Full rewrite of devshell

migrates pre-commit to cachix's pre-commit-hooks

adds a ton of new hooks:
- check-added-large-files
- check-case-conflicts
- check-json
- check-merge-conflicts
- detect-private-keys
- fmt-check
- nil
- no-commit-to-branch
- statix (disabled for now)

migrates devshell to new devshells, set up modularly to have separate
functionality for sops, pre-commit-hooks, and our custom packages

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

checks.nix

@@ -0,0 +1,39 @@
+{
+  inputs,
+  forEachSystem,
+  formatter,
+  ...
+}:
+forEachSystem (system: {
+  pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
+    src = ./.;
+    hooks = {
+      # nix checks
+      # Example custom hook for nix formatting:
+      fmt-check = {
+        enable = true;
+
+        # The command to execute (mandatory):
+        entry = "${formatter.${system}}/bin/nixfmt --check";
+
+        # The pattern of files to run on (default: "" (all))
+        # see also https://pre-commit.com/#hooks-files
+        files = "\\.nix$";
+      };
+      nil.enable = true;
+      statix.enable = false;
+
+      # json hooks
+      check-json.enable = true;
+
+      # git hooks
+      check-merge-conflicts.enable = true;
+      no-commit-to-branch.enable = true;
+
+      # misc hooks
+      check-added-large-files.enable = true;
+      check-case-conflicts.enable = true;
+      detect-private-keys.enable = true;
+    };
+  };
+})

flake.lock

@@ -102,6 +102,22 @@
         "type": "github"
       }
     },
+    "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -176,6 +192,27 @@
         "type": "github"
       }
     },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "pre-commit-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -431,6 +468,31 @@
         "type": "github"
       }
     },
+    "pre-commit-hooks_2": {
+      "inputs": {
+        "flake-compat": "flake-compat_3",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nixpkgs-stable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1715870890,
+        "narHash": "sha256-nacSOeXtUEM77Gn0G4bTdEOeFIrkCBXiyyFZtdGwuH0=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "fa606cccd7b0ccebe2880051208e4a0f61bfc8c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "attic": "attic",
@@ -445,6 +507,7 @@
         "nixos-modules": "nixos-modules",
         "nixpkgs": "nixpkgs",
         "nixpkgs-stable": "nixpkgs-stable",
+        "pre-commit-hooks": "pre-commit-hooks_2",
         "rust-overlay": "rust-overlay",
         "sops-nix": "sops-nix",
         "systems": "systems",

flake.nix

@@ -78,6 +78,14 @@
         };
       };
 
+      pre-commit-hooks = {
+        url = "github:cachix/pre-commit-hooks.nix";
+        inputs = {
+          nixpkgs.follows = "nixpkgs";
+          nixpkgs-stable.follows = "nixpkgs-stable";
+        };
+      };
+
       wired-notify = {
         url = "github:Toqozz/wired-notify";
         inputs = {
@@ -127,8 +135,6 @@
       ...
     }@inputs:
     let
-
-      inherit (self) outputs;
       systems = [
         "x86_64-linux"
         "aarch64-linux"
@@ -139,23 +145,6 @@
       # gets the base path of the repo
       src = builtins.path { path = ./.; };
 
-      config = {
-        repos = [
-          {
-            repo = "local";
-            hooks = [
-              {
-                id = "nix fmt check";
-                entry = "${outputs.formatter.x86_64-linux}/bin/nixfmt";
-                args = [ "--check" ];
-                language = "system";
-                files = "\\.nix";
-              }
-            ];
-          }
-        ];
-      };
-
       # adds our lib functions to lib namespace
       lib = nixpkgs.lib.extend (
         self: super:
@@ -166,7 +155,7 @@
       );
       inherit (lib.rad-dev.systems) genSystems;
     in
-    {
+    rec {
       inherit (self) outputs; # for hydra
       inherit lib; # for allowing use of custom functions in nix repl
 
@@ -174,21 +163,29 @@
       formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
 
       nixosConfigurations = genSystems inputs src (src + "/systems");
-
+      checks = import ./checks.nix { inherit inputs forEachSystem formatter; };
-      devShell = lib.mapAttrs (
+      devShells = import ./shell.nix {
-        system: sopsPkgs:
+        inherit
-        with nixpkgs.legacyPackages.${system};
+          forEachSystem
-        mkShell {
+          nixpkgs
-          sopsPGPKeyDirs = [ "./keys" ];
+          checks
-          nativeBuildInputs = [ sopsPkgs.sops-import-keys-hook ];
+          sops-nix
-          packages = [
+          ;
-            self.formatter.${system}
+      };
-            nixpkgs.legacyPackages.${system}.deadnix
+      # devShell = lib.mapAttrs (
-            nixpkgs.legacyPackages.${system}.treefmt
+      #   system: sopsPkgs:
-            nixpkgs.legacyPackages.${system}.pre-commit
+      #   with nixpkgs.legacyPackages.${system};
-          ];
+      #   mkShell {
-          shellHook = (nix-pre-commit.lib.${system}.mkConfig { inherit pkgs config; }).shellHook;
+      #     sopsPGPKeyDirs = [ "./keys" ];
-        }
+      #     nativeBuildInputs = [ sopsPkgs.sops-import-keys-hook ];
-      ) sops-nix.packages;
+      #     packages = [
+      #       self.formatter.${system}
+      #       nixpkgs.legacyPackages.${system}.deadnix
+      #       nixpkgs.legacyPackages.${system}.treefmt
+      #       nixpkgs.legacyPackages.${system}.pre-commit
+      #     ];
+      #     shellHook = (nix-pre-commit.lib.${system}.mkConfig { inherit pkgs config; }).shellHook;
+      #   }
+      # ) sops-nix.packages;
     };
 }

shell.nix

@@ -0,0 +1,40 @@
+{
+  forEachSystem,
+  nixpkgs,
+  checks,
+  sops-nix,
+  ...
+}:
+
+forEachSystem (
+  system:
+  let
+    pkgs = nixpkgs.legacyPackages.${system};
+    pre-commit = pkgs.mkShell {
+      inherit (checks.${system}.pre-commit-check) shellHook;
+      buildInputs = checks.${system}.pre-commit-check.enabledPackages;
+    };
+    sops = pkgs.mkShell {
+      sopsPGPKeyDirs = [ "./keys" ];
+      packages = [
+        pkgs.sops
+        sops-nix.packages.${system}.sops-import-keys-hook
+      ];
+    };
+    rad-dev = pkgs.mkShell {
+      packages = with pkgs; [
+        deadnix
+        pre-commit
+      ];
+    };
+  in
+  {
+    default = pkgs.mkShell {
+      inputsFrom = [
+        pre-commit
+        rad-dev
+        sops
+      ];
+    };
+  }
+)