From 185a4a7efbc7381c0c9c9a43eda2d2fa912b8fd9 Mon Sep 17 00:00:00 2001
From: gwg313
Date: Fri, 26 Jun 2026 20:50:44 -0400
Subject: [PATCH] update devenv
Signed-off-by: gwg313
---
 .gitignore | 1 +
 Taskfile.yaml | 73 +++++++++++++++++++++++++++++++++++++++++++++++
 devenv.lock | 72 +++++++++++++++++++++++++++++++++++------------
 devenv.nix | 78 +++++++++++++++++++++++++++------------------------
 devenv.yaml | 3 ++
 5 files changed, 172 insertions(+), 55 deletions(-)
 create mode 100644 Taskfile.yaml
 create mode 100644 devenv.yaml
diff --git a/.gitignore b/.gitignore
index b3f740d..6f5223f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .devenv
 apps/**/protonvpn-wg-secret.yaml
 apps/**/*-secret.yaml
+apps/**/*-secrets.yaml
diff --git a/Taskfile.yaml b/Taskfile.yaml
new file mode 100644
index 0000000..1936abb
--- /dev/null
+++ b/Taskfile.yaml
@@ -0,0 +1,73 @@
+version: '3'
+
+vars:
+ SEALED_SECRETS_NS: sealed-secrets
+ SEALED_SECRETS_NAME: sealed-secrets
+
+tasks:
+ default:
+ desc: Run all checks (lint, validate, secrets scan)
+ cmds:
+ - task: lint
+ - task: validate
+ - task: secrets
+
+ lint:
+ desc: Lint YAML files and shell scripts
+ cmds:
+ - task: lint:yaml
+ - task: lint:shell
+
+ lint:yaml:
+ desc: Lint YAML files with yamllint
+ cmd: yamllint .
+
+ lint:shell:
+ desc: Lint shell scripts with shellcheck
+ cmd: |
+ files=$(git ls-files '*.sh')
+ if [ -z "$files" ]; then
+ echo "No shell scripts to check."
+ else
+ echo "$files" | xargs shellcheck
+ fi
+
+ fmt:
+ desc: Format all YAML files in-place with yamlfmt
+ cmd: yamlfmt .
+
+ validate:
+ desc: Validate Kubernetes manifests with kubeconform
+ cmd: |
+ git ls-files '*.yaml' '*.yml' | xargs kubeconform \
+ -strict \
+ -summary \
+ -ignore-missing-schemas \
+ -schema-location '{{`{{.ResourceKind}}`}}-{{`{{.ResourceAPIVersion}}`}}.json' \
+ -schema-location 'https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{`{{.ResourceKind}}`}}-{{`{{.ResourceAPIVersion}}`}}.json' \
+ -schema-location default
+
+ secrets:
+ desc: Scan for leaked secrets with gitleaks
+ cmd: gitleaks detect --no-git -v --redact
+
+ seal:
+ desc: "Seal a Kubernetes secret (usage: task seal INPUT=secret.yaml OUTPUT=secret-sealed.yaml)"
+ requires:
+ vars: [INPUT, OUTPUT]
+ cmd: |
+ kubeseal \
+ --controller-namespace {{.SEALED_SECRETS_NS}} \
+ --controller-name {{.SEALED_SECRETS_NAME}} \
+ -f {{.INPUT}} \
+ -w {{.OUTPUT}}
+
+ bootstrap:
+ desc: Apply the ArgoCD root app-of-apps to the cluster
+ cmd: kubectl apply -f bootstrap/root-app-of-apps.yaml
+
+ diff:
+ desc: "Diff a manifest against the live cluster (usage: task diff FILE=path/to/manifest.yaml)"
+ requires:
+ vars: [FILE]
+ cmd: kubectl diff -f {{.FILE}}
diff --git a/devenv.lock b/devenv.lock
index 43b0105..b0930f3 100644
--- a/devenv.lock
+++ b/devenv.lock
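Review bot: The `validate` task feeds every tracked YAML file to kubeconform, including Taskfile.yaml, devenv.yaml and the lint configs, while `-ignore-missing-schemas` turns any kind that has no schema at the three listed locations (CRD-backed resources in particular) into a skip rather than a failure, so the task can report success for manifests it never actually checked. Scoping the file list to the manifest trees, e.g. `git ls-files -z 'apps/**/*.yaml' 'bootstrap/**/*.yaml' | xargs -0 kubeconform \`, and adding a schema location that covers the CRDs in use would make the result meaningful; `-z`/`-0` also keeps paths with spaces intact. Separately, the `secrets` task runs `gitleaks detect --no-git`, which scans only the current working tree, so a secret committed earlier and since deleted stays undetected in history; running `gitleaks detect --redact` in git mode as well (locally or in CI) closes that gap.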
@@ -3,10 +3,11 @@
 "devenv": {
 "locked": {
 "dir": "src/modules",
- "lastModified": 1750529628,
+ "lastModified": 1782492839,
+ "narHash": "sha256-j9wrcB4al5QhMelEghJ0Qs+RQPT+wyCcI4070NEgPLQ=",
 "owner": "cachix",
 "repo": "devenv",
- "rev": "cee0466541d357356b8c1ee0a61f3e0b94c7a54e",
+ "rev": "3d39d0817d62069f7b18821c34a617b5141cb278",
 "type": "github"
 },
 "original": {
@@ -19,14 +20,15 @@
 "flake-compat": {
 "flake": false,
 "locked": {
- "lastModified": 1747046372,
- "owner": "edolstra",
+ "lastModified": 1767039857,
+ "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+ "owner": "NixOS",
 "repo": "flake-compat",
- "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+ "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
 "type": "github"
 },
 "original": {
- "owner": "edolstra",
+ "owner": "NixOS",
 "repo": "flake-compat",
 "type": "github"
 }
@@ -35,15 +37,14 @@
 "inputs": {
 "flake-compat": "flake-compat",
 "gitignore": "gitignore",
- "nixpkgs": [
- "nixpkgs"
- ]
+ "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1749636823,
+ "lastModified": 1781733627,
+ "narHash": "sha256-U3yTuGBnmXvXoQI3qkpfEDsn9RovQPAjN7ndRco+3u0=",
 "owner": "cachix",
 "repo": "git-hooks.nix",
- "rev": "623c56286de5a3193aa38891a6991b28f9bab056",
+ "rev": "3bbec39bc90eadfa031e6f3b77272f3f60803e39",
 "type": "github"
 },
 "original": {
@@ -61,6 +62,7 @@
 },
 "locked": {
 "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
 "owner": "hercules-ci",
 "repo": "gitignore.nix",
 "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
@@ -74,10 +76,47 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1750441195,
+ "lastModified": 1770073757,
+ "narHash": "sha256-Vy+G+F+3E/Tl+GMNgiHl9Pah2DgShmIUBJXmbiQPHbI=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "47472570b1e607482890801aeaf29bfb749884f6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-src": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1781607440,
+ "narHash": "sha256-rxO+uc/KFbSJp+pgyXRuAX6QlG9hJdnt0BXpEQRXY+U=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "3e41b24abd260e8f71dbe2f5737d24122f972158",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "inputs": {
+ "nixpkgs-src": "nixpkgs-src"
+ },
+ "locked": {
+ "lastModified": 1782132010,
+ "narHash": "sha256-ZnAVHdVrotp80iIMm5CSR1fdxPlw7Uwmwxb+O/wsgZ8=",
 "owner": "cachix",
 "repo": "devenv-nixpkgs",
- "rev": "0ceffe312871b443929ff3006960d29b120dc627",
+ "rev": "12866ae2dddbc0ab8b329915f8072bb9c75bde89",
 "type": "github"
 },
 "original": {
@@ -91,13 +130,10 @@
 "inputs": {
 "devenv": "devenv",
 "git-hooks": "git-hooks",
- "nixpkgs": "nixpkgs",
- "pre-commit-hooks": [
- "git-hooks"
- ]
+ "nixpkgs": "nixpkgs_2"
 }
 }
 },
 "root": "root",
 "version": 7
-}
+}
\ No newline at end of file
diff --git a/devenv.nix b/devenv.nix
index bcd2d5d..2ddbe97 100644
--- a/devenv.nix
+++ b/devenv.nix
@@ -20,6 +20,7 @@
 shellcheck
 gitleaks
 yamlfmt
+ go-task
 ];
 # https://devenv.sh/languages/
@@ -54,43 +55,46 @@
 '';
 # https://devenv.sh/pre-commit-hooks/
- # git-hooks.hooks = {
- # check-yaml.enable = true;
- # end-of-file-fixer.enable = true;
- # trim-trailing-whitespace.enable = true;
- # yamlfmt = {
- # enable = true;
- # entry = "yamlfmt";
- # args = ["-in-place"];
- # files = "\\.ya?ml$";
- # language = "system";
- # };
- # yamllint.enable = true;
- # shellcheck.enable = true;
- #
- # kubeconform = {
- # enable = true;
- # entry = "kubeconform";
- # args = [
- # "-strict"
- # "-summary"
- # "-ignore-missing-schemas"
- # "-schema-location"
- # "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json"
- # "-schema-location"
- # "default"
- # ];
- # files = "\\.ya?ml$";
- # };
- #
- # gitleaks = {
- # enable = true;
- # entry = "gitleaks detect --no-git -v --redact";
- # language = "system";
- # pass_filenames = false;
- # };
- # };
- # pre-commit.hooks.shellcheck.enable = true;
+ git-hooks.hooks = {
+ check-yaml.enable = true;
+ end-of-file-fixer.enable = true;
+ trim-trailing-whitespace.enable = true;
+
+ yamlfmt = {
+ enable = true;
+ entry = "yamlfmt";
+ args = ["-in-place"];
+ files = "\\.ya?ml$";
+ language = "system";
+ };
+
+ yamllint.enable = true;
+ shellcheck.enable = true;
+
+ kubeconform = {
+ enable = true;
+ entry = "kubeconform";
+ args = [
+ "-strict"
+ "-summary"
+ "-ignore-missing-schemas"
+ "-schema-location"
+ "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json"
+ "-schema-location"
+ "default"
+ ];
+ files = "\\.ya?ml$";
+ language = "system";
+ pass_filenames = true;
+ };
+
+ gitleaks = {
+ enable = true;
+ entry = "gitleaks detect --no-git -v --redact";
+ language = "system";
+ pass_filenames = false;
+ };
+ };
 # See full reference at https://devenv.sh/reference/options/
 }
diff --git a/devenv.yaml b/devenv.yaml
new file mode 100644
index 0000000..bdeb507
--- /dev/null
+++ b/devenv.yaml
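Review bot: The gitleaks hook runs `gitleaks detect --no-git` with `pass_filenames = false`, so on every commit it scans the whole working tree rather than the staged changes; as far as I can tell that walk does not honour .gitignore, so the plaintext `*-secret.yaml` files that .gitignore keeps out of the repo (the `seal` task's inputs) will trip the hook while they sit on disk, and the usual reaction to that is `--no-verify`, which disables the check entirely. For the pre-commit hook, `entry = "gitleaks protect --staged --redact";` limits the scan to what is actually about to be committed; the tree-wide `detect` remains useful as the Taskfile/CI run. The kubeconform hook has a related scope problem: `files = "\\.ya?ml$"` matches Taskfile.yaml, devenv.yaml and the lint configs, which are not manifests, and with `-ignore-missing-schemas` those (and any CRD-backed kind with no schema at the listed locations) pass silently, so narrowing `files` to the manifest directories would make the hook's result meaningful. The enclosing devenv module starts above the hunk.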
@@ -0,0 +1,3 @@
+inputs:
+ git-hooks:
+ url: github:cachix/git-hooks.nix
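Review bot: Declaring `git-hooks` here without a `follows` for its `nixpkgs` input appears to be what makes devenv.lock now record git-hooks with its own `"nixpkgs": "nixpkgs"` entry (a separate NixOS/nixpkgs unstable pin) instead of the previous `["nixpkgs"]` reference to the root input, so the hook tools and the `packages` list are built from two different nixpkgs revisions, doubling what has to be fetched and letting the hook's shellcheck/yamllint/gitleaks drift from the versions the shell provides. Nesting `inputs:` / `nixpkgs:` / `follows: nixpkgs` under the `git-hooks` input keeps a single pinned nixpkgs; the lockfile already pins the git-hooks revision and narHash, so that part of the supply chain is fine as is.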