Flake environment with pre-commit hook; CI to enforce them. (#2)

Reviewed-on: Fediversity/Fediversity#2
Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io>

.forgejo/workflow/ci.yaml

@@ -0,0 +1,16 @@
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+  push:
+    branches:
+      - main
+
+jobs:
+  check-pre-commit:
+    runs-on: native
+    steps:
+      - uses: actions/checkout@v4
+      - run: nix build .#checks.x86_64-linux.pre-commit -L

.gitignore

@@ -1,3 +1,15 @@
+.DS_Store
+.idea
+*.log
+tmp/
+*.iso
+.proxmox
+/.pre-commit-config.yaml
+nixos.qcow2
 .envrc
 .direnv
-result
+result*
+.nixos-test-history
+*screenshot.png
+output
+todo

deployment/.gitignore

@@ -1,8 +0,0 @@
-.DS_Store
-.idea
-*.log
-tmp/
-*.iso
-result
-.proxmox
-.pre-commit-config.yaml

flake.lock

@@ -0,0 +1,149 @@
+{
+  "nodes": {
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1730814269,
+        "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "d70155fdc00df4628446352fc58adc640cd705c2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1730958623,
+        "narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "85f7e662eda4fa3a995556527c87b2524b691933",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1730504152,
+        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1730741070,
+        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1727672256,
+        "narHash": "sha256-9/79hjQc9+xyH+QxeMcRsA6hDyw6Z9Eo1/oxjvwirLk=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "1719f27dd95fd4206afb9cec9f415b539978827e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "git-hooks": "git-hooks",
+        "nixpkgs": "nixpkgs_2"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,50 @@
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    git-hooks.url = "github:cachix/git-hooks.nix";
+  };
+
+  outputs =
+    inputs@{ flake-parts, ... }:
+    flake-parts.lib.mkFlake { inherit inputs; } {
+      systems = [
+        "x86_64-linux"
+        "aarch64-linux"
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
+
+      imports = [ inputs.git-hooks.flakeModule ];
+
+      perSystem =
+        { config, pkgs, ... }:
+        {
+          formatter = pkgs.nixfmt-rfc-style;
+
+          pre-commit.settings.hooks =
+            ## Not everybody might want pre-commit hooks, so we make them
+            ## opt-in. Maybe one day we will decide to have them everywhere.
+            let
+              inherit (builtins) concatStringsSep;
+              optin = [
+                "deployment"
+                "services"
+              ];
+              files = "^((" + concatStringsSep "|" optin + ")/.*\\.nix|[^/]*\\.nix)$";
+            in
+            {
+              nixfmt-rfc-style = {
+                enable = true;
+                inherit files;
+              };
+              deadnix = {
+                enable = true;
+                inherit files;
+              };
+            };
+
+          devShells.default = pkgs.mkShell { shellHook = config.pre-commit.installationScript; };
+        };
+    };
+}

services/.gitignore

@@ -1,9 +0,0 @@
-nixos.qcow2
-result*
-.direnv
-.nixos-test-history
-*screenshot.png
-output
-todo
-
-/.pre-commit-config.yaml

services/fediversity/garage.nix

@@ -141,12 +141,8 @@ in
           types.submodule {
             # TODO: these should be managed as secrets, not in the nix store
             options = {
-              id = mkOption {
-                type = types.str;
-              };
-              secret = mkOption {
-                type = types.str;
-              };
+              id = mkOption { type = types.str; };
+              secret = mkOption { type = types.str; };
               # TODO: assert at least one of these is true
               # NOTE: this currently needs to be done at the top level module
               ensureAccess = mkOption {
@@ -184,9 +180,7 @@ in
       pkgs.awscli
     ];
 
-    networking.firewall.allowedTCPPorts = [
-      fedicfg.rpc.port
-    ];
+    networking.firewall.allowedTCPPorts = [ fedicfg.rpc.port ];
     services.garage = {
       enable = true;
       package = pkgs.garage_0_9;

services/fediversity/mastodon.nix

@@ -5,11 +5,7 @@ let
   };
 in
 
-{
-  config,
-  lib,
-  ...
-}:
+{ config, lib, ... }:
 
 lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
   #### garage setup

services/fediversity/peertube.nix

@@ -5,11 +5,7 @@ let
   };
 in
 
-{
-  config,
-  lib,
-  ...
-}:
+{ config, lib, ... }:
 
 lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
   networking.firewall.allowedTCPPorts = [

services/flake.nix

@@ -128,9 +128,7 @@
       };
 
       devShells.${system}.default = pkgs.mkShell {
-        inputs = with pkgs; [
-          nil
-        ];
+        inputs = with pkgs; [ nil ];
         shellHook = self.checks.${system}.pre-commit.shellHook;
       };
     };

services/installer.nix

@@ -42,9 +42,7 @@ let
       };
     in
     {
-      imports = [
-        "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
-      ];
+      imports = [ "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix" ];
       nixpkgs.hostPlatform = "x86_64-linux";
       services.getty.autologinUser = lib.mkForce "root";
       programs.bash.loginShellInit = nixpkgs.lib.getExe bootstrap;

services/tests/mastodon-garage.nix

@@ -7,9 +7,7 @@ let
 
   seleniumScript =
     pkgs.writers.writePython3Bin "selenium-script"
-      {
-        libraries = with pkgs.python3Packages; [ selenium ];
-      }
+      { libraries = with pkgs.python3Packages; [ selenium ]; }
       ''
         from selenium import webdriver
         from selenium.webdriver.common.by import By

services/tests/pixelfed-garage.nix

@@ -54,9 +54,7 @@ let
 
   seleniumScriptPostPicture =
     pkgs.writers.writePython3Bin "selenium-script-post-picture"
-      {
-        libraries = with pkgs.python3Packages; [ selenium ];
-      }
+      { libraries = with pkgs.python3Packages; [ selenium ]; }
       ''
         import os
         import time
@@ -99,9 +97,7 @@ let
 
   seleniumScriptGetSrc =
     pkgs.writers.writePython3Bin "selenium-script-get-src"
-      {
-        libraries = with pkgs.python3Packages; [ selenium ];
-      }
+      { libraries = with pkgs.python3Packages; [ selenium ]; }
       ''
         ${seleniumImports}
         ${seleniumSetup}

services/vm/pixelfed-vm.nix

@@ -1,8 +1,4 @@
-{
-  lib,
-  modulesPath,
-  ...
-}:
+{ lib, modulesPath, ... }:
 
 let
   inherit (lib) mkVMOverride;