diff --git a/.gitignore b/.gitignore index df76c9f..6d2562a 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,5 @@ result result-* nixos-efi-vars.fd + +/.pre-commit-config.yaml diff --git a/flake.lock b/flake.lock index 45c2f05..202c827 100644 --- a/flake.lock +++ b/flake.lock @@ -83,6 +83,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "NixOS", + "repo": "flake-compat", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -138,6 +154,49 @@ "type": "github" } }, + "git-hooks": { + "inputs": { + "flake-compat": "flake-compat_2", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1769939035, + "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "a8ca480175326551d6c4121498316261cbb5b260", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -579,6 +638,7 @@ "colmena": "colmena", "disko": "disko", "firefox-addons": "firefox-addons", + "git-hooks": "git-hooks", "home-manager": "home-manager", "nix-on-droid": "nix-on-droid", "nix-secrets": "nix-secrets", diff --git a/flake.nix b/flake.nix index 2ee8b53..17f03b5 100644 --- a/flake.nix 
+++ b/flake.nix
@@ -43,6 +43,10 @@
 url = "github:zhaofengli/colmena";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ git-hooks = {
+ url = "github:cachix/git-hooks.nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 
 outputs =
@@ -52,6 +56,7 @@
 home-manager,
 nix-on-droid,
 nixgl,
+ git-hooks,
 ...
 }@inputs:
 let
@@ -61,6 +66,10 @@
 hostDirNames = utils.dirNames ./hosts;
 system = "x86_64-linux";
 dotsPath = ./dots;
+ gitHooks = import ./git-hooks.nix {
+ inherit nixpkgs git-hooks system;
+ src = ./.;
+ };
 in
 {
 nix.nixPath = [
@@ -128,6 +137,10 @@
 ;
 };
 
+ checks.${system} = gitHooks.checks;
+ formatter.${system} = gitHooks.formatter;
+ devShells.${system} = gitHooks.devShells;
+
 images.sd-image-aarch64 = self.nixosConfigurations.sd-image-aarch64.config.system.build.sdImage;
 };
 }
diff --git a/git-hooks.nix b/git-hooks.nix
new file mode 100644
index 0000000..9c41948
--- /dev/null
+++ b/git-hooks.nix
@@ -0,0 +1,44 @@
+{
+ nixpkgs,
+ git-hooks,
+ system,
+ src,
+}:
+let
+ pkgs = nixpkgs.legacyPackages.${system};
+
+ pre-commit-check = git-hooks.lib.${system}.run {
+ inherit src;
+ hooks = {
+ nixfmt.enable = true;
+ statix.enable = true;
+ deadnix.enable = true;
+ };
+ };
+in
+{
+ checks = {
+ inherit pre-commit-check;
+ };
+
+ formatter =
+ let
+ inherit (pre-commit-check) config;
+ inherit (config) package configFile;
+ script = ''
+ ${pkgs.lib.getExe package} run --all-files --config ${configFile}
+ '';
+ in
+ pkgs.writeShellScriptBin "pre-commit-run" script;
+
+ devShells = {
+ default =
+ let
+ inherit (pre-commit-check) shellHook enabledPackages;
+ in
+ pkgs.mkShell {
+ inherit shellHook;
+ buildInputs = enabledPackages;
+ };
+ };
+}
diff --git a/home/modules/git/default.nix b/home/modules/git/default.nix
index 3b097fd..cc690a9 100644
--- a/home/modules/git/default.nix
+++ b/home/modules/git/default.nix
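Review bot: The `hooks` set in the new `git-hooks.nix` is lint and formatting only (`nixfmt`, `statix`, `deadnix`), so the pre-commit check gives no protection against committing a private key or an unencrypted secret, which is the more valuable hook in a repo that carries sops-encrypted credentials and a `nix-secrets` input. git-hooks.nix provides a `detect-private-keys` hook; adding `detect-private-keys.enable = true;` alongside the three existing entries costs nothing and catches the common accident at commit time. Separately, `formatter` wraps `pre-commit run --all-files`, so `nix fmt` runs statix and deadnix too and exits non-zero on their findings, not only on formatting; a comment above `script`, e.g. `# runs every enabled hook, so lint findings also make nix fmt fail`, would make that behaviour explicit.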
@@ -21,6 +21,6 @@ }; programs.gh.enable = config.github.enable; - home.packages = with pkgs; lib.optionals (config.gitlab.enable) [ glab ]; + home.packages = lib.optionals config.gitlab.enable [ pkgs.glab ]; }; } diff --git a/hosts/eetion/default.nix b/hosts/eetion/default.nix index 711d218..7ed9e00 100644 --- a/hosts/eetion/default.nix +++ b/hosts/eetion/default.nix @@ -13,26 +13,30 @@ in ../../modules/ssh/hardened-openssh.nix ]; - ssh.username = username; - ssh.publicHostname = "eetion"; - ssh.authorizedHosts = [ - "andromache" - "astyanax" - ]; + ssh = { + inherit username; + publicHostname = "eetion"; + authorizedHosts = [ + "andromache" + "astyanax" + ]; + }; boot.loader = { grub.enable = false; generic-extlinux-compatible.enable = true; }; - networking.hostName = hostName; - networking.networkmanager.enable = true; - networking.firewall = { - enable = true; - allowedTCPPorts = [ - 80 - 443 - ]; + networking = { + inherit hostName; + networkmanager.enable = true; + firewall = { + enable = true; + allowedTCPPorts = [ + 80 + 443 + ]; + }; }; boot.kernel.sysctl."net.ipv4.ip_forward" = 1; 
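Review bot: The rewritten `firewall.allowedTCPPorts = [ 80 443 ];` keeps 443 open although the nginx vhosts defined later in this file (next hunk) are plain HTTP with no `forceSSL`/`addSSL`, so there is no TLS listener behind that port and the exposure serves no purpose until one exists. Either drop `443` from the list for now, or document the intent above it with `# 443: reserved for nginx TLS, no listener yet`, so nobody assumes the Paperless UI is already reachable over HTTPS. The module's attribute set begins before this hunk.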
@@ -47,52 +51,54 @@ in security.sudo.wheelNeedsPassword = false; - services.openssh = { - enable = true; - harden = true; + services = { + openssh = { + enable = true; + harden = true; + }; + + paperless = { + enable = true; + passwordFile = "/etc/paperless-admin-pass"; + settings = { + PAPERLESS_URL = "http://paperless.eetion"; + }; + }; + + # added (OPNSense) domain override to make this work on LAN + # + # host: eetion + # domain: + # ip address: + # + # host: paperless + # domain: eetion + # ip address: + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + virtualHosts = { + "eetion" = { + default = true; + locations."/" = { + proxyPass = "http://127.0.0.1:5006"; + }; + }; + "paperless.eetion" = { + locations."/" = { + proxyPass = "http://127.0.0.1:28981"; + }; + }; + }; + }; }; environment.etc."paperless-admin-pass".text = "admin"; - services.paperless = { - enable = true; - passwordFile = "/etc/paperless-admin-pass"; - settings = { - PAPERLESS_URL = "http://paperless.eetion"; - }; - }; - - # added (OPNSense) domain override to make this work on LAN - # - # host: eetion - # domain: - # ip address: - # - # host: paperless - # domain: eetion - # ip address: - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - virtualHosts = { - "eetion" = { - default = true; - locations."/" = { - proxyPass = "http://127.0.0.1:5006"; - }; - }; - "paperless.eetion" = { - locations."/" = { - proxyPass = "http://127.0.0.1:28981"; - }; - }; - }; - }; - virtualisation = { podman.enable = true; oci-containers = { diff --git a/hosts/eetion/hard.nix b/hosts/eetion/hard.nix index b1d7022..73126c9 100644 --- a/hosts/eetion/hard.nix +++ b/hosts/eetion/hard.nix 
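Review bot: The moved `paperless.passwordFile = "/etc/paperless-admin-pass";` still reads the file created by the context line `environment.etc."paperless-admin-pass".text = "admin";`, so the Paperless admin password is the literal `admin`, stored in the world-readable Nix store and exposed through /etc, and this refactor carries that forward unchanged. This same commit already wires sops secrets in modules/backups/default.nix, so the password belongs there too: declare `sops.secrets.paperless-admin-pass = { owner = "paperless"; };` (the owner must match `services.paperless.user` so the unit can read it), set `passwordFile = config.sops.secrets.paperless-admin-pass.path;` (adding `config` to the module arguments if it is not already there), and delete the `environment.etc` line. Note also that both vhosts proxy plain HTTP and `PAPERLESS_URL` is `http://`, so `recommendedTlsSettings` has no effect and the admin login travels the LAN in cleartext; if that is intentional for a LAN-only host, a comment saying so above `nginx = {` would save the next reader the question. The `virtualisation` block opened at the end of this hunk continues past it.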
@@ -5,10 +5,12 @@ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot = { + initrd.availableKernelModules = [ ]; + initrd.kernelModules = [ ]; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; fileSystems."/" = { device = "/dev/disk/by-label/NIXOS_SD"; diff --git a/hosts/hecuba/default.nix b/hosts/hecuba/default.nix index 6da2a74..ee55337 100644 --- a/hosts/hecuba/default.nix +++ b/hosts/hecuba/default.nix @@ -1,8 +1,5 @@ { - lib, inputs, - outputs, - config, pkgs, ... }: @@ -23,12 +20,14 @@ in ]; networking.hostName = hostName; - ssh.username = username; - ssh.publicHostname = "server.hektormisplon.xyz"; - ssh.authorizedHosts = [ - "andromache" - "astyanax" - ]; + ssh = { + inherit username; + publicHostname = "server.hektormisplon.xyz"; + authorizedHosts = [ + "andromache" + "astyanax" + ]; + }; docker.user = username; diff --git a/modules/backups/default.nix b/modules/backups/default.nix index dbcb339..2ef35f4 100644 --- a/modules/backups/default.nix +++ b/modules/backups/default.nix 
@@ -28,23 +28,25 @@ in
 };
 
 config = {
- sops.secrets.b2_bucket_name = { };
+ sops = {
+ secrets.b2_bucket_name = { };
 
- sops.templates."restic/repo-${config.networking.hostName}" = {
- content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
- };
+ templates."restic/repo-${config.networking.hostName}" = {
+ content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
+ };
 
- sops.templates."restic/b2-env-${config.networking.hostName}" = {
- content = ''
- B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
- B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
- '';
+ templates."restic/b2-env-${config.networking.hostName}" = {
+ content = ''
+ B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
+ B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
+ '';
+ };
 };
 
 services.restic.backups.home = {
 repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
- passwordFile = cfg.passwordFile;
- paths = cfg.paths;
+ inherit (cfg) passwordFile;
+ inherit (cfg) paths;
 timerConfig = {
 OnCalendar = "daily";
 Persistent = true;
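Review bot: `inherit (cfg) passwordFile;` followed by `inherit (cfg) paths;` is two statements for one source; the idiomatic form is a single `inherit (cfg) passwordFile paths;`. The two templates also interpolate `config.sops.placeholder."b2_account_id"` and `"b2_account_key"` while this hunk only declares `secrets.b2_bucket_name`; those two secrets are presumably declared elsewhere in the module, and a short comment such as `# b2_account_id / b2_account_key are declared alongside the other sops secrets` would let a reader confirm that without searching. `services.restic.backups.home` continues past the end of the hunk.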