feat(checks): Fully rework lints

This is currently copied from my dotfiles. Should probably consider
using flake-parts to DRY this out.

checks/default.nix

@@ -1,61 +1,45 @@
-{
+{ flake-inputs }:
-  self,
-  nixpkgs,
-  deploy-rs,
-  system,
-  ...
-}:
 let
-  pkgs = nixpkgs.legacyPackages.${system};
+  inherit (flake-inputs.nixpkgs) lib;
-
+  pkgs = flake-inputs.nixpkgs.legacyPackages.x86_64-linux;
-  statix' = pkgs.statix.overrideAttrs (old: {
+  checkLib = pkgs.callPackage ./lib.nix { };
-    patches = old.patches ++ [
+in
-      (pkgs.fetchpatch {
+{
-        url = "https://github.com/oppiliappan/statix/commit/925dec39bb705acbbe77178b4d658fe1b752abbb.patch";
+  x86_64-linux = lib.mergeAttrsList [
-        hash = "sha256-0wacO6wuYJ4ufN9PGucRVJucFdFFNF+NoHYIrLXsCWs=";
-      })
-    ];
-  });
-
-  runNuCheck =
     {
-      name,
+      nix = checkLib.mkLint {
-      packages,
+        name = "nix-lints";
-      check,
+        fileset = lib.fileset.fileFilter (file: file.hasExt "nix") ../.;
-    }:
-    pkgs.stdenvNoCC.mkDerivation {
-      inherit name;
 
-      src = nixpkgs.lib.cleanSourceWith {
+        checkInputs = lib.attrValues {
-        src = self;
+          inherit (pkgs) deadnix nixfmt-rfc-style;
-        filter = nixpkgs.lib.cleanSourceFilter;
+
+          statix = pkgs.statix.overrideAttrs (old: {
+            patches = old.patches ++ [
+              (pkgs.fetchpatch {
+                url = "https://github.com/oppiliappan/statix/commit/925dec39bb705acbbe77178b4d658fe1b752abbb.patch";
+                hash = "sha256-0wacO6wuYJ4ufN9PGucRVJucFdFFNF+NoHYIrLXsCWs=";
+              })
+            ];
+          });
+        };
+
+        script = ''
+          statix check **/*.nix
+          deadnix --fail **/*.nix
+          nixfmt --check --strict **/*.nix
+        '';
       };
 
-      dontPatch = true;
+      lockfile = checkLib.mkLint {
-      dontConfigure = true;
+        name = "nix-lockfile";
-      dontBuild = true;
+        fileset = ../flake.lock;
-      dontInstall = true;
+        checkInputs = lib.attrValues { inherit (flake-inputs.flint.packages.x86_64-linux) flint; };
-      dontFixup = true;
-      doCheck = true;
 
-      checkInputs = nixpkgs.lib.singleton pkgs.nushell ++ packages;
+        script = ''
-
+          flint --fail-if-multiple-versions
-      checkPhase = ''
+        '';
-        nu ${check}
+      };
-      '';
+    }
-    };
+  ];
-in
+}
-nixpkgs.lib.recursiveUpdate {
-  lints = runNuCheck {
-    name = "lints";
-
-    packages = [
-      pkgs.deadnix
-      pkgs.nixfmt-rfc-style
-      pkgs.shellcheck
-      statix'
-    ];
-
-    check = ./lints.nu;
-  };
-} (deploy-rs.lib.${system}.deployChecks self.deploy)

checks/lib.nix

@@ -0,0 +1,35 @@
+{ pkgs, lib, ... }:
+{
+  mkLint =
+    {
+      name,
+      fileset,
+      checkInputs ? [ ],
+      script,
+    }:
+    pkgs.stdenvNoCC.mkDerivation {
+      inherit name;
+
+      src = lib.fileset.toSource {
+        root = ../.;
+        fileset = lib.fileset.difference fileset (
+          lib.fileset.fileFilter (
+            file: file.type != "regular" || file.name == "hardware-configuration.nix"
+          ) ../.
+        );
+      };
+
+      checkInputs = [ pkgs.nushell ] ++ checkInputs;
+
+      checkPhase = ''
+        nu -c '${script}' | tee $out
+      '';
+
+      dontPatch = true;
+      dontConfigure = true;
+      dontBuild = true;
+      dontInstall = true;
+      dontFixup = true;
+      doCheck = true;
+    };
+}

flake.nix

@@ -3,19 +3,44 @@
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05-small";
+
+    ## Nix/OS utilities
+
     disko = {
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    deploy-rs.url = "github:serokell/deploy-rs";
+
+    deploy-rs = {
+      url = "github:serokell/deploy-rs";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    tlaternet-webserver = {
+
-      url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
+    ## Programs
+
+    flint = {
+      url = "github:NotAShelf/flint";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    ## Services
+
+    tlaternet-webserver = {
+      url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        dream2nix.inputs = {
+          nixpkgs.follows = "nixpkgs";
+          purescript-overlay.inputs.flake-compat.follows = "deploy-rs/flake-compat";
+        };
+      };
+    };
+
     foundryvtt = {
       url = "github:reckenrode/nix-foundryvtt";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -23,7 +48,20 @@
 
     sonnenshift = {
       url = "git+ssh://git@github.com/sonnenshift/battery-manager";
-      inputs.nixpkgs.follows = "nixpkgs";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+
+        crate2nix.inputs = {
+          nixpkgs.follows = "nixpkgs";
+          flake-compat.follows = "deploy-rs/flake-compat";
+          cachix.inputs.nixpkgs.follows = "nixpkgs";
+          pre-commit-hooks.inputs.gitignore.follows = "sonnenshift/crate2nix/cachix/git-hooks/gitignore";
+
+          # Yes, they do this insanity:
+          # https://github.com/nix-community/crate2nix/issues/371
+          crate2nix_stable.follows = "sonnenshift/crate2nix";
+        };
+      };
     };
   };
 
@@ -90,7 +128,7 @@
       #########
       # Tests #
       #########
-      checks.${system} = import ./checks (inputs // { inherit system; });
+      checks = import ./checks { flake-inputs = inputs; };
 
       ###########################
       # Garbage collection root #