update devenv
Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
d16fa1c3e3
commit
185a4a7efb
5 changed files with 172 additions and 55 deletions
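--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .devenv
 apps/**/protonvpn-wg-secret.yaml
 apps/**/*-secret.yaml
+apps/**/*-secrets.yaml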
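Review bot: The added `apps/**/*-secrets.yaml` pattern, like the two above it, only covers files under `apps/`, while the `task seal` usage string in the Taskfile added by this same commit names its plaintext input `secret.yaml` with no such prefix, so a secret created where that example suggests would not be ignored. Ignore patterns also only stop untracked files from being staged by accident; they do nothing for `git add -f` or for a file that is already tracked, so the gitleaks hook rather than this file is the real control. Consider widening to `**/*-secret.yaml` and `**/*-secrets.yaml` and stating the convention above them: `# plaintext Secret manifests: never commit; seal with 'task seal' and commit only the sealed output`.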
73
Taskfile.yaml
Normal file
73
Taskfile.yaml
Normal file
|
|
@ -0,0 +1,73 @@
|
||||||
|
version: '3'
|
||||||
|
|
||||||
|
vars:
|
||||||
|
SEALED_SECRETS_NS: sealed-secrets
|
||||||
|
SEALED_SECRETS_NAME: sealed-secrets
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
default:
|
||||||
|
desc: Run all checks (lint, validate, secrets scan)
|
||||||
|
cmds:
|
||||||
|
- task: lint
|
||||||
|
- task: validate
|
||||||
|
- task: secrets
|
||||||
|
|
||||||
|
lint:
|
||||||
|
desc: Lint YAML files and shell scripts
|
||||||
|
cmds:
|
||||||
|
- task: lint:yaml
|
||||||
|
- task: lint:shell
|
||||||
|
|
||||||
|
lint:yaml:
|
||||||
|
desc: Lint YAML files with yamllint
|
||||||
|
cmd: yamllint .
|
||||||
|
|
||||||
|
lint:shell:
|
||||||
|
desc: Lint shell scripts with shellcheck
|
||||||
|
cmd: |
|
||||||
|
files=$(git ls-files '*.sh')
|
||||||
|
if [ -z "$files" ]; then
|
||||||
|
echo "No shell scripts to check."
|
||||||
|
else
|
||||||
|
echo "$files" | xargs shellcheck
|
||||||
|
fi
|
||||||
|
|
||||||
|
fmt:
|
||||||
|
desc: Format all YAML files in-place with yamlfmt
|
||||||
|
cmd: yamlfmt .
|
||||||
|
|
||||||
|
validate:
|
||||||
|
desc: Validate Kubernetes manifests with kubeconform
|
||||||
|
cmd: |
|
||||||
|
git ls-files '*.yaml' '*.yml' | xargs kubeconform \
|
||||||
|
-strict \
|
||||||
|
-summary \
|
||||||
|
-ignore-missing-schemas \
|
||||||
|
-schema-location '{{`{{.ResourceKind}}`}}-{{`{{.ResourceAPIVersion}}`}}.json' \
|
||||||
|
-schema-location 'https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{`{{.ResourceKind}}`}}-{{`{{.ResourceAPIVersion}}`}}.json' \
|
||||||
|
-schema-location default
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
desc: Scan for leaked secrets with gitleaks
|
||||||
|
cmd: gitleaks detect --no-git -v --redact
|
||||||
|
|
||||||
|
seal:
|
||||||
|
desc: "Seal a Kubernetes secret (usage: task seal INPUT=secret.yaml OUTPUT=secret-sealed.yaml)"
|
||||||
|
requires:
|
||||||
|
vars: [INPUT, OUTPUT]
|
||||||
|
cmd: |
|
||||||
|
kubeseal \
|
||||||
|
--controller-namespace {{.SEALED_SECRETS_NS}} \
|
||||||
|
--controller-name {{.SEALED_SECRETS_NAME}} \
|
||||||
|
-f {{.INPUT}} \
|
||||||
|
-w {{.OUTPUT}}
|
||||||
|
|
||||||
|
bootstrap:
|
||||||
|
desc: Apply the ArgoCD root app-of-apps to the cluster
|
||||||
|
cmd: kubectl apply -f bootstrap/root-app-of-apps.yaml
|
||||||
|
|
||||||
|
diff:
|
||||||
|
desc: "Diff a manifest against the live cluster (usage: task diff FILE=path/to/manifest.yaml)"
|
||||||
|
requires:
|
||||||
|
vars: [FILE]
|
||||||
|
cmd: kubectl diff -f {{.FILE}}
|
||||||
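Review bot: The `validate` task combines `-ignore-missing-schemas` with a schema URL on the mutable `master` branch of yannh/kubernetes-json-schema, so any kind without a schema there — presumably including the SealedSecret and ArgoCD Application resources this repo seals and bootstraps — is silently reported valid, and what gets validated can change with every upstream push. Pin the URL to a commit, e.g. `-schema-location 'https://raw.githubusercontent.com/yannh/kubernetes-json-schema/<commit-sha>/{{`{{.ResourceKind}}`}}-{{`{{.ResourceAPIVersion}}`}}.json'`, and either add a schema location for the CRDs in use or replace `-ignore-missing-schemas` with an explicit `-skip` list so an unexpected kind fails loudly. Note also that `git ls-files '*.yaml' '*.yml'` hands non-manifest files such as this Taskfile and devenv.yaml to kubeconform, which I believe reports documents lacking `kind` as errors, so the glob is worth narrowing to the manifest directories. Separately, `gitleaks detect --no-git` in the `secrets` task scans only the working tree, so the "leaked secrets" it reports never include anything already committed to history; a git-mode `gitleaks detect` run in CI would close that gap.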
72
devenv.lock
72
devenv.lock
|
|
@ -3,10 +3,11 @@
|
||||||
"devenv": {
|
"devenv": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"dir": "src/modules",
|
"dir": "src/modules",
|
||||||
"lastModified": 1750529628,
|
"lastModified": 1782492839,
|
||||||
|
"narHash": "sha256-j9wrcB4al5QhMelEghJ0Qs+RQPT+wyCcI4070NEgPLQ=",
|
||||||
"owner": "cachix",
|
"owner": "cachix",
|
||||||
"repo": "devenv",
|
"repo": "devenv",
|
||||||
"rev": "cee0466541d357356b8c1ee0a61f3e0b94c7a54e",
|
"rev": "3d39d0817d62069f7b18821c34a617b5141cb278",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
@ -19,14 +20,15 @@
|
||||||
"flake-compat": {
|
"flake-compat": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1747046372,
|
"lastModified": 1767039857,
|
||||||
"owner": "edolstra",
|
"narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
|
||||||
|
"owner": "NixOS",
|
||||||
"repo": "flake-compat",
|
"repo": "flake-compat",
|
||||||
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
|
"rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "edolstra",
|
"owner": "NixOS",
|
||||||
"repo": "flake-compat",
|
"repo": "flake-compat",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
|
@ -35,15 +37,14 @@
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat",
|
"flake-compat": "flake-compat",
|
||||||
"gitignore": "gitignore",
|
"gitignore": "gitignore",
|
||||||
"nixpkgs": [
|
"nixpkgs": "nixpkgs"
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1749636823,
|
"lastModified": 1781733627,
|
||||||
|
"narHash": "sha256-U3yTuGBnmXvXoQI3qkpfEDsn9RovQPAjN7ndRco+3u0=",
|
||||||
"owner": "cachix",
|
"owner": "cachix",
|
||||||
"repo": "git-hooks.nix",
|
"repo": "git-hooks.nix",
|
||||||
"rev": "623c56286de5a3193aa38891a6991b28f9bab056",
|
"rev": "3bbec39bc90eadfa031e6f3b77272f3f60803e39",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
@ -61,6 +62,7 @@
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1709087332,
|
"lastModified": 1709087332,
|
||||||
|
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
|
||||||
"owner": "hercules-ci",
|
"owner": "hercules-ci",
|
||||||
"repo": "gitignore.nix",
|
"repo": "gitignore.nix",
|
||||||
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
|
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
|
||||||
|
|
@ -74,10 +76,47 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1750441195,
|
"lastModified": 1770073757,
|
||||||
|
"narHash": "sha256-Vy+G+F+3E/Tl+GMNgiHl9Pah2DgShmIUBJXmbiQPHbI=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "47472570b1e607482890801aeaf29bfb749884f6",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "nixpkgs-unstable",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs-src": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1781607440,
|
||||||
|
"narHash": "sha256-rxO+uc/KFbSJp+pgyXRuAX6QlG9hJdnt0BXpEQRXY+U=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "3e41b24abd260e8f71dbe2f5737d24122f972158",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "nixpkgs-unstable",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_2": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs-src": "nixpkgs-src"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1782132010,
|
||||||
|
"narHash": "sha256-ZnAVHdVrotp80iIMm5CSR1fdxPlw7Uwmwxb+O/wsgZ8=",
|
||||||
"owner": "cachix",
|
"owner": "cachix",
|
||||||
"repo": "devenv-nixpkgs",
|
"repo": "devenv-nixpkgs",
|
||||||
"rev": "0ceffe312871b443929ff3006960d29b120dc627",
|
"rev": "12866ae2dddbc0ab8b329915f8072bb9c75bde89",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
@ -91,13 +130,10 @@
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"devenv": "devenv",
|
"devenv": "devenv",
|
||||||
"git-hooks": "git-hooks",
|
"git-hooks": "git-hooks",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs_2"
|
||||||
"pre-commit-hooks": [
|
|
||||||
"git-hooks"
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"root": "root",
|
"root": "root",
|
||||||
"version": 7
|
"version": 7
|
||||||
}
|
}
|
||||||
78
devenv.nix
78
devenv.nix
|
|
@ -20,6 +20,7 @@
|
||||||
shellcheck
|
shellcheck
|
||||||
gitleaks
|
gitleaks
|
||||||
yamlfmt
|
yamlfmt
|
||||||
|
go-task
|
||||||
];
|
];
|
||||||
|
|
||||||
# https://devenv.sh/languages/
|
# https://devenv.sh/languages/
|
||||||
|
|
@ -54,43 +55,46 @@
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# https://devenv.sh/pre-commit-hooks/
|
# https://devenv.sh/pre-commit-hooks/
|
||||||
# git-hooks.hooks = {
|
git-hooks.hooks = {
|
||||||
# check-yaml.enable = true;
|
check-yaml.enable = true;
|
||||||
# end-of-file-fixer.enable = true;
|
end-of-file-fixer.enable = true;
|
||||||
# trim-trailing-whitespace.enable = true;
|
trim-trailing-whitespace.enable = true;
|
||||||
# yamlfmt = {
|
|
||||||
# enable = true;
|
yamlfmt = {
|
||||||
# entry = "yamlfmt";
|
enable = true;
|
||||||
# args = ["-in-place"];
|
entry = "yamlfmt";
|
||||||
# files = "\\.ya?ml$";
|
args = ["-in-place"];
|
||||||
# language = "system";
|
files = "\\.ya?ml$";
|
||||||
# };
|
language = "system";
|
||||||
# yamllint.enable = true;
|
};
|
||||||
# shellcheck.enable = true;
|
|
||||||
#
|
yamllint.enable = true;
|
||||||
# kubeconform = {
|
shellcheck.enable = true;
|
||||||
# enable = true;
|
|
||||||
# entry = "kubeconform";
|
kubeconform = {
|
||||||
# args = [
|
enable = true;
|
||||||
# "-strict"
|
entry = "kubeconform";
|
||||||
# "-summary"
|
args = [
|
||||||
# "-ignore-missing-schemas"
|
"-strict"
|
||||||
# "-schema-location"
|
"-summary"
|
||||||
# "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json"
|
"-ignore-missing-schemas"
|
||||||
# "-schema-location"
|
"-schema-location"
|
||||||
# "default"
|
"https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json"
|
||||||
# ];
|
"-schema-location"
|
||||||
# files = "\\.ya?ml$";
|
"default"
|
||||||
# };
|
];
|
||||||
#
|
files = "\\.ya?ml$";
|
||||||
# gitleaks = {
|
language = "system";
|
||||||
# enable = true;
|
pass_filenames = true;
|
||||||
# entry = "gitleaks detect --no-git -v --redact";
|
};
|
||||||
# language = "system";
|
|
||||||
# pass_filenames = false;
|
gitleaks = {
|
||||||
# };
|
enable = true;
|
||||||
# };
|
entry = "gitleaks detect --no-git -v --redact";
|
||||||
# pre-commit.hooks.shellcheck.enable = true;
|
language = "system";
|
||||||
|
pass_filenames = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# See full reference at https://devenv.sh/reference/options/
|
# See full reference at https://devenv.sh/reference/options/
|
||||||
}
|
}
|
||||||
|
|
|
||||||
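Review bot: The new `gitleaks` hook (`entry = "gitleaks detect --no-git -v --redact"` with `pass_filenames = false`) scans the whole working tree on every commit rather than what is being committed, and I believe `--no-git` mode does not honour .gitignore, so the plaintext `apps/**/*-secret.yaml` inputs that the sealing workflow keeps locally will presumably trip it on unrelated commits — the kind of noise that gets a hook disabled. For a pre-commit hook use gitleaks' staged mode instead, `entry = "gitleaks protect --staged --redact";` (newer releases spell it `gitleaks git --pre-commit --staged --redact`; check the version nixpkgs pins), keeping `pass_filenames = false`. The `kubeconform` hook has the same weakness as the Taskfile's `validate` task: `-ignore-missing-schemas` lets kinds without an upstream schema pass silently, the `master` URL is unpinned, and `files = "\\.ya?ml$"` with `pass_filenames = true` will also hand non-manifest files like Taskfile.yaml to kubeconform. The `git-hooks.hooks` attribute set opens and closes within this hunk.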
3
devenv.yaml
Normal file
3
devenv.yaml
Normal file
|
|
@ -0,0 +1,3 @@
|
||||||
|
inputs:
|
||||||
|
git-hooks:
|
||||||
|
url: github:cachix/git-hooks.nix
|
||||||