From 954caa500bf9d282f737076298491bbb89a98c90 Mon Sep 17 00:00:00 2001
From: Eric
Date: Wed, 4 Mar 2026 08:26:46 +0100
Subject: [PATCH] feat: update nix flake

---
 .envrc | 1 +
 .gitignore | 6 ++
 .gitleaks.toml | 45 +++++++++++
 flake.lock | 63 ++++++++++-----
 flake.nix | 211 +++++++++++++++++++++----------------------
 5 files changed, 187 insertions(+), 139 deletions(-)
 create mode 100644 .envrc
 create mode 100644 .gitleaks.toml

diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3550a30
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.gitignore b/.gitignore
index 263f5fd..00b4e1f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,12 @@
 # based on the name of the directory bazel is cloned into.
 /bazel-*
 
+.direnv/
+.pre-commit-config.yaml
+build/
+dist/
+node_modules/
+
 # Directories for the Bazel IntelliJ plugin containing the generated
 # IntelliJ project files and plugin configuration. Seperate directories are
 # for the IntelliJ, Android Studio and CLion versions of the plugin.
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..1afec6d
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,45 @@
+# .gitleaks.toml
+title = "gitleaks config"
+
+[extend]
+# extend the default ruleset rather than replacing it
+useDefault = true
+
+[allowlist]
+description = "Global allowlist"
+paths = [
+ # lock files often contain hashes that trip up gitleaks
+ '''flake\.lock''',
+ '''package-lock\.json''',
+ '''yarn\.lock''',
+ '''bun\.lockb''',
+]
+regexes = [
+ # nix store hashes
+ '''/nix/store/[a-z0-9]{32}-''',
+]
+
+[[rules]]
+id = "generic-api-key-extended"
+description = "Extended generic API key detection"
+regex = '''(?i)(api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token)\s*[:=]\s*['"]?[a-zA-Z0-9_\-]{16,}['"]?'''
+entropy = 3.5
+tags = ["api", "key", "token"]
+
+[[rules]]
+id = "private-key-file"
+description = "Private key files"
+regex = '''-----BEGIN (RSA|EC|DSA|OPENSSH|PGP) PRIVATE KEY'''
+tags = ["key", "private"]
+
+[[rules]]
+id = "environment-file"
+description = "Committed .env files"
+path = '''(^|/)\.env(\.[a-z]+)?$'''
+regex = '''.+'''
+tags = ["env"]
+[rules.allowlist]
+ paths = [
+ # allow .env.example and .env.template
+ '''\.env\.(example|template|sample)$''',
+ ]
diff --git a/flake.lock b/flake.lock
index 73bcd98..7f4f24d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,28 @@
 {
 "nodes": {
+ "devshell-lib": {
+ "inputs": {
+ "git-hooks": "git-hooks",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "treefmt-nix": "treefmt-nix"
+ },
+ "locked": {
+ "lastModified": 1772609129,
+ "narHash": "sha256-ha7H2OhxoLhkDVgKtgkJc8yO3f0rKlPZZTJYyc+rfLI=",
+ "ref": "v1.0.3",
+ "rev": "cdc9e180353b1a1105bbcdad18dc3938ea3e88a3",
+ "revCount": 31,
+ "type": "git",
+ "url": "https://git.dgren.dev/eric/nix-flake-lib"
+ },
+ "original": {
+ "ref": "v1.0.3",
+ "type": "git",
+ "url": "https://git.dgren.dev/eric/nix-flake-lib"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -39,6 +62,7 @@
 "gitignore": {
 "inputs": {
 "nixpkgs": [
+ "devshell-lib",
 "git-hooks",
 "nixpkgs"
 ]
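Review bot: The `private-key-file` rule's regex `-----BEGIN (RSA|EC|DSA|OPENSSH|PGP) PRIVATE KEY` does not match unlabelled PKCS#8 material (`-----BEGIN PRIVATE KEY-----`) or `-----BEGIN ENCRYPTED PRIVATE KEY-----`, so those would be caught only by the default ruleset pulled in through `useDefault = true`; making the label optional, `regex = '''-----BEGIN (RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY'''`, keeps the local rule at least as broad as its name suggests. The global `[allowlist]` path patterns are unanchored, so `'''flake\.lock'''` also exempts any path that merely contains that substring; anchoring them as `'''(^|/)flake\.lock$'''` (and likewise for the other three) narrows the exemption to the lock files themselves. The `environment-file` rule's path pattern `(^|/)\.env(\.[a-z]+)?$` correctly does not match the `.envrc` added in this commit, which is worth stating in its comment so nobody "fixes" it later.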
@@ -74,22 +98,6 @@
 }
 },
 "nixpkgs_2": {
- "locked": {
- "lastModified": 1772542754,
- "narHash": "sha256-WGV2hy+VIeQsYXpsLjdr4GvHv5eECMISX1zKLTedhdg=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "8c809a146a140c5c8806f13399592dbcb1bb5dc4",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_3": {
 "locked": {
 "lastModified": 1770107345,
 "narHash": "sha256-tbS0Ebx2PiA1FRW8mt8oejR0qMXmziJmPaU1d4kYY9g=",
@@ -105,16 +113,31 @@
 "type": "github"
 }
 },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1772542754,
+ "narHash": "sha256-WGV2hy+VIeQsYXpsLjdr4GvHv5eECMISX1zKLTedhdg=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "8c809a146a140c5c8806f13399592dbcb1bb5dc4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
- "git-hooks": "git-hooks",
- "nixpkgs": "nixpkgs_2",
- "treefmt-nix": "treefmt-nix"
+ "devshell-lib": "devshell-lib",
+ "nixpkgs": "nixpkgs_3"
 }
 },
 "treefmt-nix": {
 "inputs": {
- "nixpkgs": "nixpkgs_3"
+ "nixpkgs": "nixpkgs_2"
 },
 "locked": {
 "lastModified": 1770228511,
diff --git a/flake.nix b/flake.nix
index 4663590..7c560ab 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,17 +3,16 @@
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
- git-hooks.url = "github:cachix/git-hooks.nix";
- treefmt-nix.url = "github:numtide/treefmt-nix";
+ devshell-lib.url = "git+https://git.dgren.dev/eric/nix-flake-lib?ref=v1.0.3";
+ devshell-lib.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs =
 {
- self,
 nixpkgs,
- treefmt-nix,
+ devshell-lib,
 ...
- }@inputs:
+ }:
 let
 supportedSystems = [
 "x86_64-linux"
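Review bot: `devshell-lib.url` pins the new input only by the mutable tag `ref=v1.0.3`, so a re-lock (`nix flake update`, or a fresh clone without the lock) trusts whatever that tag points to on `git.dgren.dev` at that moment; the lock file in this commit already resolves it to a commit, so spelling it out as `devshell-lib.url = "git+https://git.dgren.dev/eric/nix-flake-lib?ref=v1.0.3&rev=cdc9e180353b1a1105bbcdad18dc3938ea3e88a3";` makes the pin explicit and turns a moved tag into a hard failure. Because this input now supplies the pre-commit hooks, formatter and release tooling that every developer shell executes, it is part of the repository's trusted tooling; a comment above the input, e.g. `# devshell-lib provides hooks, formatter and release tooling for every dev shell; bump the rev deliberately`, would make that visible to whoever reviews the next bump. The `outputs` function whose parameters start here continues into the next hunk.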
@@ -22,147 +21,121 @@
 "aarch64-darwin"
 ];
 forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
- treefmtEvalFor =
- system:
- let
- pkgs = nixpkgs.legacyPackages.${system};
- in
- treefmt-nix.lib.evalModule pkgs {
- projectRootFile = "flake.nix";
-
- programs = {
- nixfmt.enable = true;
- shfmt.enable = true;
- oxfmt.enable = true;
- };
-
- settings = {
- formatter = {
- shfmt = {
- options = [
- "-i"
- "2"
- "-s"
- "-w"
- ];
- };
- oxfmt = {
- includes = [
- "*.md"
- "*.yaml"
- "*.yml"
- "*.json"
- "*.html"
- "*.css"
- "*.js"
- "*.ts"
- "*.tsx"
- "*.svelte"
- ];
- };
- };
- };
- };
 in
 {
- formatter = forAllSystems (system: (treefmtEvalFor system).config.build.wrapper);
-
- checks = forAllSystems (
- system:
- let
- pkgs = import nixpkgs { inherit system; };
- in
- {
- pre-commit-check = inputs.git-hooks.lib.${system}.run {
- src = ./.;
- hooks = {
- treefmt = {
- enable = true;
- entry = "${(treefmtEvalFor system).config.build.wrapper}/bin/treefmt";
- pass_filenames = true;
- };
- gitlint.enable = true;
-
- gitleaks = {
- enable = true;
- entry = "${pkgs.gitleaks}/bin/gitleaks protect --staged";
- pass_filenames = false;
- };
-
- tests = {
- enable = true;
- entry = "echo 'No tests defined yet.'";
- pass_filenames = false;
- stages = [
- "pre-push"
- ];
- };
- };
- };
- }
- );
-
 devShells = forAllSystems (
 system:
 let
 pkgs = import nixpkgs { inherit system; };
- inherit (self.checks.${system}.pre-commit-check) shellHook enabledPackages;
- customShellHook = shellHook + "";
 bazel9 = pkgs.writeShellScriptBin "bazel" ''
 export USE_BAZEL_VERSION="''${USE_BAZEL_VERSION:-9.0.0}"
 exec ${pkgs.bazelisk}/bin/bazelisk "$@"
 '';
+ env = devshell-lib.lib.mkDevShell {
+ inherit system;
- in
- {
- default = pkgs.mkShell {
- packages = with pkgs; [
+ extraPackages = with pkgs; [
 go
 gopls
 gotools
- bun
- gitlint
 bazel9
 bazel-buildtools
 ];
- shellHook = ''
- ${customShellHook}
- export USE_BAZEL_VERSION="''${USE_BAZEL_VERSION:-9.0.0}"
- export 
BUN_INSTALL="''${BUN_INSTALL:-$HOME/.bun}"
- export PATH="$BUN_INSTALL/bin:$PATH"
+ features = {
+ oxfmt = true;
+ };
- if ! command -v oxfmt >/dev/null 2>&1; then
- bun add --global oxfmt
- fi
+ formatters = {
+ shfmt.enable = true;
+ };
- if ! command -v oxlint >/dev/null 2>&1; then
- bun add --global oxlint
- fi
+ formatterSettings = {
+ shfmt.options = [
+ "-i"
+ "2"
+ "-s"
+ "-w"
+ ];
+ };
- if [ -t 1 ]; then
- if command -v tput >/dev/null 2>&1; then
- tput clear
- else
- printf '\033c'
- fi
- fi
+ additionalHooks = {
+ tests = {
+ enable = true;
+ entry = "echo 'No tests defined yet.'";
+ pass_filenames = false;
+ stages = [ "pre-push" ];
+ };
+ };
- GREEN='\033[1;32m'
- CYAN='\033[1;36m'
- YELLOW='\033[1;33m'
- BLUE='\033[1;34m'
- RESET='\033[0m'
+ tools = [
+ {
+ name = "Bun";
+ bin = "${pkgs.bun}/bin/bun";
+ versionCmd = "--version";
+ color = "YELLOW";
+ }
+ {
+ name = "Go";
+ bin = "${pkgs.go}/bin/go";
+ versionCmd = "version";
+ color = "CYAN";
+ }
+ {
+ name = "Bazel";
+ bin = "${bazel9}/bin/bazel";
+ versionCmd = "--version";
+ color = "BLUE";
+ }
+ ];
- printf "\n$GREEN 🚀 Monorepo dev shell ready$RESET\n\n"
- printf " $CYAN Bun:$RESET $YELLOW%s$RESET\n" "$(bun --version)"
- printf " $CYAN Go:$RESET $YELLOW%s$RESET\n" "$(go version)"
- printf " $CYAN Bazel:$RESET $BLUE%s$RESET\n\n" "$(bazel --version)"
+ extraShellHook = ''
+ export USE_BAZEL_VERSION="''${USE_BAZEL_VERSION:-9.0.0}"
+ export BUN_INSTALL="''${BUN_INSTALL:-$HOME/.bun}"
+ export PATH="$BUN_INSTALL/bin:$PATH"
 '';
- buildInputs = enabledPackages;
 };
+ in
+ {
+ default = env.shell;
 }
 );
+
+ checks = forAllSystems (
+ system:
+ let
+ env = devshell-lib.lib.mkDevShell { inherit system; };
+ in
+ {
+ inherit (env) pre-commit-check;
+ }
+ );
+
+ formatter = forAllSystems (system: (devshell-lib.lib.mkDevShell { inherit system; }).formatter);
+
+ # Optional: release command (`release`)
+ #
+ # The release script always updates VERSION first, then:
+ # 1) runs release steps in order (file writes 
and scripts)
+ # 2) runs postVersion hook
+ # 3) formats, stages, commits, tags, and pushes
+ #
+ # Runtime env vars available in release.run/postVersion:
+ # BASE_VERSION, CHANNEL, PRERELEASE_NUM, FULL_VERSION, FULL_TAG
+ #
+ packages = forAllSystems (system: {
+ release = devshell-lib.lib.mkRelease {
+ inherit system;
+
+ release = [ ];
+
+ postVersion = ''
+ echo "Released $FULL_TAG"
+ '';
+ };
+ });
+ };
+ }
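Review bot: `checks.pre-commit-check` and `formatter` are taken from `devshell-lib.lib.mkDevShell { inherit system; }` with none of the arguments the `devShells` call passes (`features.oxfmt`, `formatters.shfmt`, `formatterSettings`, `additionalHooks.tests`), so unless the library ignores those arguments, `nix flake check` and `nix fmt` validate a different hook and formatter set than the one developers get in the shell, and the `pre-push` `tests` hook is presumably absent from the check. Building the configured value once per system in the `let` and reading `.shell`, `.pre-commit-check` and `.formatter` from that single value keeps the three outputs consistent and removes the two duplicated calls. Separately, `extraShellHook` prepends `$BUN_INSTALL/bin` to `PATH`, so a user-local `bun` shadows the nix-store one that the `tools` entry reports through `${pkgs.bun}/bin/bun`; if that precedence is intended, a comment such as `# user-local bun deliberately takes precedence over the nix-provided one` would explain a version mismatch between the banner and `bun --version`. The enclosing `outputs` function begins in the previous hunk.
```nix
      devShellFor =
        system:
        let
          pkgs = import nixpkgs { inherit system; };
          bazel9 = pkgs.writeShellScriptBin "bazel" ''
            export USE_BAZEL_VERSION="''${USE_BAZEL_VERSION:-9.0.0}"
            exec ${pkgs.bazelisk}/bin/bazelisk "$@"
          '';
        in
        # one configured value per system; every output below derives from it
        devshell-lib.lib.mkDevShell {
          inherit system;
          # … unchanged: extraPackages, features, formatters, formatterSettings, additionalHooks, tools, extraShellHook …
        };
    in
    {
      devShells = forAllSystems (system: { default = (devShellFor system).shell; });

      checks = forAllSystems (system: { inherit (devShellFor system) pre-commit-check; });

      formatter = forAllSystems (system: (devShellFor system).formatter);
      # … unchanged: packages.release …
```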