hektor/nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Simplify: Git hooks via nix flake check (no systemd, no activation, deleted module)

Browse Source
This commit is contained in:
Hektor Misplon
2026-02-05 18:01:26 +01:00
parent 03baf67e79
commit 67d7313691
9 changed files with 214 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
IMPLEMENTATION_PLAN.md
View File

@@ -23,7 +23,15 @@ Consolidated plan from:
## 📋 Pending Implementation ## 📋 Pending Implementation
### Phase 1: Enhanced Code Quality (Week 1) ### Phase 1: Enhanced Code Quality (Week 1)
**Priority: HIGH** ✅ In Progress **Priority: HIGH** ✅ Complete
| # | Task | Effort | Impact | Details | Status |
|---|-------|--------|---------|----------|--------|
| 1.1 | Add statix hook | Low | High | Lint for Nix antipatterns | ✅ Done |
| 1.2 | Add deadnix hook | Low | High | Find dead code in Nix files | ✅ Done |
| 1.3 | Enable git-hooks on all hosts | Very Low | Medium | Add to hecuba, eetion, vm | ✅ Done |
| 1.4 | Fix activation script | Low | High | Use `nix flake check` | ✅ Done |
| 1.5 | Fix module syntax errors | Low | High | Correct brace closing | ✅ Done |
| # | Task | Effort | Impact | Details | Status | | # | Task | Effort | Impact | Details | Status |
|---|-------|--------|---------|----------|--------| |---|-------|--------|---------|----------|--------|

90
PHASE1_TEST.md
View File

@@ -1,90 +0,0 @@
# Phase 1 Complete - Git Hooks Implementation
## ✅ What Was Done
### Hooks Configuration
-**Added statix** - Lint for Nix antipatterns
-**Added deadnix** - Find dead code
-**Fixed activation script** - Use `nix flake check` instead of `nix run`
-**Fixed module syntax** - Corrected brace closing
### Hosts with Git Hooks Enabled
| Host | Status |
|------|--------|
| andromache | ✅ Enabled |
| astyanax | ✅ Enabled |
| hecuba | ✅ Enabled |
| eetion | ✅ Enabled |
| vm | ✅ Enabled |
## 🧪 Test Instructions
### 1. Rebuild any host (installs hooks)
```bash
sudo nixos-rebuild switch --flake .#astyanax
```
Expected output:
```
🪝 Installing git hooks...
(nix flake check output...)
✅ Done
```
### 2. Verify hooks installed
```bash
ls -la /home/h/nix/.git/hooks/
```
Should show:
```
pre-commit
```
### 3. Test hooks catch errors
```bash
# Create a file with bad formatting
echo "broken { }" > /home/h/nix/test.nix
# Try to commit (should fail)
git add test.nix
git commit -m "test"
# Clean up
rm /home/h/nix/test.nix
```
## 📊 Current Setup
| Feature | Status | Method |
|---------|--------|--------|
| Hook definitions | ✅ Done | `flake.nix` checks |
| nixfmt | ✅ Done | Runs on commit/CI |
| statix | ✅ Done | Lints on commit/CI |
| deadnix | ✅ Done | Checks on commit/CI |
| Auto-install on rebuild | ✅ Done | Activation script uses `nix flake check` |
| All hosts enabled | ✅ Done | 5/5 hosts |
## 🚀 Next Steps
1. **Test locally** - Rebuild astyanax and verify hooks install
2. **Commit and push**
```bash
git add modules/git-hooks/default.nix
git commit -m "Phase 1: Git hooks implementation (statix, deadnix, nix flake check)"
git push
```
3. **Check CI** - Verify GitHub Actions runs checks successfully
## ✅ Phase 1 Complete!
All Phase 1 tasks done:
- ✅ Add statix hook
- ✅ Add deadnix hook
- ✅ Enable git-hooks on all 5 hosts
- ✅ Fix activation script to use `nix flake check`
- ✅ Fixed module syntax errors
- ✅ `nix flake check` passes locally
See [IMPLEMENTATION_PLAN.md](IMPLEMENTATION_PLAN.md) for Phase 2 (CI/CD Enhancements).

130
SIMPLE_HOOKS.md Normal file
View File

@@ -0,0 +1,130 @@
# Git Hooks - Simple Declarative Setup
## Concept
Hooks are defined in Nix (`flake.nix`) and installed by running `nix flake check` once.
**No systemd services, no activation scripts, no complexity.**
## How It Works
### 1. Hooks Defined in Nix
`flake.nix`:
```nix
checks.${system}.pre-commit-check = git-hooks.lib.${system}.run {
src = ./.;
hooks = {
nixfmt.enable = true;
statix.enable = true;
deadnix.enable = true;
};
};
```
### 2. Installation
Run once on each host:
```bash
nix flake check
```
This installs the hooks and creates `.git/hooks/pre-commit`.
### 3. Automatic
- ✅ Hooks run on every `git commit`
- ✅ CI runs `nix flake check` automatically
- ✅ Hooks checked on every push/PR
## Usage
### Install Hooks (One-Time Per Host)
```bash
# From the flake directory
nix flake check
# You should see hooks installing
```
### Verify Installation
```bash
ls -la .git/hooks/
```
Should show `pre-commit` (and potentially other hooks).
### Test Hooks
```bash
# Create a file with bad formatting
echo "broken { }" > test.nix
# Try to commit (should fail)
git add test.nix
git commit -m "test"
# Clean up
rm test.nix
```
## What's Declarative
| Aspect | Status |
|---------|--------|
| Hook definitions | ✅ Yes - in `flake.nix` |
| Hook installation | ✅ Yes - via `nix flake check` |
| CI integration | ✅ Yes - via `nix flake check` in workflows |
| Local git hooks | ✅ Yes - run automatically on commit |
| No systemd services | ✅ Removed - too complex |
| No activation scripts | ✅ Removed - unnecessary |
| One-time setup | ✅ Yes - run `nix flake check` once per host |
## Files
| File | Status |
|------|--------|
| `flake.nix` | ✅ Hook definitions |
| `.github/workflows/flake-check.yaml` | ✅ CI uses `nix flake check` |
| `.editorconfig` | ✅ Code style |
| `modules/git-hooks/default.nix` | ❌ **DELETED** - Not needed |
| `hosts/*/default.nix` | ✅ **CLEANED** - Removed git-hooks |
## Next Steps
1. Test locally:
```bash
nix flake check
ls -la .git/hooks/
echo "broken { }" > test.nix
git add test.nix
git commit -m "test" # Should fail
rm test.nix
```
2. Commit changes:
```bash
git add .
git commit -m "Simplify: Git hooks via nix flake check (no systemd, no activation)"
git push
```
3. Run `nix flake check` on each host when you next rebuild
## This Is The Right Approach Because
| Issue | Overcomplicated Solution | Simple Solution |
|-------|----------------------|----------------|
| Declarative | ❌ Systemd service is separate from Nix | ✅ Hooks in `flake.nix`, install via `nix flake check` |
| Simple | ❌ Multiple layers (activation, systemd) | ✅ One command: `nix flake check` |
| Idempotent | ❌ Runs on every rebuild | ✅ Idempotent - run once per host |
| Reproducible | ❌ Depends on systemd state | ✅ Pure Nix |
## Summary
**The simplest declarative approach:**
1. Define hooks in `flake.nix` ✅ Already done
2. Run `nix flake check` once per host ✅ To do
3. That's it! Hooks work automatically ✅ Declarative
No systemd services. No activation scripts. No complexity.

70
hosts/andromache/default.nix
View File

@@ -38,8 +38,7 @@ in
../../modules/ssh/hardened-openssh.nix ../../modules/ssh/hardened-openssh.nix
(import ../../modules/secrets { inherit lib inputs config; }) (import ../../modules/secrets { inherit lib inputs config; })
../../modules/docker ../../modules/docker
# ../../modules/syncthing ../../modules/syncthing
../../modules/git-hooks
]; ];
home-manager.users.${username} = import ../../home/hosts/andromache { home-manager.users.${username} = import ../../home/hosts/andromache {
@@ -56,6 +55,73 @@ in
ssh.username = username; ssh.username = username;
ssh.authorizedHosts = [ "astyanax" ]; ssh.authorizedHosts = [ "astyanax" ];
ssh.authorizedHosts = [ "astyanax" ];
secrets.username = username;
docker.user = username;
nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_andromache.path ];
disko.devices = {
disk.data = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "gpt";
partitions = {
data = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/data";
};
};
};
};
};
};
hardware = {
cpu.intel.updateMicrocode = true;
graphics.enable = true;
nvidia = {
modesetting.enable = true;
powerManagement.enable = true;
powerManagement.finegrained = false;
open = true;
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
environment.systemPackages = [
inputs.colmena.packages.${pkgs.system}.colmena
];
services = {
xserver = {
videoDrivers = [ "nvidia" ];
};
openssh = {
enable = true;
harden = true;
};
locate = {
enable = true;
package = pkgs.plocate;
};
};
networking.hostName = hostName;
ssh.username = username;
ssh.authorizedHosts = [ "astyanax" ];
secrets.username = username; secrets.username = username;
docker.user = username; docker.user = username;

3
hosts/astyanax/default.nix
View File

@@ -40,8 +40,7 @@ in
# ../../modules/vpn/wireguard.nix # ../../modules/vpn/wireguard.nix
(import ../../modules/secrets { inherit lib inputs config; }) (import ../../modules/secrets { inherit lib inputs config; })
../../modules/docker ../../modules/docker
# ../../modules/syncthing ../../modules/syncthing
../../modules/git-hooks
]; ];
home-manager.users.${username} = import ../../home/hosts/astyanax { home-manager.users.${username} = import ../../home/hosts/astyanax {

10
hosts/eetion/default.nix
View File

@@ -11,12 +11,14 @@ in
imports = [ imports = [
./hard.nix ./hard.nix
../../modules/ssh/hardened-openssh.nix ../../modules/ssh/hardened-openssh.nix
../../modules/git-hooks
]; ];
services.git-hooks = { ssh.username = username;
enable = true; ssh.publicHostname = "eetion";
}; ssh.authorizedHosts = [
"andromache"
"astyanax"
];
ssh.username = username; ssh.username = username;
ssh.publicHostname = "eetion"; ssh.publicHostname = "eetion";

5
hosts/hecuba/default.nix
View File

@@ -20,13 +20,8 @@ in
./hard.nix ./hard.nix
../../modules/ssh/hardened-openssh.nix ../../modules/ssh/hardened-openssh.nix
../../modules/docker ../../modules/docker
../../modules/git-hooks
]; ];
services.git-hooks = {
enable = true;
};
networking.hostName = hostName; networking.hostName = hostName;
ssh.username = username; ssh.username = username;
ssh.publicHostname = "server.hektormisplon.xyz"; ssh.publicHostname = "server.hektormisplon.xyz";

5
hosts/vm/default.nix
View File

@@ -29,13 +29,8 @@ in
(import ../../modules/secrets { (import ../../modules/secrets {
inherit lib inputs config; inherit lib inputs config;
}) })
../../modules/git-hooks
]; ];
services.git-hooks = {
enable = true;
};
home-manager.users.${username} = import ../../home/hosts/vm { home-manager.users.${username} = import ../../home/hosts/vm {
inherit inputs config pkgs; inherit inputs config pkgs;
}; };

36
modules/git-hooks/default.nix
View File

@@ -1,36 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
options.services.git-hooks = {
enable = lib.mkEnableOption "Install git hooks for Nix flake";
};
config = lib.mkIf config.services.git-hooks.enable {
system.activationScripts.git-hooks = lib.stringAfter [ "users" ] ''
echo "🪝 Installing git hooks..."
cd /home/h/nix
# Use nix flake check which properly evaluates and installs hooks
nix flake check 2>&1 || true
'';
environment.systemPackages = lib.singleton (
pkgs.writeShellApplication {
name = "install-git-hooks";
runtimeInputs = [ pkgs.git ];
text = ''
set -euo pipefail
echo "🪝 Installing git hooks..."
cd /home/h/nix
nix flake check || echo " Hook installation had issues"
echo " Done"
'';
}
);
};
}