From f0814d1d4a7baf789b800f3183e8cbbb7c753b36 Mon Sep 17 00:00:00 2001 From: Maxwell Brown Date: Sat, 26 Oct 2024 10:16:01 -0400 Subject: [PATCH] update workflows --- .github/workflows/check.yml | 20 +++ .github/workflows/pr.yml | 31 ---- .github/workflows/terraform.yml | 130 +++++++++++++++++ .github/workflows/tofu.yml | 133 ----------------- .gitignore | 3 + .pre-commit-config.yaml | 33 ----- flake.lock | 250 ++++++++------------------------ flake.nix | 165 ++++++++------------- shell.nix | 54 ------- 9 files changed, 276 insertions(+), 543 deletions(-) create mode 100644 .github/workflows/check.yml delete mode 100644 .github/workflows/pr.yml create mode 100644 .github/workflows/terraform.yml delete mode 100644 .github/workflows/tofu.yml delete mode 100644 .pre-commit-config.yaml delete mode 100644 shell.nix diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml new file mode 100644 index 000000000..99a105daf --- /dev/null +++ b/.github/workflows/check.yml @@ -0,0 +1,20 @@ +name: Check + +on: + workflow_dispatch: + push: + branches: [main] + pull_request: + branches: [main] + +jobs: + check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: DeterminateSystems/nix-installer-action@main + - uses: DeterminateSystems/magic-nix-cache-action@main + - name: Check + run: nix flake check diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml deleted file mode 100644 index 41f45336c..000000000 --- a/.github/workflows/pr.yml +++ /dev/null 
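Review bot: `DeterminateSystems/nix-installer-action@main` and `DeterminateSystems/magic-nix-cache-action@main` in the `check` job reference a mutable branch, so whatever is pushed to that branch next runs inside this workflow with the repository token; the same two references appear in the new terraform.yml. Pin each to a release tag or, preferably, a full commit SHA with a version comment, e.g. `uses: DeterminateSystems/nix-installer-action@<release-sha> # vX.Y.Z`, so the action content is reviewable and reproducible. The workflow also declares no `permissions:` block, so the token receives the repository's default scopes; `permissions: { contents: read }` at the top level is sufficient for `nix flake check`.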
@@ -1,31 +0,0 @@ ---- -name: Pull Request CI - -on: - pull_request: - branches: - - main - - # Allows for running this workflow manually from the GitHub Actions UI - workflow_dispatch: - -jobs: - pre-commit: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - uses: actions/setup-python@v3 - - uses: pre-commit/action@v3.0.0 - - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - uses: cachix/install-nix-action@v19 - - run: nix fmt diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml new file mode 100644 index 000000000..e72dc16c4 --- /dev/null +++ b/.github/workflows/terraform.yml 
@@ -0,0 +1,130 @@ +--- +name: OpenTofu Enforcement + +on: + push: + branches: [main] + paths: [terraform/**] + + pull_request: + branches: [main] + paths: [terraform/**] + +jobs: + opentofu_enforcement: + runs-on: ubuntu-latest + + strategy: + matrix: + opentofu_module: [aws, github] + + permissions: + contents: read + id-token: write + pull-requests: write + + steps: + - name: Enforce permission requirement + uses: prince-chrismc/check-actor-permissions-action@v3 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + permission: write + + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@main + + - name: Enable Magic Nix Cache + uses: DeterminateSystems/magic-nix-cache-action@main + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + aws-region: ${{ secrets.DEFAULT_AWS_REGION }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubAction-AssumeRoleWithAction + + - name: OpenTofu Init + id: init + working-directory: terraform/${{ matrix.opentofu_module }} + run: nix develop -c tofu init + + - name: OpenTofu Format + id: fmt + run: nix develop -c tofu fmt -check + + - name: OpenTofu Validate + id: validate + working-directory: terraform/${{ matrix.opentofu_module }} + run: nix develop -c tofu validate + + - name: OpenTofu Plan + id: plan + if: github.event_name == 'pull_request' + working-directory: terraform/${{ matrix.opentofu_module }} + run: | + # Capture plan output + plan=$(nix develop -c tofu plan -no-color -input=false) + # Echo the plan so it is still visible in CI + echo "${plan}" + # Handle appending multi-line strings to GitHub Outputs + echo "plan<> $GITHUB_OUTPUT + env: + SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} + continue-on-error: true + + - name: Find Comment + if: github.event_name == 'pull_request' + id: find-comment + uses: peter-evans/find-comment@v3 + env: + TERRAFORM_MODULE: ${{ matrix.opentofu_module 
}} + with: + issue-number: ${{ github.event.pull_request.number }} + comment-author: 'github-actions[bot]' + body-includes: + + - name: Create Comment + if: github.event_name == 'pull_request' + id: comment + uses: peter-evans/create-or-update-comment@v4 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PLAN: "${{ steps.plan.outputs.plan }}" + TERRAFORM_MODULE: ${{ matrix.opentofu_module }} + with: + comment-id: ${{ steps.find-comment.outputs.comment-id }} + issue-number: ${{ github.event.pull_request.number }} + edit-mode: replace + body: | + + + ## OpenTofu Enforcement Summary (${{ env.TERRAFORM_MODULE }}) + #### OpenTofu Format and Style: 🖌`${{ steps.fmt.outcome }}` + #### OpenTofu Initialization: ⚙️`${{ steps.init.outcome }}` + #### OpenTofu Validation: 🤖`${{ steps.validate.outcome }}` + #### OpenTofu Plan: 📖`${{ steps.plan.outcome }}` + +
Show Plan + + ``` + ${{ env.PLAN }} + ``` + +
+ + *Pusher: @${{ github.actor }}, Action: `${{ github.event_name }}`, Working Directory: `${{ env.TERRAFORM_MODULE }}`, Workflow: `${{ github.workflow }}`* + + - name: OpenTofu Plan Status + if: github.event_name == 'pull_request' && steps.plan.outcome == 'failure' + run: exit 1 + + - name: OpenTofu Apply + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + working-directory: terraform/${{ matrix.opentofu_module }} + run: nix develop -c tofu apply -auto-approve -input=false + env: + SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} diff --git a/.github/workflows/tofu.yml b/.github/workflows/tofu.yml deleted file mode 100644 index df6ae8b96..000000000 --- a/.github/workflows/tofu.yml +++ /dev/null 
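Review bot: The `OpenTofu Format` step (id `fmt`) is the only tofu step without `working-directory: terraform/${{ matrix.opentofu_module }}`, so `nix develop -c tofu fmt -check` runs at the repository root; `tofu fmt` does not descend into subdirectories unless `-recursive` is given, so the check presumably never inspects the module's files and passes regardless of their formatting. Add the `working-directory` line to that step, or run `tofu fmt -check -recursive` from the root. The plan output is posted verbatim into the PR comment through `env.PLAN`, so any value the plan prints that is not marked `sensitive` in the configuration becomes readable by everyone who can view the PR; worth confirming that is intended for the `aws` and `github` modules. The `echo "plan<> $GITHUB_OUTPUT` line looks truncated in this view (a heredoc delimiter appears to be missing), so the output capture could not be checked here.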
@@ -1,133 +0,0 @@ ---- -name: OpenTofu Enforcement - -on: - push: - branches: - - main - paths: - - terraform/** - - pull_request: - branches: - - main - paths: - - terraform/** - - # Allows for running this workflow manually from the GitHub Actions UI - workflow_dispatch: - -permissions: - contents: read - id-token: write - pull-requests: write - -jobs: - opentofu_enforcement: - runs-on: ubuntu-latest - - strategy: - matrix: - opentofu_module: [aws, github] - - defaults: - run: - shell: bash - working-directory: terraform/${{ matrix.opentofu_module }} - - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 - with: - aws-region: ${{ secrets.DEFAULT_AWS_REGION }} - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubAction-AssumeRoleWithAction - - - name: Setup OpenTofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: 1.6.0-alpha1 - - - name: OpenTofu Init - id: init - run: tofu init - - - name: OpenTofu Format - id: fmt - run: tofu fmt -check - - - name: OpenTofu Validate - id: validate - run: tofu validate - - - name: OpenTofu Plan - id: plan - if: github.event_name == 'pull_request' - run: tofu plan -no-color -input=false - env: - SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} - continue-on-error: true - - - uses: actions/github-script@v6 - if: github.event_name == 'pull_request' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PLAN: "tofu\n${{ steps.plan.outputs.stdout }}" - TERRAFORM_MODULE: ${{ matrix.opentofu_module }} - with: - script: | - const { data: comments } = await github.rest.issues.listComments({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number, - }) - - const botComment = comments.find(comment => - comment.user.type === 'Bot' && - comment.body.includes('OpenTofu Enforcement Summary (${{ env.TERRAFORM_MODULE }})') - ) - - const output = `## OpenTofu Enforcement Summary (${{ 
env.TERRAFORM_MODULE }}) - #### OpenTofu Format and Style: 🖌\`${{ steps.fmt.outcome }}\` - #### OpenTofu Initialization: ⚙️\`${{ steps.init.outcome }}\` - #### OpenTofu Validation: 🤖\`${{ steps.validate.outcome }}\` - #### OpenTofu Plan: 📖\`${{ steps.plan.outcome }}\` - -
Show Plan - - \`\`\`\n - ${process.env.PLAN} - \`\`\` - -
- - *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.TERRAFORM_MODULE }}\`, Workflow: \`${{ github.workflow }}\`*`; - - if (botComment) { - github.rest.issues.updateComment({ - owner: context.repo.owner, - repo: context.repo.repo, - comment_id: botComment.id, - body: output - }) - } else { - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) - } - - - name: OpenTofu Plan Status - if: steps.plan.outcome == 'failure' - run: exit 1 - - - name: OpenTofu Apply - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - env: - SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} - run: tofu apply -auto-approve -input=false diff --git a/.gitignore b/.gitignore index c4e7f6cbe..b6effbef0 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,6 @@ result .terraform terraform.tfstate terraform.tfstate.* + +# Pre-Commit (Auto-Generated by Nix) +.pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml deleted file mode 100644 index 6f1f1f2d7..000000000 --- a/.pre-commit-config.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -repos: - - repo: https://github.com/pre-commit/pre-commit-hooks.git - rev: v4.4.0 - hooks: - # - id: no-commit-to-branch - - id: check-merge-conflict - - id: check-symlinks - - id: check-json - - id: check-yaml - args: [--allow-multiple-documents] - - id: check-toml - - id: end-of-file-fixer - - id: mixed-line-ending - - id: trailing-whitespace - - - repo: https://github.com/tofuutils/pre-commit-opentofu - rev: v2.1.0 - hooks: - - id: tofu_fmt - - - repo: https://github.com/jumanjihouse/pre-commit-hook-yamlfmt.git - rev: 0.2.3 - hooks: - - id: yamlfmt - args: - - --mapping - - '2' - - --sequence - - '4' - - --offset - - '2' - - --explicit_start diff --git a/flake.lock b/flake.lock index 6e2dd38a3..4ac80d140 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,43 +1,5 @@ { "nodes": { - "base16-schemes": { - "flake": false, - "locked": { - "lastModified": 1689473676, - "narHash": "sha256-L0RhUr9+W5EPWBpLcmkKpUeCEWRs/kLzVMF3Vao2ZU0=", - "owner": "tinted-theming", - "repo": "base16-schemes", - "rev": "d95123ca6377cd849cfdce92c0a24406b0c6a789", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-schemes", - "type": "github" - } - }, - "deploy-rs": { - "inputs": { - "flake-compat": "flake-compat", - "nixpkgs": [ - "nixpkgs" - ], - "utils": "utils" - }, - "locked": { - "lastModified": 1704875591, - "narHash": "sha256-eWRLbqRcrILgztU/m/k7CYLzETKNbv0OsT2GjkaNm8A=", - "owner": "serokell", - "repo": "deploy-rs", - "rev": "1776009f1f3fb2b5d236b84d9815f2edee463a9b", - "type": "github" - }, - "original": { - "owner": "serokell", - "repo": "deploy-rs", - "type": "github" - } - }, "flake-compat": { "flake": false, "locked": { 
@@ -54,221 +16,131 @@ "type": "github" } }, - "home-manager": { + "flake-parts": { "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "utils": "utils_2" + "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1685325875, - "narHash": "sha256-tevlLIMPeVNNYPd9UgjHApAUoFAnw9iohqUyj+LPp88=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "b372d7f8d5518aaba8a4058a453957460481afbc", + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", "type": "github" }, "original": { - "owner": "nix-community", - "ref": "release-22.11", - "repo": "home-manager", + "owner": "hercules-ci", + "repo": "flake-parts", "type": "github" } }, - "nix-colors": { + "git-hooks": { "inputs": { - "base16-schemes": "base16-schemes", - "nixpkgs-lib": "nixpkgs-lib" + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1695388192, - "narHash": "sha256-2jelpE7xK+4M7jZNyWL7QYOYegQLYBDQS5bvdo8XRUQ=", - "owner": "misterio77", - "repo": "nix-colors", - "rev": "37227f274b34a3b51649166deb94ce7fec2c6a4c", + "lastModified": 1729104314, + "narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6", "type": "github" }, "original": { - "owner": "misterio77", - "repo": "nix-colors", + "owner": "cachix", + "repo": "git-hooks.nix", "type": "github" } }, - "nixos-hardware": { + "gitignore": { + "inputs": { + "nixpkgs": [ + "git-hooks", + "nixpkgs" + ] + }, "locked": { - "lastModified": 1705312285, - "narHash": "sha256-rd+dY+v61Y8w3u9bukO/hB55Xl4wXv4/yC8rCGVnK5U=", - "owner": "NixOS", - "repo": "nixos-hardware", - "rev": "bee2202bec57e521e3bd8acd526884b9767d7fa0", + "lastModified": 1709087332, + "narHash": 
"sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixos-hardware", + "owner": "hercules-ci", + "repo": "gitignore.nix", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1705916986, - "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", - "owner": "nixos", + "lastModified": 1719082008, + "narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", + "rev": "9693852a2070b398ee123a329e68f0dab5526681", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-23.11", + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-lib": { "locked": { - "lastModified": 1694911725, - "narHash": "sha256-8YqI+YU1DGclEjHsnrrGfqsQg3Wyga1DfTbJrN3Ud0c=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "819180647f428a3826bfc917a54449da1e532ce0", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1706014056, - "narHash": "sha256-Bz0FXHOv96uWY8fwXroUhvMq6OIXgBbvdOi6zAE+i4M=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a95d98f05a5da6cf66bef2584cf7a70b474d4518", - "type": "github" + "lastModified": 1727825735, + "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" }, "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixpkgs", - "type": "github" + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" } }, "nixpkgs-stable": { "locked": { - "lastModified": 1705033721, - 
"narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=", + "lastModified": 1720386169, + "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea", + "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.05", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-unstable": { + "nixpkgs_2": { "locked": { - "lastModified": 1705856552, - "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", - "owner": "NixOS", + "lastModified": 1729850857, + "narHash": "sha256-WvLXzNNnnw+qpFOmgaM3JUlNEH+T4s22b5i2oyyCpXE=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "rev": "41dea55321e5a999b17033296ac05fe8a8b5a257", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-unstable", + "owner": "nixos", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "root": { "inputs": { - "deploy-rs": "deploy-rs", - "home-manager": "home-manager", - "nix-colors": "nix-colors", - "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable", - "sops-nix": "sops-nix" - } - }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1705805983, - "narHash": "sha256-HluB9w7l75I4kK25uO4y6baY4fcDm2Rho0WI1DN2Hmc=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "ae171b54e76ced88d506245249609f8c87305752", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - 
"original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_2": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" + "flake-parts": "flake-parts", + "git-hooks": "git-hooks", + "nixpkgs": "nixpkgs_2" } } }, diff --git a/flake.nix b/flake.nix index 73f170d66..6f02b2073 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,109 +1,68 @@ { - inputs = { - nixpkgs = { - url = "github:nixos/nixpkgs/nixos-23.11"; - }; - - nixpkgs-master = { - url = "github:NixOS/nixpkgs/master"; - }; - - nixpkgs-unstable = { - url = "github:NixOS/nixpkgs/nixos-unstable"; - }; - - nixos-hardware = { - url = "github:NixOS/nixos-hardware/master"; - }; - - deploy-rs = { - url = "github:serokell/deploy-rs"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - home-manager = { - url = "github:nix-community/home-manager/release-22.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nix-colors = { - url = "github:misterio77/nix-colors"; - }; + description = "The infrastructure-as-code for Effect"; - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable"; + flake-parts.url = "github:hercules-ci/flake-parts"; + git-hooks.url = "github:cachix/git-hooks.nix"; }; - outputs = inputs @ { - self, - nixpkgs, - nixpkgs-master, - nixpkgs-unstable, - nixos-hardware, - deploy-rs, - home-manager, - nix-colors, - sops-nix, - ... 
- }: let - supportedSystems = [ - "x86_64-darwin" - "x86_64-linux" - "aarch64-darwin" - "aarch64-linux" - ]; - - forAllSystems = nixpkgs.lib.genAttrs supportedSystems; - - pkgsFor = system: nixpkgs.legacyPackages.${system}; - unstablePkgsFor = system: nixpkgs-unstable.legacyPackages.${system}; - - inherit (self) outputs; - specialArgs = {inherit inputs outputs;}; - in { - homeManagerModules = import "${self}/nixos/modules/home-manager"; - - formatter = forAllSystems ( - system: let - pkgs = pkgsFor system; - in - pkgs.alejandra - ); - - devShells = forAllSystems (system: let - pkgs = unstablePkgsFor system; - in { - default = pkgs.callPackage "${self}/shell.nix" {inherit pkgs;}; - }); - - nixosConfigurations = { - # On actual machine: - # nixos-rebuild switch --flake .#devbox - # On other machine: - # nixos-rebuild --build-host user@host --target-host user@host --use-remote-sudo switch --flake .#devbox - # On other machine with dry activation: - # nixos-rebuild --build-host user@host --target-host user@host --use-remote-sudo dry-activate --flake .#devbox - devbox = nixpkgs.lib.nixosSystem { - inherit specialArgs; - modules = ["${self}/nixos/hosts/devbox"]; - }; - - k3s-host-01 = nixpkgs.lib.nixosSystem { - inherit specialArgs; - modules = ["${self}/nixos/hosts/k3s/host-01"]; - }; - - k3s-host-02 = nixpkgs.lib.nixosSystem { - inherit specialArgs; - modules = ["${self}/nixos/hosts/k3s/host-02"]; - }; - - k3s-host-03 = nixpkgs.lib.nixosSystem { - inherit specialArgs; - modules = ["${self}/nixos/hosts/k3s/host-03"]; - }; + outputs = + inputs@{ flake-parts, ... }: + flake-parts.lib.mkFlake { inherit inputs; } { + systems = inputs.nixpkgs.lib.systems.flakeExposed; + + imports = [ + inputs.git-hooks.flakeModule + ]; + + perSystem = + { + config, + pkgs, + ... 
+ }: + { + devShells.default = pkgs.mkShell { + inherit (config.pre-commit.devShell) nativeBuildInputs; + + buildInputs = with pkgs; [ + age + awscli2 + findutils + opentofu + sops + ssh-to-age + yq-go + ]; + + shellHook = '' + ${config.pre-commit.devShell.shellHook} + ''; + + # KUSTOMIZE_PLUGIN_HOME = pkgs.buildEnv { + # name = "kustomize-plugins"; + # paths = [ + # kustomize-sops + # ]; + # postBuild = '' + # mv $out/lib/* $out + # rm -r $out/lib + # ''; + # pathsToLink = [ "/lib" ]; + # }; + }; + + pre-commit = { + settings = { + hooks = { + # Terraform Hooks + terraform-format.enable = true; + # Miscellaneous Hooks + end-of-file-fixer.enable = true; + }; + }; + }; + }; }; - }; } diff --git a/shell.nix b/shell.nix deleted file mode 100644 index 0ca156377..000000000 --- a/shell.nix +++ /dev/null @@ -1,54 +0,0 @@ -let - flakeLock = builtins.fromJSON (builtins.readFile ./flake.lock); - nixpkgsLock = flakeLock.nodes.nixpkgs.locked; - lockedNixpkgs = - import - (fetchTarball { - url = "https://github.com/NixOS/nixpkgs/archive/${nixpkgsLock.rev}.tar.gz"; - sha256 = nixpkgsLock.narHash; - }) - {}; -in - {pkgs ? lockedNixpkgs}: - with pkgs; - mkShell { - name = "nixos-shell"; - - # Enable experimental features without having to specify the argument - NIX_CONFIG = "extra-experimental-features = nix-command flakes repl-flake"; - - buildInputs = [ - age - alejandra - awscli2 - findutils - git - home-manager - kubectl - kubernetes-helm - opentofu - nix - nil - nixos-rebuild - pre-commit - python310Packages.pre-commit-hooks - sops - ssh-to-age - ]; - - KUSTOMIZE_PLUGIN_HOME = pkgs.buildEnv { - name = "kustomize-plugins"; - paths = [ - kustomize-sops - ]; - postBuild = '' - mv $out/lib/* $out - rm -r $out/lib - ''; - pathsToLink = ["/lib"]; - }; - - shellHook = '' - pre-commit install - ''; - }
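Review bot: The commented-out `KUSTOMIZE_PLUGIN_HOME` block inside `devShells.default` is dead code carried over from the deleted shell.nix, and `kustomize-sops` is no longer in `buildInputs`; either drop the block or replace it with a single `# TODO(owner): restore KUSTOMIZE_PLUGIN_HOME (kustomize-sops) when the plugin is needed again`. The `shellHook = '' ${config.pre-commit.devShell.shellHook} '';` wrapper adds only whitespace around the inherited hook and can be written as `shellHook = config.pre-commit.devShell.shellHook;`. Removing the `nixosConfigurations`, `homeManagerModules` and `formatter` outputs goes well beyond the commit title `update workflows`; a sentence in the description stating that the NixOS host configurations are intentionally dropped would help anyone bisecting later.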