feat: set up git hooks

2026-02-07 11:37:18 +01:00
parent 7f0726f443
commit 6684e2e7fe
9 changed files with 209 additions and 81 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,5 @@ result
 result-*

 nixos-efi-vars.fd
+
+/.pre-commit-config.yaml
--- a/flake.lock
+++ b/flake.lock
@@ -83,6 +83,22 @@
        "type": "github"
      }
    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
@@ -138,6 +154,49 @@
        "type": "github"
      }
    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769939035,
+        "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "a8ca480175326551d6c4121498316261cbb5b260",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -579,6 +638,7 @@
        "colmena": "colmena",
        "disko": "disko",
        "firefox-addons": "firefox-addons",
+        "git-hooks": "git-hooks",
        "home-manager": "home-manager",
        "nix-on-droid": "nix-on-droid",
        "nix-secrets": "nix-secrets",
--- a/flake.nix
+++ b/flake.nix
@@ -43,6 +43,10 @@
      url = "github:zhaofengli/colmena";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    git-hooks = {
+      url = "github:cachix/git-hooks.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs =
@@ -52,6 +56,7 @@
      home-manager,
      nix-on-droid,
      nixgl,
+      git-hooks,
      ...
    }@inputs:
    let
@@ -61,6 +66,10 @@
      hostDirNames = utils.dirNames ./hosts;
      system = "x86_64-linux";
      dotsPath = ./dots;
+      gitHooks = import ./git-hooks.nix {
+        inherit nixpkgs git-hooks system;
+        src = ./.;
+      };
    in
    {
      nix.nixPath = [
@@ -128,6 +137,10 @@
          ;
      };

+      checks.${system} = gitHooks.checks;
+      formatter.${system} = gitHooks.formatter;
+      devShells.${system} = gitHooks.devShells;
+
      images.sd-image-aarch64 = self.nixosConfigurations.sd-image-aarch64.config.system.build.sdImage;
    };
 }
--- a/git-hooks.nix
+++ b/git-hooks.nix
@@ -0,0 +1,44 @@
+{
+  nixpkgs,
+  git-hooks,
+  system,
+  src,
+}:
+let
+  pkgs = nixpkgs.legacyPackages.${system};
+
+  pre-commit-check = git-hooks.lib.${system}.run {
+    inherit src;
+    hooks = {
+      nixfmt.enable = true;
+      statix.enable = true;
+      deadnix.enable = true;
+    };
+  };
+in
+{
+  checks = {
+    inherit pre-commit-check;
+  };
+
+  formatter =
+    let
+      inherit (pre-commit-check) config;
+      inherit (config) package configFile;
+      script = ''
+        ${pkgs.lib.getExe package} run --all-files --config ${configFile}
+      '';
+    in
+    pkgs.writeShellScriptBin "pre-commit-run" script;
+
+  devShells = {
+    default =
+      let
+        inherit (pre-commit-check) shellHook enabledPackages;
+      in
+      pkgs.mkShell {
+        inherit shellHook;
+        buildInputs = enabledPackages;
+      };
+  };
+}
--- a/home/modules/git/default.nix
+++ b/home/modules/git/default.nix
@@ -21,6 +21,6 @@
    };

    programs.gh.enable = config.github.enable;
-    home.packages = with pkgs; lib.optionals (config.gitlab.enable) [ glab ];
+    home.packages = lib.optionals config.gitlab.enable [ pkgs.glab ];
  };
 }
--- a/hosts/eetion/default.nix
+++ b/hosts/eetion/default.nix
@@ -13,26 +13,30 @@ in
    ../../modules/ssh/hardened-openssh.nix
  ];

-  ssh.username = username;
-  ssh.publicHostname = "eetion";
-  ssh.authorizedHosts = [
-    "andromache"
-    "astyanax"
-  ];
+  ssh = {
+    inherit username;
+    publicHostname = "eetion";
+    authorizedHosts = [
+      "andromache"
+      "astyanax"
+    ];
+  };

  boot.loader = {
    grub.enable = false;
    generic-extlinux-compatible.enable = true;
  };

-  networking.hostName = hostName;
-  networking.networkmanager.enable = true;
-  networking.firewall = {
-    enable = true;
-    allowedTCPPorts = [
-      80
-      443
-    ];
+  networking = {
+    inherit hostName;
+    networkmanager.enable = true;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        80
+        443
+      ];
+    };
  };

  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@@ -47,52 +51,54 @@ in

  security.sudo.wheelNeedsPassword = false;

-  services.openssh = {
-    enable = true;
-    harden = true;
+  services = {
+    openssh = {
+      enable = true;
+      harden = true;
+    };
+
+    paperless = {
+      enable = true;
+      passwordFile = "/etc/paperless-admin-pass";
+      settings = {
+        PAPERLESS_URL = "http://paperless.eetion";
+      };
+    };
+
+    # added (OPNSense) domain override to make this work on LAN
+    #
+    # host: eetion
+    # domain: <domain (e.g. lan)>
+    # ip address: <eetion-ip>
+    #
+    # host: paperless
+    # domain: eetion
+    # ip address: <eetion-ip>
+    nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      virtualHosts = {
+        "eetion" = {
+          default = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:5006";
+          };
+        };
+        "paperless.eetion" = {
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:28981";
+          };
+        };
+      };
+    };
  };

  environment.etc."paperless-admin-pass".text = "admin";

-  services.paperless = {
-    enable = true;
-    passwordFile = "/etc/paperless-admin-pass";
-    settings = {
-      PAPERLESS_URL = "http://paperless.eetion";
-    };
-  };
-
-  # added (OPNSense) domain override to make this work on LAN
-  #
-  # host: eetion
-  # domain: <domain (e.g. lan)>
-  # ip address: <eetion-ip>
-  #
-  # host: paperless
-  # domain: eetion
-  # ip address: <eetion-ip>
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
-    virtualHosts = {
-      "eetion" = {
-        default = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:5006";
-        };
-      };
-      "paperless.eetion" = {
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:28981";
-        };
-      };
-    };
-  };
-
  virtualisation = {
    podman.enable = true;
    oci-containers = {
--- a/hosts/eetion/hard.nix
+++ b/hosts/eetion/hard.nix
@@ -5,10 +5,12 @@
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

-  boot.initrd.availableKernelModules = [ ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
+  boot = {
+    initrd.availableKernelModules = [ ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };

  fileSystems."/" = {
    device = "/dev/disk/by-label/NIXOS_SD";
--- a/hosts/hecuba/default.nix
+++ b/hosts/hecuba/default.nix
@@ -1,8 +1,5 @@
 {
-  lib,
  inputs,
-  outputs,
-  config,
  pkgs,
  ...
 }:
@@ -23,12 +20,14 @@ in
  ];

  networking.hostName = hostName;
-  ssh.username = username;
-  ssh.publicHostname = "server.hektormisplon.xyz";
-  ssh.authorizedHosts = [
-    "andromache"
-    "astyanax"
-  ];
+  ssh = {
+    inherit username;
+    publicHostname = "server.hektormisplon.xyz";
+    authorizedHosts = [
+      "andromache"
+      "astyanax"
+    ];
+  };

  docker.user = username;

--- a/modules/backups/default.nix
+++ b/modules/backups/default.nix
@@ -28,23 +28,25 @@ in
  };

  config = {
-    sops.secrets.b2_bucket_name = { };
+    sops = {
+      secrets.b2_bucket_name = { };

-    sops.templates."restic/repo-${config.networking.hostName}" = {
-      content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
-    };
+      templates."restic/repo-${config.networking.hostName}" = {
+        content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
+      };

-    sops.templates."restic/b2-env-${config.networking.hostName}" = {
-      content = ''
-        B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
-        B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
-      '';
+      templates."restic/b2-env-${config.networking.hostName}" = {
+        content = ''
+          B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
+          B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
+        '';
+      };
    };

    services.restic.backups.home = {
      repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
-      passwordFile = cfg.passwordFile;
-      paths = cfg.paths;
+      inherit (cfg) passwordFile;
+      inherit (cfg) paths;
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;