update devenv

Signed-off-by: gwg313 <gwg313@pm.me>
gwg313 2026-06-26 20:50:44 -04:00
parent d16fa1c3e3
commit 185a4a7efb
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
5 changed files with 172 additions and 55 deletions

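--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .devenv
 apps/**/protonvpn-wg-secret.yaml
 apps/**/*-secret.yaml
+apps/**/*-secrets.yaml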

Taskfile.yaml Normal file

@ -0,0 +1,73 @@
version: '3'
vars:
SEALED_SECRETS_NS: sealed-secrets
SEALED_SECRETS_NAME: sealed-secrets
tasks:
default:
desc: Run all checks (lint, validate, secrets scan)
cmds:
- task: lint
- task: validate
- task: secrets
lint:
desc: Lint YAML files and shell scripts
cmds:
- task: lint:yaml
- task: lint:shell
lint:yaml:
desc: Lint YAML files with yamllint
cmd: yamllint .
lint:shell:
desc: Lint shell scripts with shellcheck
cmd: |
files=$(git ls-files '*.sh')
if [ -z "$files" ]; then
echo "No shell scripts to check."
else
echo "$files" | xargs shellcheck
fi
fmt:
desc: Format all YAML files in-place with yamlfmt
cmd: yamlfmt .
validate:
desc: Validate Kubernetes manifests with kubeconform
cmd: |
git ls-files '*.yaml' '*.yml' | xargs kubeconform \
-strict \
-summary \
-ignore-missing-schemas \
-schema-location '{{`{{.ResourceKind}}`}}-{{`{{.ResourceAPIVersion}}`}}.json' \
-schema-location 'https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{`{{.ResourceKind}}`}}-{{`{{.ResourceAPIVersion}}`}}.json' \
-schema-location default
secrets:
desc: Scan for leaked secrets with gitleaks
cmd: gitleaks detect --no-git -v --redact
seal:
desc: "Seal a Kubernetes secret (usage: task seal INPUT=secret.yaml OUTPUT=secret-sealed.yaml)"
requires:
vars: [INPUT, OUTPUT]
cmd: |
kubeseal \
--controller-namespace {{.SEALED_SECRETS_NS}} \
--controller-name {{.SEALED_SECRETS_NAME}} \
-f {{.INPUT}} \
-w {{.OUTPUT}}
bootstrap:
desc: Apply the ArgoCD root app-of-apps to the cluster
cmd: kubectl apply -f bootstrap/root-app-of-apps.yaml
diff:
desc: "Diff a manifest against the live cluster (usage: task diff FILE=path/to/manifest.yaml)"
requires:
vars: [FILE]
cmd: kubectl diff -f {{.FILE}}
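Review bot: The `secrets` task runs `gitleaks detect --no-git -v --redact`, which scans the working tree as a plain directory and, as far as I can tell, does not honour `.gitignore`; the plaintext `*-secret.yaml` / `*-secrets.yaml` files that the `.gitignore` hunk deliberately keeps out of git (and that `task seal` needs on disk as INPUT) would therefore be reported and the default task would fail even though nothing is being committed. Scanning what is actually staged, `gitleaks protect --staged --redact`, or `gitleaks detect --redact` over git history, matches the intent of the ignore rules better; the gitleaks hook in devenv.nix uses the same `--no-git` invocation with `pass_filenames = false` and is affected in the same way. Separately, `validate` pipes every tracked `*.yaml`/`*.yml` into kubeconform, which now includes Taskfile.yaml and devenv.yaml that are not Kubernetes manifests and, if kubeconform rejects documents lacking `kind` as I believe it does, will produce spurious failures; restricting the glob to the manifest trees, e.g. `git ls-files 'apps/**/*.yaml' 'bootstrap/**/*.yaml' | xargs -r kubeconform \`, avoids that and also handles an empty file list.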


@ -3,10 +3,11 @@
"devenv": { "devenv": {
"locked": { "locked": {
"dir": "src/modules", "dir": "src/modules",
"lastModified": 1750529628, "lastModified": 1782492839,
"narHash": "sha256-j9wrcB4al5QhMelEghJ0Qs+RQPT+wyCcI4070NEgPLQ=",
"owner": "cachix", "owner": "cachix",
"repo": "devenv", "repo": "devenv",
"rev": "cee0466541d357356b8c1ee0a61f3e0b94c7a54e", "rev": "3d39d0817d62069f7b18821c34a617b5141cb278",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -19,14 +20,15 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1747046372, "lastModified": 1767039857,
"owner": "edolstra", "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
"owner": "NixOS",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "edolstra", "owner": "NixOS",
"repo": "flake-compat", "repo": "flake-compat",
"type": "github" "type": "github"
} }
@ -35,15 +37,14 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"gitignore": "gitignore", "gitignore": "gitignore",
"nixpkgs": [ "nixpkgs": "nixpkgs"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1749636823, "lastModified": 1781733627,
"narHash": "sha256-U3yTuGBnmXvXoQI3qkpfEDsn9RovQPAjN7ndRco+3u0=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "623c56286de5a3193aa38891a6991b28f9bab056", "rev": "3bbec39bc90eadfa031e6f3b77272f3f60803e39",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -61,6 +62,7 @@
}, },
"locked": { "locked": {
"lastModified": 1709087332, "lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "gitignore.nix", "repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394", "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
@ -74,10 +76,47 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1750441195, "lastModified": 1770073757,
"narHash": "sha256-Vy+G+F+3E/Tl+GMNgiHl9Pah2DgShmIUBJXmbiQPHbI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "47472570b1e607482890801aeaf29bfb749884f6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-src": {
"flake": false,
"locked": {
"lastModified": 1781607440,
"narHash": "sha256-rxO+uc/KFbSJp+pgyXRuAX6QlG9hJdnt0BXpEQRXY+U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3e41b24abd260e8f71dbe2f5737d24122f972158",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"inputs": {
"nixpkgs-src": "nixpkgs-src"
},
"locked": {
"lastModified": 1782132010,
"narHash": "sha256-ZnAVHdVrotp80iIMm5CSR1fdxPlw7Uwmwxb+O/wsgZ8=",
"owner": "cachix", "owner": "cachix",
"repo": "devenv-nixpkgs", "repo": "devenv-nixpkgs",
"rev": "0ceffe312871b443929ff3006960d29b120dc627", "rev": "12866ae2dddbc0ab8b329915f8072bb9c75bde89",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -91,13 +130,10 @@
"inputs": { "inputs": {
"devenv": "devenv", "devenv": "devenv",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2"
"pre-commit-hooks": [
"git-hooks"
]
} }
} }
}, },
"root": "root", "root": "root",
"version": 7 "version": 7
} }


@ -20,6 +20,7 @@
shellcheck shellcheck
gitleaks gitleaks
yamlfmt yamlfmt
go-task
]; ];
# https://devenv.sh/languages/ # https://devenv.sh/languages/
@ -54,43 +55,46 @@
''; '';
# https://devenv.sh/pre-commit-hooks/ # https://devenv.sh/pre-commit-hooks/
# git-hooks.hooks = { git-hooks.hooks = {
# check-yaml.enable = true; check-yaml.enable = true;
# end-of-file-fixer.enable = true; end-of-file-fixer.enable = true;
# trim-trailing-whitespace.enable = true; trim-trailing-whitespace.enable = true;
# yamlfmt = {
# enable = true; yamlfmt = {
# entry = "yamlfmt"; enable = true;
# args = ["-in-place"]; entry = "yamlfmt";
# files = "\\.ya?ml$"; args = ["-in-place"];
# language = "system"; files = "\\.ya?ml$";
# }; language = "system";
# yamllint.enable = true; };
# shellcheck.enable = true;
# yamllint.enable = true;
# kubeconform = { shellcheck.enable = true;
# enable = true;
# entry = "kubeconform"; kubeconform = {
# args = [ enable = true;
# "-strict" entry = "kubeconform";
# "-summary" args = [
# "-ignore-missing-schemas" "-strict"
# "-schema-location" "-summary"
# "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json" "-ignore-missing-schemas"
# "-schema-location" "-schema-location"
# "default" "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json"
# ]; "-schema-location"
# files = "\\.ya?ml$"; "default"
# }; ];
# files = "\\.ya?ml$";
# gitleaks = { language = "system";
# enable = true; pass_filenames = true;
# entry = "gitleaks detect --no-git -v --redact"; };
# language = "system";
# pass_filenames = false; gitleaks = {
# }; enable = true;
# }; entry = "gitleaks detect --no-git -v --redact";
# pre-commit.hooks.shellcheck.enable = true; language = "system";
pass_filenames = false;
};
};
# See full reference at https://devenv.sh/reference/options/ # See full reference at https://devenv.sh/reference/options/
} }
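Review bot: The kubeconform hook's `args` list only the remote schema location and `default`, whereas the Taskfile's `validate` task passes a local `-schema-location '{{.ResourceKind}}-{{.ResourceAPIVersion}}.json'` first; since both set `-ignore-missing-schemas`, a CRD whose schema exists only locally is checked by `task validate` but silently skipped by the pre-commit hook, so the two validation paths are not equivalent. Adding `"-schema-location" "{{.ResourceKind}}-{{.ResourceAPIVersion}}.json"` ahead of the URL entry in `args` keeps the hook in step with the task. The hook also matches `files = "\\.ya?ml$"` with `pass_filenames = true`, so Taskfile.yaml and devenv.yaml are handed to kubeconform as well, which is the same non-manifest problem as in the Taskfile. The enclosing devenv.nix attribute set starts before the first hunk.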

devenv.yaml Normal file

@ -0,0 +1,3 @@
inputs:
git-hooks:
url: github:cachix/git-hooks.nix
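Review bot: The new `git-hooks` input declares no `nixpkgs` follows, and the devenv.lock hunks show the consequence: git-hooks' `nixpkgs` input changed from the alias `["nixpkgs"]` to its own `NixOS/nixpkgs` node on `nixpkgs-unstable`, separate from the `cachix/devenv-nixpkgs` node (`nixpkgs_2`) the root now uses, so two nixpkgs trees are fetched, evaluated and have to be kept updated. If that is not intended, adding `inputs:` / `nixpkgs:` / `follows: nixpkgs` nested under `git-hooks` in devenv.yaml restores the single pin; if it is intended, a one-line comment saying why git-hooks needs its own nixpkgs would save the next reader the lock-file archaeology.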