feat: add template

template/.envrc

@@ -0,0 +1 @@
+use flake

template/.gitignore

@@ -0,0 +1,8 @@
+.direnv/
+.pre-commit-config.yaml
+
+bazel-*
+build/
+dist/
+
+node_modules/

template/.gitleaks.toml

@@ -0,0 +1,45 @@
+# .gitleaks.toml
+title = "gitleaks config"
+
+[extend]
+# extend the default ruleset rather than replacing it
+useDefault = true
+
+[allowlist]
+description = "Global allowlist"
+paths = [
+  # lock files often contain hashes that trip up gitleaks
+  '''flake\.lock''',
+  '''package-lock\.json''',
+  '''yarn\.lock''',
+  '''bun\.lockb''',
+]
+regexes = [
+  # nix store hashes
+  '''/nix/store/[a-z0-9]{32}-''',
+]
+
+[[rules]]
+id = "generic-api-key-extended"
+description = "Extended generic API key detection"
+regex = '''(?i)(api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token)\s*[:=]\s*['"]?[a-zA-Z0-9_\-]{16,}['"]?'''
+entropy = 3.5
+tags = ["api", "key", "token"]
+
+[[rules]]
+id = "private-key-file"
+description = "Private key files"
+regex = '''-----BEGIN (RSA|EC|DSA|OPENSSH|PGP) PRIVATE KEY'''
+tags = ["key", "private"]
+
+[[rules]]
+id = "environment-file"
+description = "Committed .env files"
+path = '''(^|/)\.env(\.[a-z]+)?$'''
+regex = '''.+'''
+tags = ["env"]
+[rules.allowlist]
+  paths = [
+    # allow .env.example and .env.template
+    '''\.env\.(example|template|sample)$''',
+  ]

template/.gitlint

@@ -0,0 +1,8 @@
+[general]
+ignore=B6
+
+[title-max-length]
+line-length=72
+
+[title-match-regex]
+regex=^(feat|fix|chore|docs|refactor|test|ci)(\(.+\))?: .+

template/flake.nix

@@ -0,0 +1,92 @@
+# flake.nix — product repo template
+{
+  description = "my-product";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    devshell-lib.url = "github:yourorg/devshell-lib";
+    devshell-lib.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      devshell-lib,
+      ...
+    }:
+    let
+      supportedSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
+      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
+    in
+    {
+      devShells = forAllSystems (
+        system:
+        let
+          pkgs = import nixpkgs { inherit system; };
+          env = devshell-lib.lib.mkDevShell {
+            inherit system;
+
+            extraPackages = with pkgs; [
+              # add your tools here, e.g.:
+              # go
+              # bun
+              # rustc
+            ];
+
+            features = {
+              # oxfmt = true;  # enables oxfmt + oxlint from nixpkgs
+            };
+
+            formatters = {
+              # shfmt.enable = true;
+              # gofmt.enable = true;
+            };
+
+            formatterSettings = {
+              # shfmt.options = [ "-i" "2" "-s" "-w" ];
+              # oxfmt.includes = [ "*.ts" "*.tsx" "*.js" "*.json" ];
+            };
+
+            additionalHooks = {
+              # my-hook = {
+              #   enable = true;
+              #   entry = "${pkgs.some-tool}/bin/some-tool";
+              #   pass_filenames = false;
+              # };
+            };
+
+            tools = [
+              # { name = "Bun";   bin = "${pkgs.bun}/bin/bun";    versionCmd = "--version"; color = "YELLOW"; }
+              # { name = "Go";    bin = "${pkgs.go}/bin/go";       versionCmd = "version";   color = "CYAN";   }
+              # { name = "Rust";  bin = "${pkgs.rustc}/bin/rustc"; versionCmd = "--version"; color = "YELLOW"; }
+            ];
+
+            extraShellHook = ''
+              # any repo-specific shell setup here
+            '';
+          };
+        in
+        {
+          default = env.shell;
+        }
+      );
+
+      checks = forAllSystems (
+        system:
+        let
+          env = devshell-lib.lib.mkDevShell { inherit system; };
+        in
+        {
+          inherit (env) pre-commit-check;
+        }
+      );
+
+      formatter = forAllSystems (system: (devshell-lib.lib.mkDevShell { inherit system; }).formatter);
+    };
+}