nix-dotfiles/docs/CONTRIBUTING.md

# Contributing to nix-dotfiles

## Preliminary info

This repository is written using nix flakes on nix-unstable all the way
through. We do not currently have a way to provide support for NixOS stable
releases and nor do we plan to (please open an issue if that
is a breaking issue so we can better understand your use-case).

## Pre-commit hooks

We use pre-commit hooks for validating code before it is pushed into the repo.
Please install `direnv` and run `direnv allow` in the project directory to
add the pre-commit-hooks to your workflow. We will reject PRs if we notice
violations in the pre-commit checks.

To disable pre-commit hooks from your shell, run `touch .noprecommit` in the
top-level of the repo. This will not stop the checks from running during the PR
checks, but will prevent them from running in the direnv environment when
inconvenient.

## Active Development

To contribute to the repo, you can either ask to have a role (for those who are
adding machines to the repo), or fork the repo and open a PR (for those who are
making external contributions).

Our main branch has branch-protection (not even admins can directly push to
main) and all PRs require at least one approval. PRs which touch global files
(`flake.nix`, `modules/`, `systems/configuration.nix`, `.sops.yaml`, etc)
must have two approvals and may require more subject to the approvers discretion
(ie. a change which affect all servers or users).

### Branching

We use the below guide for creating branches currently. It is not necessarily
a strict standard, but if not followed will lead to questions from reviewers,
and will eventually trip a check when merging to main.

| Branch Name      | Use Case                                                                                                                                                                                                                      |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| main             | protected branch which all machines pull from, do not try to push directly                                                                                                                                                    |
| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use                                                                                                                                                       |
| fixup/\<item>   | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical                                                                                         |
| hotfix/\<item>  | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item>  | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues                                                                                                           |
| exp/\<item>     | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches                                                                                                  |
| merge/\<item>   | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch                                          |

### Review Process

For PR's that impact personal files (personal SOPS files, SSH keys, your laptops,
your servers), those can be added with one approval and will eventually be
auto-approved. However, for PR's affecting global files you need two
approvals based on the latest commit (stale approvals will not work).

In the event that quorum cannot be reached on approvals (specifically members
that cannot approve who normally would), the PR will be marked as *draft* unless
a member who is unable to approve defers their approval power. This deferral
must be publicly acknowledged in the PR and confirmed by another member.
This process essentially acknowledges that at least two people besides the
author are aware of the PR, however the third is deferring their approval powers
to those already involved.

This quorum rule can only be overrided for critical items (branches beginning
in `hotfix/` or `urgent/`), but an additional reviewer must be tagged regardless
and the assignee must assert that the PR has been tested on at least one
machine. Please see [Critical Issues](#critical-issues) for further details.

### Nix Project

All issues must be tagged to the `Nix Flake Features` project, and any PR's
which do not have an associated issue must be tagged to the same. It is
**highly recommended** that all PR's be tagged to an issue but PR's should
not be rejected if they are not tagged to an issue.

Any issue or PR that is tagged to the project must have a priority
(High/Medium/Low) and an estimate (rough amount of time in hours) associated.
Start dateand end date must be included for non-critical items (branches not
beginning with `hotfix/` or `urgent/`). This is done in order to understand
effort and criticality of the project item. Please see
[Critical Issues](#critical-issues) for further details.

### Critical Issues

As previously described, a critical issue is one which has a branch associated
with it beginning with `urgent/` or `hotfix/`. Any reviewer who is going to
review one of these PR's must assert that they have read and understood these
rules.

#### Implications

- Critical issues may bypass the [quorum rules](#review-process), as long as the
  PR has been tested on at least one machine
   - Issues which bypass the quorum process must have a second reviewer tagged
   - All critical issues which bypass the approval process must have an RCA issue
     opened and the RCA logged into the `inc/` folder
   - The second reviewer has 2 weeks to retroactively review and approve the PR
   - If the retro does not happen in the given window, an issue shall be opened
     to either re-review the PR or to revert and replace the fix with a
     permanent solution
- Critical issues must be tagged to `Nix Flake Features` project, and must have
  a priority of `High` and an estimate tagged. Start and end date are not needed

## Secrets

We allow secrets to be embedded in the repository using `sops-nix`. As part of
the process everything is encrypted, however adding a new user is a change
that every existing SOPS user needs to participate in. Please reach out to
[@ahuston-0](https://nayeonie.com/ahuston-0) or if you are interested
in using secrets on your machines.

## CI/CD

Our CI is currently a detached Hydra instance, which does not provide
feedback to the repository. Research is being done into a GitHub bot which will
provide live feedback on PR's and such.

Deployments are managed via two services for servers, one is the standard
`nixos-upgrade.service` which is bundled into NixOS. The current configuration
is that the `main` branch will be build every 24 hours on a per-server basis.
The other service is a custom `autopull@dotfiles.service`, which by default
will pull the `main` branch into `/root/dotfiles`. This service can be disabled
if you do not want it, but it is rather useful for experimenting and debugging.
Add basic contributing guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-08 22:21:43 -05:00			`# Contributing to nix-dotfiles`

			`## Preliminary info`

updates to docs Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-07-07 18:38:53 -04:00			`This repository is written using nix flakes on nix-unstable all the way`
Add basic contributing guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-08 22:21:43 -05:00			`through. We do not currently have a way to provide support for NixOS stable`
			`releases and nor do we plan to (please open an issue if that`
			`is a breaking issue so we can better understand your use-case).`

updates to docs Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-07-07 18:38:53 -04:00			`## Pre-commit hooks`
Add basic contributing guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-08 22:21:43 -05:00
updates to docs Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-07-07 18:38:53 -04:00			`We use pre-commit hooks for validating code before it is pushed into the repo.`
			Please install `direnv` and run `direnv allow` in the project directory to
			`add the pre-commit-hooks to your workflow. We will reject PRs if we notice`
			`violations in the pre-commit checks.`
Add basic contributing guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-08 22:21:43 -05:00
allow temporarily disabling pre-commit hooks 2024-07-28 01:13:04 -04:00			To disable pre-commit hooks from your shell, run `touch .noprecommit` in the
			`top-level of the repo. This will not stop the checks from running during the PR`
			`checks, but will prevent them from running in the direnv environment when`
			`inconvenient.`

Add basic contributing guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-08 22:21:43 -05:00			`## Active Development`

updates to docs Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-07-07 18:38:53 -04:00			`To contribute to the repo, you can either ask to have a role (for those who are`
			`adding machines to the repo), or fork the repo and open a PR (for those who are`
			`making external contributions).`
Add basic contributing guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-08 22:21:43 -05:00
updates to docs Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-07-07 18:38:53 -04:00			`Our main branch has branch-protection (not even admins can directly push to`
			`main) and all PRs require at least one approval. PRs which touch global files`
Add basic contributing guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-08 22:21:43 -05:00			(`flake.nix`, `modules/`, `systems/configuration.nix`, `.sops.yaml`, etc)
			`must have two approvals and may require more subject to the approvers discretion`
			`(ie. a change which affect all servers or users).`

			`### Branching`

			`We use the below guide for creating branches currently. It is not necessarily`
			`a strict standard, but if not followed will lead to questions from reviewers,`
			`and will eventually trip a check when merging to main.`

updates to docs Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-07-07 18:38:53 -04:00			`\| Branch Name \| Use Case \|`
			`\|------------------\|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\|`
			`\| main \| protected branch which all machines pull from, do not try to push directly \|`
format json/yml/sh 2025-03-13 17:50:03 -04:00			`\| feature/\<item> \| \<item> is a new feature added to the repo, for personal or common use \|`
			`\| fixup/\<item> \| \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical \|`
			`\| hotfix/\<item> \| \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process \|`
			`\| urgent/\<item> \| Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues \|`
			`\| exp/\<item> \| \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches \|`
			`\| merge/\<item> \| \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch \|`
Add basic contributing guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-08 22:21:43 -05:00
Add additional info for critical issues and the review process Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-11 15:13:29 -05:00			`### Review Process`

			`For PR's that impact personal files (personal SOPS files, SSH keys, your laptops,`
			`your servers), those can be added with one approval and will eventually be`
			`auto-approved. However, for PR's affecting global files you need two`
			`approvals based on the latest commit (stale approvals will not work).`

			`In the event that quorum cannot be reached on approvals (specifically members`
updates to docs Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-07-07 18:38:53 -04:00			`that cannot approve who normally would), the PR will be marked as draft unless`
Add additional info for critical issues and the review process Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-11 15:13:29 -05:00			`a member who is unable to approve defers their approval power. This deferral`
			`must be publicly acknowledged in the PR and confirmed by another member.`
			`This process essentially acknowledges that at least two people besides the`
			`author are aware of the PR, however the third is deferring their approval powers`
			`to those already involved.`

			`This quorum rule can only be overrided for critical items (branches beginning`
			in `hotfix/` or `urgent/`), but an additional reviewer must be tagged regardless
			`and the assignee must assert that the PR has been tested on at least one`
			`machine. Please see [Critical Issues](#critical-issues) for further details.`

			`### Nix Project`

			All issues must be tagged to the `Nix Flake Features` project, and any PR's
			`which do not have an associated issue must be tagged to the same. It is`
			`highly recommended that all PR's be tagged to an issue but PR's should`
			`not be rejected if they are not tagged to an issue.`

fix list alignment Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-07-07 19:00:43 -04:00			`Any issue or PR that is tagged to the project must have a priority`
			`(High/Medium/Low) and an estimate (rough amount of time in hours) associated.`
			`Start dateand end date must be included for non-critical items (branches not`
			beginning with `hotfix/` or `urgent/`). This is done in order to understand
			`effort and criticality of the project item. Please see`
			`[Critical Issues](#critical-issues) for further details.`
Add additional info for critical issues and the review process Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-11 15:13:29 -05:00
			`### Critical Issues`

			`As previously described, a critical issue is one which has a branch associated`
			with it beginning with `urgent/` or `hotfix/`. Any reviewer who is going to
			`review one of these PR's must assert that they have read and understood these`
			`rules.`

			`#### Implications`

			`- Critical issues may bypass the [quorum rules](#review-process), as long as the`
			`PR has been tested on at least one machine`
fix markdown linting issuew with contributors guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-07-07 19:59:34 -04:00			`- Issues which bypass the quorum process must have a second reviewer tagged`
			`- All critical issues which bypass the approval process must have an RCA issue`
format json/yml/sh 2025-03-13 17:50:03 -04:00			opened and the RCA logged into the `inc/` folder
fix markdown linting issuew with contributors guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-07-07 19:59:34 -04:00			`- The second reviewer has 2 weeks to retroactively review and approve the PR`
			`- If the retro does not happen in the given window, an issue shall be opened`
format json/yml/sh 2025-03-13 17:50:03 -04:00			`to either re-review the PR or to revert and replace the fix with a`
			`permanent solution`
Add additional info for critical issues and the review process Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-11 15:13:29 -05:00			- Critical issues must be tagged to `Nix Flake Features` project, and must have
			a priority of `High` and an estimate tagged. Start and end date are not needed

Add basic contributing guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-08 22:21:43 -05:00			`## Secrets`

			We allow secrets to be embedded in the repository using `sops-nix`. As part of
			`the process everything is encrypted, however adding a new user is a change`
			`that every existing SOPS user needs to participate in. Please reach out to`
remove references to richie/rad Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2025-04-01 13:59:09 -04:00			`[@ahuston-0](https://nayeonie.com/ahuston-0) or if you are interested`
Add basic contributing guide Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-02-08 22:21:43 -05:00			`in using secrets on your machines.`

			`## CI/CD`

			`Our CI is currently a detached Hydra instance, which does not provide`
			`feedback to the repository. Research is being done into a GitHub bot which will`
			`provide live feedback on PR's and such.`

			`Deployments are managed via two services for servers, one is the standard`
			`nixos-upgrade.service` which is bundled into NixOS. The current configuration
			is that the `main` branch will be build every 24 hours on a per-server basis.
			The other service is a custom `autopull@dotfiles.service`, which by default
			will pull the `main` branch into `/root/dotfiles`. This service can be disabled
			`if you do not want it, but it is rather useful for experimenting and debugging.`