update devenv
Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
d16fa1c3e3
commit
185a4a7efb
5 changed files with 172 additions and 55 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
|
@ -1,3 +1,4 @@
|
|||
.devenv
|
||||
apps/**/protonvpn-wg-secret.yaml
|
||||
apps/**/*-secret.yaml
|
||||
apps/**/*-secrets.yaml
|
||||
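--- /dev/null
+++ b/Taskfile.yaml
@@ -0,0 +1,73 @@
+version: '3'
+
+vars:
+  SEALED_SECRETS_NS: sealed-secrets
+  SEALED_SECRETS_NAME: sealed-secrets
+
+tasks:
+  default:
+    desc: Run all checks (lint, validate, secrets scan)
+    cmds:
+      - task: lint
+      - task: validate
+      - task: secrets
+
+  lint:
+    desc: Lint YAML files and shell scripts
+    cmds:
+      - task: lint:yaml
+      - task: lint:shell
+
+  lint:yaml:
+    desc: Lint YAML files with yamllint
+    cmd: yamllint .
+
+  lint:shell:
+    desc: Lint shell scripts with shellcheck
+    cmd: |
+      files=$(git ls-files '*.sh')
+      if [ -z "$files" ]; then
+        echo "No shell scripts to check."
+      else
+        echo "$files" | xargs shellcheck
+      fi
+
+  fmt:
+    desc: Format all YAML files in-place with yamlfmt
+    cmd: yamlfmt .
+
+  validate:
+    desc: Validate Kubernetes manifests with kubeconform
+    cmd: |
+      git ls-files '*.yaml' '*.yml' | xargs kubeconform \
+        -strict \
+        -summary \
+        -ignore-missing-schemas \
+        -schema-location '{{`{{.ResourceKind}}`}}-{{`{{.ResourceAPIVersion}}`}}.json' \
+        -schema-location 'https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{`{{.ResourceKind}}`}}-{{`{{.ResourceAPIVersion}}`}}.json' \
+        -schema-location default
+
+  secrets:
+    desc: Scan for leaked secrets with gitleaks
+    cmd: gitleaks detect --no-git -v --redact
+
+  seal:
+    desc: "Seal a Kubernetes secret (usage: task seal INPUT=secret.yaml OUTPUT=secret-sealed.yaml)"
+    requires:
+      vars: [INPUT, OUTPUT]
+    cmd: |
+      kubeseal \
+        --controller-namespace {{.SEALED_SECRETS_NS}} \
+        --controller-name {{.SEALED_SECRETS_NAME}} \
+        -f {{.INPUT}} \
+        -w {{.OUTPUT}}
+
+  bootstrap:
+    desc: Apply the ArgoCD root app-of-apps to the cluster
+    cmd: kubectl apply -f bootstrap/root-app-of-apps.yaml
+
+  diff:
+    desc: "Diff a manifest against the live cluster (usage: task diff FILE=path/to/manifest.yaml)"
+    requires:
+      vars: [FILE]
+    cmd: kubectl diff -f {{.FILE}}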
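Review bot: The `secrets` task scans only the working tree because of `--no-git`, so a credential that was committed and later removed stays undetected in git history even though this task is the repository's only leak check. Run the history scan as well, e.g. replace `cmd:` with `cmds:` holding `- gitleaks detect -v --redact` (git mode) followed by `- gitleaks detect --no-git -v --redact` for untracked files; the `--no-git` walk likely also enters ignored paths such as `.devenv`, so an `allowlist.paths` entry in the gitleaks config for that directory avoids noise. Separately, `bootstrap` and `diff` run `kubectl` against whatever context happens to be current; adding `requires: { vars: [KUBE_CONTEXT] }` and `kubectl --context {{.KUBE_CONTEXT}} apply -f bootstrap/root-app-of-apps.yaml` makes applying the root app-of-apps to the wrong cluster an explicit choice rather than a default. The remote `-schema-location` in `validate` points at `master` of a third-party repository, so what passes validation can change without any commit here; pinning a commit SHA in that URL keeps `task validate` reproducible.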
72
devenv.lock
72
devenv.lock
|
|
@ -3,10 +3,11 @@
|
|||
"devenv": {
|
||||
"locked": {
|
||||
"dir": "src/modules",
|
||||
"lastModified": 1750529628,
|
||||
"lastModified": 1782492839,
|
||||
"narHash": "sha256-j9wrcB4al5QhMelEghJ0Qs+RQPT+wyCcI4070NEgPLQ=",
|
||||
"owner": "cachix",
|
||||
"repo": "devenv",
|
||||
"rev": "cee0466541d357356b8c1ee0a61f3e0b94c7a54e",
|
||||
"rev": "3d39d0817d62069f7b18821c34a617b5141cb278",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -19,14 +20,15 @@
|
|||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1747046372,
|
||||
"owner": "edolstra",
|
||||
"lastModified": 1767039857,
|
||||
"narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
|
||||
"owner": "NixOS",
|
||||
"repo": "flake-compat",
|
||||
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
|
||||
"rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"owner": "NixOS",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
|
|
@ -35,15 +37,14 @@
|
|||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"gitignore": "gitignore",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1749636823,
|
||||
"lastModified": 1781733627,
|
||||
"narHash": "sha256-U3yTuGBnmXvXoQI3qkpfEDsn9RovQPAjN7ndRco+3u0=",
|
||||
"owner": "cachix",
|
||||
"repo": "git-hooks.nix",
|
||||
"rev": "623c56286de5a3193aa38891a6991b28f9bab056",
|
||||
"rev": "3bbec39bc90eadfa031e6f3b77272f3f60803e39",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -61,6 +62,7 @@
|
|||
},
|
||||
"locked": {
|
||||
"lastModified": 1709087332,
|
||||
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "gitignore.nix",
|
||||
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
|
||||
|
|
@ -74,10 +76,47 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1750441195,
|
||||
"lastModified": 1770073757,
|
||||
"narHash": "sha256-Vy+G+F+3E/Tl+GMNgiHl9Pah2DgShmIUBJXmbiQPHbI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "47472570b1e607482890801aeaf29bfb749884f6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-src": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1781607440,
|
||||
"narHash": "sha256-rxO+uc/KFbSJp+pgyXRuAX6QlG9hJdnt0BXpEQRXY+U=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "3e41b24abd260e8f71dbe2f5737d24122f972158",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"inputs": {
|
||||
"nixpkgs-src": "nixpkgs-src"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1782132010,
|
||||
"narHash": "sha256-ZnAVHdVrotp80iIMm5CSR1fdxPlw7Uwmwxb+O/wsgZ8=",
|
||||
"owner": "cachix",
|
||||
"repo": "devenv-nixpkgs",
|
||||
"rev": "0ceffe312871b443929ff3006960d29b120dc627",
|
||||
"rev": "12866ae2dddbc0ab8b329915f8072bb9c75bde89",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -91,13 +130,10 @@
|
|||
"inputs": {
|
||||
"devenv": "devenv",
|
||||
"git-hooks": "git-hooks",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"pre-commit-hooks": [
|
||||
"git-hooks"
|
||||
]
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
||||
}
|
||||
78
devenv.nix
78
devenv.nix
|
|
@ -20,6 +20,7 @@
|
|||
shellcheck
|
||||
gitleaks
|
||||
yamlfmt
|
||||
go-task
|
||||
];
|
||||
|
||||
# https://devenv.sh/languages/
|
||||
|
|
@ -54,43 +55,46 @@
|
|||
'';
|
||||
|
||||
# https://devenv.sh/pre-commit-hooks/
|
||||
# git-hooks.hooks = {
|
||||
# check-yaml.enable = true;
|
||||
# end-of-file-fixer.enable = true;
|
||||
# trim-trailing-whitespace.enable = true;
|
||||
# yamlfmt = {
|
||||
# enable = true;
|
||||
# entry = "yamlfmt";
|
||||
# args = ["-in-place"];
|
||||
# files = "\\.ya?ml$";
|
||||
# language = "system";
|
||||
# };
|
||||
# yamllint.enable = true;
|
||||
# shellcheck.enable = true;
|
||||
#
|
||||
# kubeconform = {
|
||||
# enable = true;
|
||||
# entry = "kubeconform";
|
||||
# args = [
|
||||
# "-strict"
|
||||
# "-summary"
|
||||
# "-ignore-missing-schemas"
|
||||
# "-schema-location"
|
||||
# "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json"
|
||||
# "-schema-location"
|
||||
# "default"
|
||||
# ];
|
||||
# files = "\\.ya?ml$";
|
||||
# };
|
||||
#
|
||||
# gitleaks = {
|
||||
# enable = true;
|
||||
# entry = "gitleaks detect --no-git -v --redact";
|
||||
# language = "system";
|
||||
# pass_filenames = false;
|
||||
# };
|
||||
# };
|
||||
# pre-commit.hooks.shellcheck.enable = true;
|
||||
git-hooks.hooks = {
|
||||
check-yaml.enable = true;
|
||||
end-of-file-fixer.enable = true;
|
||||
trim-trailing-whitespace.enable = true;
|
||||
|
||||
yamlfmt = {
|
||||
enable = true;
|
||||
entry = "yamlfmt";
|
||||
args = ["-in-place"];
|
||||
files = "\\.ya?ml$";
|
||||
language = "system";
|
||||
};
|
||||
|
||||
yamllint.enable = true;
|
||||
shellcheck.enable = true;
|
||||
|
||||
kubeconform = {
|
||||
enable = true;
|
||||
entry = "kubeconform";
|
||||
args = [
|
||||
"-strict"
|
||||
"-summary"
|
||||
"-ignore-missing-schemas"
|
||||
"-schema-location"
|
||||
"https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json"
|
||||
"-schema-location"
|
||||
"default"
|
||||
];
|
||||
files = "\\.ya?ml$";
|
||||
language = "system";
|
||||
pass_filenames = true;
|
||||
};
|
||||
|
||||
gitleaks = {
|
||||
enable = true;
|
||||
entry = "gitleaks detect --no-git -v --redact";
|
||||
language = "system";
|
||||
pass_filenames = false;
|
||||
};
|
||||
};
|
||||
|
||||
# See full reference at https://devenv.sh/reference/options/
|
||||
}
|
||||
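Review bot: The new `kubeconform` hook receives every staged file matching `\\.ya?ml$` because `pass_filenames = true`, which includes non-manifest YAML such as `Taskfile.yaml`, `devenv.yaml` and any yamllint/yamlfmt config; as far as I recall kubeconform reports a document without `kind`/`apiVersion` as a parse error rather than skipping it, so the hook would block every commit touching those files. Narrowing the match, e.g. `files = "^(apps|bootstrap)/.*\\.ya?ml$";` (adjusted to where the manifests actually live), or adding an `excludes = [ "^Taskfile\\.yaml$" "^devenv\\.yaml$" ];` list keeps the check on Kubernetes manifests only. The `-schema-location` URL tracks `master` of yannh/kubernetes-json-schema, so the hook's verdict can change without any change in this repository; pinning a commit SHA in that URL makes it reproducible. The enclosing devenv module begins before this hunk.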
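--- /dev/null
+++ b/devenv.yaml
@@ -0,0 +1,3 @@
+inputs:
+  git-hooks:
+    url: github:cachix/git-hooks.nix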