31:39 -0800
Subject: [PATCH] Stamp deployed revision and verify after switch

Set system.configurationRevision from flake rev and have fleet switch verify it matches the deployed git SHA.
---
 flake.nix | 9 +++++++++
 scripts/fleet-switch-nixos.sh | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index 16f3eab..7529ae7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,6 +13,11 @@
 systems = [ "x86_64-linux" "aarch64-linux" ];
 forAllSystems = f: lib.genAttrs systems (system: f system);
 clawbotOverlay = nix-openclaw.overlays.default;
+
+ revisionModule = { ... }: {
+ system.configurationRevision =
+ if self ? rev then self.rev else (self.dirtyRev or null);
+ };
 in
 {
 nixosModules.clawdinator = import ./nix/modules/clawdinator.nix;
@@ -45,6 +50,7 @@
 system = "x86_64-linux";
 modules = [
 ({ ... }: { nixpkgs.overlays = [ self.overlays.default ]; })
+ revisionModule
 agenix.nixosModules.default
 nix-openclaw.nixosModules.openclaw-gateway
 ./nix/hosts/clawdinator-1.nix
@@ -55,6 +61,7 @@
 system = "x86_64-linux";
 modules = [
 ({ ... }: { nixpkgs.overlays = [ self.overlays.default ]; })
+ revisionModule
 agenix.nixosModules.default
 nix-openclaw.nixosModules.openclaw-gateway
 ./nix/hosts/clawdinator-2.nix
@@ -65,6 +72,7 @@
 system = "x86_64-linux";
 modules = [
 ({ ... }: { nixpkgs.overlays = [ self.overlays.default ]; })
+ revisionModule
 agenix.nixosModules.default
 nix-openclaw.nixosModules.openclaw-gateway
 ./nix/hosts/clawdinator-babelfish.nix
@@ -75,6 +83,7 @@
 system = "x86_64-linux";
 modules = [
 ({ ... }: { nixpkgs.overlays = [ self.overlays.default ]; })
+ revisionModule
 agenix.nixosModules.default
 nix-openclaw.nixosModules.openclaw-gateway
 ./nix/hosts/clawdinator-1-image.nix
diff --git a/scripts/fleet-switch-nixos.sh b/scripts/fleet-switch-nixos.sh
index 926f292..46f6aee 100755
--- a/scripts/fleet-switch-nixos.sh
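Review bot: `revisionModule` carries no comment saying that the post-switch check in scripts/fleet-switch-nixos.sh depends on it, and it is wired by hand into each of the four `nixosConfigurations` module lists (the hunks at -45, -55, -65 and -75). A host added later without it would have no stamped revision, and that would only surface as a failed verification at deploy time; putting it in one shared module list, or importing it from `nixosModules.clawdinator`, would remove that footgun. I would also add above the binding `# Stamps the flake's git revision into the system; fleet-switch-nixos.sh compares it with the deployed SHA. A dirty tree yields dirtyRev (not a plain SHA), otherwise null.` The `let` block and the module lists continue outside these hunks.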
+++ b/scripts/fleet-switch-nixos.sh @@ -24,6 +24,6 @@ for host in "${hosts[@]}"; do # Run everything under bash -lc so PATH + profiles behave similarly to an interactive session. # We also force flakes enabled for safety. bash scripts/aws-ssm-run.sh "${instance_id}" \ - "bash -lc 'set -euo pipefail; export NIX_CONFIG=\"experimental-features = nix-command flakes\"; nixos-rebuild switch --accept-flake-config --flake github:openclaw/clawdinators/${rev}#${host}; systemctl is-active clawdinator'" + "bash -lc 'set -euo pipefail; export NIX_CONFIG=\"experimental-features = nix-command flakes\"; nixos-rebuild switch --accept-flake-config --flake github:openclaw/clawdinators/${rev}#${host}; systemctl is-active clawdinator; test \"$(cat /run/current-system/configurationRevision || true)\" = \"${rev}\"'" done
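Review bot: The added `$(cat /run/current-system/configurationRevision || true)` sits inside the script's outer double-quoted string with an unescaped `$`, so bash expands it on the machine running fleet-switch-nixos.sh before the command is handed to aws-ssm-run.sh; the remote `test` then compares a value read from the operator's host, not from the instance that was just switched. Escaping it defers the substitution to the remote `bash -lc`: `test \"\$(cat /run/current-system/configurationRevision || true)\" = \"${rev}\"`. Two things to confirm outside this hunk: that something actually writes a `configurationRevision` file into the system closure (as far as I know stock NixOS exposes the value through `nixos-version --configuration-revision` instead), and that `rev` is validated as a full 40-character commit SHA before the loop, since `self.rev` is the full hash and `rev` is interpolated into a command that runs on the host. The `for` loop begins above the hunk.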