diff --git a/checks/default.nix b/checks/default.nix
new file mode 100644
index 0000000..80279ba
--- /dev/null
+++ b/checks/default.nix
@@ -0,0 +1,52 @@
+{
+ self,
+ nixpkgs,
+ deploy-rs,
+ system,
+ ...
+}:
+let
+ pkgs = nixpkgs.legacyPackages.${system};
+
+ runNuCheck =
+ {
+ name,
+ packages,
+ check,
+ }:
+ pkgs.stdenvNoCC.mkDerivation {
+ inherit name;
+
+ src = nixpkgs.lib.cleanSourceWith {
+ src = self;
+ filter = nixpkgs.lib.cleanSourceFilter;
+ };
+
+ dontPatch = true;
+ dontConfigure = true;
+ dontBuild = true;
+ dontInstall = true;
+ dontFixup = true;
+ doCheck = true;
+
+ checkInputs = nixpkgs.lib.singleton pkgs.nushell ++ packages;
+
+ checkPhase = ''
+ nu ${check}
+ '';
+ };
+in
+nixpkgs.lib.recursiveUpdate {
+ lints = runNuCheck {
+ name = "lints";
+
+ packages = [
+ pkgs.deadnix
+ pkgs.nixfmt-rfc-style
+ pkgs.shellcheck
+ pkgs.statix
+ ];
+
+ check = ./lints.nu;
+ };
+} (deploy-rs.lib.${system}.deployChecks self.deploy)
diff --git a/checks/lints.nu b/checks/lints.nu
new file mode 100644
index 0000000..ffc2047
--- /dev/null
+++ b/checks/lints.nu
@@ -0,0 +1,39 @@
+#!/usr/bin/env nu
+
+let shell_files = ls **/*.sh | get name
+let nix_files = ls **/*.nix | where name !~ "hardware-configuration.nix|_sources" | get name
+
+let linters = [
+ ([shellcheck] ++ $shell_files)
+ ([nixfmt --check --strict] ++ $nix_files)
+ ([deadnix --fail] ++ $nix_files)
+ ([statix check] ++ $nix_files)
+]
+
+mkdir $env.out
+
+def run-linter [linterArgs: list<string>] {
+ print $'Running ($linterArgs.0)...'
+
+ let exit_code = try {
+ ^$linterArgs.0 ...($linterArgs | skip 1)
+ $env.LAST_EXIT_CODE
+ } catch {|e| $e.exit_code}
+
+ [$linterArgs.0, $exit_code]
+}
+
+let results = $linters | each {|linter| run-linter $linter}
+
+print 'Linter results:'
+
+let success = $results | each {|result|
+ match $result.1 {
+ 0 => {print $'(ansi green)($result.0)(ansi reset)'}
+ _ => {print $'(ansi red)($result.0)(ansi reset)'}
+ }
+
+ $result.1
+} | math sum
+
+exit $success
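Review bot: `checkInputs = nixpkgs.lib.singleton pkgs.nushell ++ packages;` lists nushell and the linters as host-platform check dependencies, but `checkPhase` executes them on the build machine, which is what `nativeCheckInputs` is for; the line should read `nativeCheckInputs = nixpkgs.lib.singleton pkgs.nushell ++ packages;`. For a native build the two lists resolve the same, so the mistake only surfaces when `system` differs from the builder, but the tools belong in the native list either way. A short comment above `runNuCheck` would also help, for instance `# Runs a nushell script against the cleaned flake source; the script is responsible for creating $out.`, since `checkPhase` never creates `$out` and the derivation only succeeds because lints.nu runs `mkdir $env.out` itself.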
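Review bot: The process status at `exit $success` is the `math sum` of all linter exit codes, which is not a dependable pass/fail signal: only the low 8 bits of an exit status survive, so a sum that reaches 256 (one linter exiting 255 and another 1, for example) reports success, and an error caught without an `exit_code` field (presumably the case when a linter binary cannot be launched at all) leaves a null in the list rather than a failure. Reduce the codes to a boolean instead: `let failed = $results | each {|result|` … `} | any {|code| $code != 0}` and `exit (if $failed { 1 } else { 0 })`. Renaming the variable also fixes `success` currently being non-zero exactly when something failed.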
diff --git a/configuration/default.nix b/configuration/default.nix
index f874733..aebea7a 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -1,7 +1,5 @@
 {
 config,
- pkgs,
- lib,
 modulesPath,
 flake-inputs,
 ...
@@ -32,13 +30,7 @@ ./sops.nix ]; - nixpkgs.overlays = [ - (final: prev: { - local = import ../pkgs { - pkgs = prev; - }; - }) - ]; + nixpkgs.overlays = [ (_: prev: { local = import ../pkgs { pkgs = prev; }; }) ]; nix = { extraOptions = ''
diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix
index db563fe..23969f0 100644
--- a/configuration/hardware-specific/vm.nix
+++ b/configuration/hardware-specific/vm.nix
@@ -15,9 +15,7 @@ systemd.network.networks."10-eth0" = { matchConfig.Name = "eth0"; - gateway = [ - "192.168.9.1" - ]; + gateway = [ "192.168.9.1" ]; networkConfig = { Address = "192.168.9.2/24"; };
diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix
index 81e3554..baa61e3 100644
--- a/configuration/services/backups.nix
+++ b/configuration/services/backups.nix
@@ -57,7 +57,7 @@ in
 '';
 type = types.attrsOf (
 types.submodule (
- { config, name, ... }:
+ { name, ... }:
 {
 options = {
 user = lib.mkOption {
@@ -246,7 +246,7 @@ in
 };
 }
 // lib.mapAttrs' (
- name: backup:
+ name: _:
 lib.nameValuePair "backup-${name}" {
 wantedBy = [ "timers.target" ];
 timerConfig = {
diff --git a/configuration/services/conduit/matrix-hookshot.nix b/configuration/services/conduit/matrix-hookshot.nix
index c1f16dc..6846d99 100644
--- a/configuration/services/conduit/matrix-hookshot.nix
+++ b/configuration/services/conduit/matrix-hookshot.nix
@@ -74,9 +74,7 @@ in services.matrix-hookshot = { enable = true; - serviceDependencies = [ - "conduit.service" - ]; + serviceDependencies = [ "conduit.service" ]; registrationFile = "/run/matrix-hookshot/registration.yaml";
@@ -126,15 +124,11 @@ in
 listeners = [
 {
 port = 9000;
- resources = [
- "webhooks"
- ];
+ resources = [ "webhooks" ];
 }
 {
 port = 9001;
- resources = [
- "metrics"
- ];
+ resources = [ "metrics" ];
 }
 ];
 
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index 6e0f367..b736047 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -8,9 +8,7 @@ security.crowdsec = { enable = true; - parserWhitelist = [ - "10.45.249.2" - ]; + parserWhitelist = [ "10.45.249.2" ]; extraGroups = [ "systemd-journal"
@@ -21,25 +19,19 @@ { source = "journalctl"; labels.type = "syslog"; - journalctl_filter = [ - "SYSLOG_IDENTIFIER=Nextcloud" - ]; + journalctl_filter = [ "SYSLOG_IDENTIFIER=Nextcloud" ]; } { source = "journalctl"; labels.type = "syslog"; - journalctl_filter = [ - "SYSLOG_IDENTIFIER=sshd-session" - ]; + journalctl_filter = [ "SYSLOG_IDENTIFIER=sshd-session" ]; } { labels.type = "nginx"; filenames = - [ - "/var/log/nginx/*.log" - ] + [ "/var/log/nginx/*.log" ] ++ lib.mapAttrsToList ( vHost: _: "/var/log/nginx/${vHost}/access.log" ) config.services.nginx.virtualHosts;
diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix
index 80a3480..52c2a46 100644
--- a/configuration/services/metrics/exporters.nix
+++ b/configuration/services/metrics/exporters.nix
@@ -74,7 +74,7 @@ in listenAddress = "127.0.0.1"; group = "nginx"; - settings.namespaces = lib.mapAttrsToList (name: virtualHost: { + settings.namespaces = lib.mapAttrsToList (name: _: { inherit name; metrics_override.prefix = "nginxlog"; namespace_label = "vhost";
diff --git a/configuration/services/metrics/options.nix b/configuration/services/metrics/options.nix
index d69ecfb..a0c35b6 100644
--- a/configuration/services/metrics/options.nix
+++ b/configuration/services/metrics/options.nix
@@ -38,7 +38,7 @@ in
 services.victoriametrics.scrapeConfigs = mkOption {
 type = types.attrsOf (
 types.submodule (
- { name, self, ... }:
+ { name, ... }:
 {
 options = {
 job_name = mkOption {
@@ -212,7 +212,7 @@ in services.victoriametrics.scrapeConfigs = let - allExporters = lib.mapAttrs (name: exporter: { inherit (exporter) listenAddress port; }) ( + allExporters = lib.mapAttrs (_: exporter: { inherit (exporter) listenAddress port; }) ( (lib.filterAttrs ( name: exporter: # A bunch of deprecated exporters that need to be ignored
diff --git a/configuration/services/metrics/victorialogs.nix b/configuration/services/metrics/victorialogs.nix
index ae47c39..413659a 100644
--- a/configuration/services/metrics/victorialogs.nix
+++ b/configuration/services/metrics/victorialogs.nix
@@ -1,8 +1,4 @@
-{
- config,
- lib,
- ...
-}:
+{ config, lib, ... }:
 let
 cfg = config.services.victorialogs;
 in
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index b5cb691..5790cdf 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -15,12 +15,12 @@ in
 package = nextcloud;
 phpPackage = lib.mkForce (
 pkgs.php.override {
- packageOverrides = final: prev: {
+ packageOverrides = _: prev: {
 extensions = prev.extensions // {
- pgsql = prev.extensions.pgsql.overrideAttrs (old: {
+ pgsql = prev.extensions.pgsql.overrideAttrs (_: {
 configureFlags = [ "--with-pgsql=${lib.getDev config.services.postgresql.package}" ];
 });
- pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (old: {
+ pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (_: {
 configureFlags = [ "--with-pdo-pgsql=${lib.getDev config.services.postgresql.package}" ];
 });
 };
diff --git a/flake.nix b/flake.nix
index bdb60ed..6747c24 100644
--- a/flake.nix
+++ b/flake.nix
@@ -96,7 +96,7 @@
 #########
 # Tests #
 #########
- checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+ checks.${system} = import ./checks (inputs // { inherit system; });
 
 ###########################
 # Garbage collection root #
diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix
index c0003a5..ac93c4a 100644
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@@ -267,9 +267,7 @@ in }; }; - systemd.packages = [ - cfg.package - ]; + systemd.packages = [ cfg.package ]; environment = { systemPackages = [
diff --git a/modules/crowdsec/remediations/cs-firewall-bouncer.nix b/modules/crowdsec/remediations/cs-firewall-bouncer.nix
index aa70552..2769432 100644
--- a/modules/crowdsec/remediations/cs-firewall-bouncer.nix
+++ b/modules/crowdsec/remediations/cs-firewall-bouncer.nix
@@ -31,9 +31,7 @@ in security.crowdsec.remediationComponents.firewallBouncer.settings = { mode = lib.mkDefault "${if config.networking.nftables.enable then "nftables" else "iptables"}"; log_mode = "stdout"; - iptables_chains = [ - "nixos-fw" - ]; + iptables_chains = [ "nixos-fw" ]; # Don't let users easily override this; unfortunately we need to # set up this key through substitution at runtime.
@@ -78,9 +76,7 @@ in requiredBy = [ "crowdsec.service" ]; path = - lib.optionals (cfg.settings.mode == "ipset" || cfg.settings.mode == "iptables") [ - pkgs.ipset - ] + lib.optionals (cfg.settings.mode == "ipset" || cfg.settings.mode == "iptables") [ pkgs.ipset ] ++ lib.optional (cfg.settings.mode == "iptables") pkgs.iptables ++ lib.optional (cfg.settings.mode == "nftables") pkgs.nftables; };
diff --git a/modules/crowdsec/remediations/default.nix b/modules/crowdsec/remediations/default.nix
index 7df6ade..c3c0790 100644
--- a/modules/crowdsec/remediations/default.nix
+++ b/modules/crowdsec/remediations/default.nix
@@ -1,5 +1 @@
-{
- imports = [
- ./cs-firewall-bouncer.nix
- ];
-}
+{ imports = [ ./cs-firewall-bouncer.nix ]; }
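Review bot: `checks.${system} = import ./checks (inputs // { inherit system; });` defines checks for one `system` only, whereas the removed line produced a `checks` entry for every system in `deploy-rs.lib`; `system` and `inputs` are bound outside this hunk, so whether that narrowing is intended cannot be confirmed from here. If the other systems should keep their checks, the previous shape does it in one line: `checks = builtins.mapAttrs (system: _: import ./checks (inputs // { inherit system; })) deploy-rs.lib;`. Either form relies on `inputs` carrying `self`, `nixpkgs` and `deploy-rs`, since `checks/default.nix` destructures `{ self, nixpkgs, deploy-rs, system, ... }`; a comment stating that expectation next to the `checks` line would save the next reader a lookup.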
diff --git a/pkgs/crowdsec/hub.nix b/pkgs/crowdsec/hub.nix
index d057ca8..1b8c9b3 100644
--- a/pkgs/crowdsec/hub.nix
+++ b/pkgs/crowdsec/hub.nix
@@ -1,4 +1 @@
-{
- sources,
-}:
-sources.crowdsec-hub.src
+{ sources }: sources.crowdsec-hub.src