ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 4 Actions Packages Projects Releases Wiki Activity

feature/waybar #15

Merged
ahuston-0 merged 8 commits from feature/waybar into main 2025-03-15 22:43:03 -04:00
Conversation 1 Commits 8 Files Changed 33 +522 -545
19 changed files with 522 additions and 545 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 02b8a6bc6c - Show all commits

331
.github/settings.yml vendored
View File

@ -1,204 +1,173 @@
# Have borrowed this config from nix-community/infra
repository:
# See https://developer.github.com/v3/repos/#edit for all available settings.
# See https://developer.github.com/v3/repos/#edit for all available settings.
# The name of the repository. Changing this will rename the repository
name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# The name of the repository. Changing this will rename the repository
name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# Labels: define labels for Issues and Pull Requests
#
labels:
- name: bug
color: '#d73a4a'
description: Something isn't working
- name: CI/CD
# If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16'
description: Related to GH Actions or Hydra
- name: documentation
color: '#0075ca'
description: Improvements or additions to documentation
- name: duplicate
color: '#cfd3d7'
description: This issue or pull request already exists
- name: enhancement
color: '#a2eeef'
description: New feature or request
- name: good first issue
color: '#7057ff'
description: Good for newcomers
- name: help wanted
color: '#008672'
description: Extra attention is needed
- name: high priority
color: '#BF480A'
description: A major vurnability was detected
- name: invalid
color: '#e4e669'
description: This doesn't seem right
- name: new user
color: '#C302A1'
description: A new user was added to the Flake
- name: question
color: '#d876e3'
description: Further information is requested
- name: wontfix
color: '#ffffff'
description: This will not be worked on
- name: dependencies
color: '#cb4ed5'
description: Used for PR's related to flake.lock updates
- name: automated
color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD)
- name: bug
color: '#d73a4a'
description: Something isn't working
- name: CI/CD
# If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16'
description: Related to GH Actions or Hydra
- name: documentation
color: '#0075ca'
description: Improvements or additions to documentation
- name: duplicate
color: '#cfd3d7'
description: This issue or pull request already exists
- name: enhancement
color: '#a2eeef'
description: New feature or request
- name: good first issue
color: '#7057ff'
description: Good for newcomers
- name: help wanted
color: '#008672'
description: Extra attention is needed
- name: high priority
color: '#BF480A'
description: A major vurnability was detected
- name: invalid
color: '#e4e669'
description: This doesn't seem right
- name: new user
color: '#C302A1'
description: A new user was added to the Flake
- name: question
color: '#d876e3'
description: Further information is requested
- name: wontfix
color: '#ffffff'
description: This will not be worked on
- name: dependencies
color: '#cb4ed5'
description: Used for PR's related to flake.lock updates
- name: automated
color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD)
# Milestones: define milestones for Issues and Pull Requests
milestones:
- title: Go-Live
description: >-
All requirements for official go-live:
- Automated testing via Hydra/Actions
- Automated deployments via Hydra/Actions
- 90+% testing coverage
- Functional formatter with custom rules
- palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves
- Quadro GPU support
- Multi-GPU support
- Plex support
- Docker support
- ZFS support
- title: Go-Live
description: >-
All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support
# Collaborators: give specific users access to this repository.
# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
collaborators:
# - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push
# - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push
# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
teams:
# - name: admin
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
# - name: admin
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
branches:
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# not available in the api yet
# `Require merge queue`: true
# `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1
# defaults:
# `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes
# not available in the api yet
# `Require merge queue`: true
# `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1
# defaults:
# `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
required_pull_request_reviews:
# # The number of approvals required. (1-6)
required_approving_review_count: 1
# # Dismiss approved reviews automatically when a new commit is pushed.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed.
require_code_owner_reviews: false
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
required_pull_request_reviews:
# # The number of approvals required. (1-6)
required_approving_review_count: 1
# # Dismiss approved reviews automatically when a new commit is pushed.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed.
require_code_owner_reviews: false
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
# Required. Require branches to be up to date before merging.
# strict: false
# Required. The list of status checks to require in order to merge into this branch
# contexts:
# - buildbot/nix-eval
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true
# Disabled for bors to work
required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions:
apps: []
# TODO: make a buildbot instance
# users: ["nix-infra-bot"]
teams: []
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true
# Disabled for bors to work
required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions:
apps: []
# TODO: make a buildbot instance
# users: ["nix-infra-bot"]
teams: []

89
.github/workflows/flake-health-checks.yml vendored
View File

@ -1,48 +1,47 @@
name: "Check Nix flake"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix flake checks"
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix flake check --accept-flake-config
- run: nix ./utils/attic-push.bash
build-checks:
name: "Build nix outputs"
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- name: Build all outputs
run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
health-check:
name: "Perform Nix flake checks"
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix flake check --accept-flake-config
- run: nix ./utils/attic-push.bash
build-checks:
name: "Build nix outputs"
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- name: Build all outputs
run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true

206
.github/workflows/flake-update.yml vendored
View File

@ -1,116 +1,112 @@
name: "Update flakes"
on:
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 12 * * *"
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 12 * * *"
jobs:
update_lockfile:
runs-on: ubuntu-latest
#if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get pre-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh pre
- name: Update flake.lock
id: update
run: |
nix flake update 2> >(tee /dev/stderr) | awk '
/^• Updated input/ {in_update = 1; print; next}
in_update && !/^warning:/ {print}
/^$/ {in_update = 0}
' > update.log
update_lockfile:
runs-on: ubuntu-latest
#if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get pre-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh pre
- name: Update flake.lock
id: update
run: |
nix flake update 2> >(tee /dev/stderr) | awk '
/^• Updated input/ {in_update = 1; print; next}
in_update && !/^warning:/ {print}
/^$/ {in_update = 0}
' > update.log
echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
cat update.log >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
cat update.log >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
rm update.log
- name: Get post-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh post
- name: Calculate diff
run: nix ./utils/diff-evals.sh
- name: Read file contents
id: read_file
uses: guibranco/github-file-reader-action-v2@latest
with:
path: "post-diff"
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
rm update.log
- name: Get post-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh post
- name: Calculate diff
run: nix ./utils/diff-evals.sh
- name: Read file contents
id: read_file
uses: guibranco/github-file-reader-action-v2@latest
with:
path: "post-diff"
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
```
${{ env.UPDATE_LOG }}
```
```
${{ env.UPDATE_LOG }}
```
```
${{ steps.read_file.outputs.contents }}
```
```
${{ steps.read_file.outputs.contents }}
```
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.md"
- name: Save PR body
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pr_body.md
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
body: ${{ steps.pr_body.outputs.content }}
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.md"
- name: Save PR body
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pr_body.md
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
body: ${{ steps.pr_body.outputs.content }}
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
${{ steps.pr_body.outputs.content }}
branch: update-flake-lock
delete-branch: true
pr-labels: | # Labels to be set on the PR
dependencies
automated
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
- name: Print PR number
run: |
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
${{ steps.pr_body.outputs.content }}
branch: update-flake-lock
delete-branch: true
pr-labels: | # Labels to be set on the PR
dependencies
automated
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
- name: Print PR number
run: |
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
permissions:
pull-requests: write
contents: write
pull-requests: write
contents: write

27
.github/workflows/lock-health-checks.yml vendored
View File

@ -1,17 +1,16 @@
name: "Check flake.lock"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Check health of `flake.lock`"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main
with:
fail-mode: true
health-check:
name: "Check health of `flake.lock`"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main
with:
fail-mode: true

45
.github/workflows/nix-fmt.yml vendored
View File

@ -1,26 +1,25 @@
name: "Check Nix formatting"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix format checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix fmt -- --check .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
health-check:
name: "Perform Nix format checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix fmt -- --check .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true

79
.sops.yaml
View File

@ -1,51 +1,46 @@
keys:
# The PGP keys in keys/
- &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
# Generate AGE keys from SSH keys with:
# ssh-keygen -A
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# cspell:disable
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
# The PGP keys in keys/
- &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
# Generate AGE keys from SSH keys with:
# ssh-keygen -A
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# cspell:disable
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
#- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
# cspell:enable
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
# cspell:enable
servers: &servers
- *palatine-hill
- *palatine-hill
# add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below
#
# update keys by executing: sops updatekeys secrets.yaml
# note: add .* before \.yaml if you'd like to use the mergetool config
creation_rules:
- path_regex: users/alice/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- *artemision
- *artemision-home
- path_regex: systems/palatine-hill/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/artemision/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *artemision
- path_regex: systems/palatine-hill/docker/wg/.*\.conf$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: users/alice/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- *artemision
- *artemision-home
- path_regex: systems/palatine-hill/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/artemision/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *artemision
- path_regex: systems/palatine-hill/docker/wg/.*\.conf$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill

4
.vscode/settings.json vendored
View File

@ -1,5 +1,7 @@
{
"cSpell.enableFiletypes": ["nix"],
"cSpell.enableFiletypes": [
"nix"
],
"cSpell.words": [
"aarch",
"abmlevel",

18
docs/CONTRIBUTING.md
View File

@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
| Branch Name | Use Case |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| main | protected branch which all machines pull from, do not try to push directly |
| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use |
| fixup/\<item\> | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item\> | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item\> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item\> | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item\> | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use |
| fixup/\<item> | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item> | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item> | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item> | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
### Review Process
@ -94,11 +94,11 @@ rules.
PR has been tested on at least one machine
- Issues which bypass the quorum process must have a second reviewer tagged
- All critical issues which bypass the approval process must have an RCA issue
opened and the RCA logged into the `inc/` folder
opened and the RCA logged into the `inc/` folder
- The second reviewer has 2 weeks to retroactively review and approve the PR
- If the retro does not happen in the given window, an issue shall be opened
to either re-review the PR or to revert and replace the fix with a
permanent solution
to either re-review the PR or to revert and replace the fix with a
permanent solution
- Critical issues must be tagged to `Nix Flake Features` project, and must have
a priority of `High` and an estimate tagged. Start and end date are not needed

120
docs/sample-setup.sh
View File

@ -1,9 +1,9 @@
#!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#git --command bash
set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes
set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes
PROCEED="N"
@ -50,60 +50,58 @@ GITBASE="systems"
FEATUREBRANCH="feature/adding-$MACHINENAME"
if [ $PROCEED != "Y" ]; then
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi
if [ $CREATEPARTS = "Y" ]; then
# Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
# Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on
# Create lvm part
sudo pvcreate "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
# Create volume group
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo vgchange -a y "$VOLGROUP"
sudo vgdisplay
# Create lvm part
sudo pvcreate "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
# Create swap part on LVM
if [ $SWAPSIZE != 0 ]; then
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create volume group
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo vgchange -a y "$VOLGROUP"
sudo vgdisplay
# Create home part on LVM, leaving plenty of room for snapshots
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
# Create swap part on LVM
if [ $SWAPSIZE != 0 ]; then
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
# Create home part on LVM, leaving plenty of room for snapshots
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
# Create nix part on LVM
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
# Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
sudo lvdisplay
# Create nix part on LVM
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
sudo lvdisplay
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi
# Mount partitions
@ -116,7 +114,7 @@ sudo mount $BOOTPART /mnt/boot
# Enable swap if SWAPSIZE is non-zero
if [ $SWAPSIZE != 0 ]; then
sudo swapon "/dev/$VOLGROUP/swap"
sudo swapon "/dev/$VOLGROUP/swap"
fi
# Clone the repo
@ -135,31 +133,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
cat "$DOTS/id_ed25519_ghdeploy.pub"
if [ $SOPS == "Y" ]; then
# Create ssh host-keys
sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Create ssh host-keys
sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF
# Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF
- path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
key_groups:
- pgp: *$OWNERORADMINS
age:
- *$MACHINENAME
EOF
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
fi
read -r -p "press enter to continue"

4
systems/palatine-hill/attic/sync-attic.bash
View File

@ -2,9 +2,9 @@
#! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash
sync_directories=(
/ZFS/ZFS-primary/hydra
/ZFS/ZFS-primary/hydra
)
for dir in "${sync_directories[@]}"; do
find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
done

4
systems/palatine-hill/docker/watchtower.bash
View File

@ -6,8 +6,8 @@ outdated_msg="Project code is out of date and needs to be upgraded. To remedy th
label="$1"
label_val="$2"
if (( $# != 2 )); then
echo "usage: $0 label label_value"
if (($# != 2)); then
echo "usage: $0 label label_value"
fi
containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}")

18
treefmt.toml
View File

@ -12,3 +12,21 @@ command = "nixfmt"
#options = []
# Glob pattern of files to include
includes = [ "*.nix" ]
[formatter.jsonfmt]
command = "jsonfmt"
excludes = []
includes = ["*.json"]
options = ["-w"]
[formatter.shfmt]
command = "shfmt"
excludes = []
includes = ["*.sh", "*.bash", "*.envrc", "*.envrc.*"]
options = ["-i", "2", "-s", "-w"]
[formatter.yamlfmt]
command = "yamlfmt"
excludes = []
includes = ["*.yaml", "*.yml"]
options = ["-formatter","indent=4"]

14
utils/attic-push.bash
View File

@ -11,18 +11,16 @@ set -e
# | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
# retrieve all paths
nix_paths=$(nix path-info --json --all --closure-size \
| jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' \
| jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
nix_paths=$(nix path-info --json --all --closure-size |
jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' |
jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
readarray -t nix_path_array < <(echo "$nix_paths")
batchsize=1000
for((i=0; i < ${#nix_path_array[@]}; i+=batchsize))
do
part=( "${nix_path_array[@]:i:batchsize}" )
for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do
part=("${nix_path_array[@]:i:batchsize}")
attic push nix-cache "${part[@]}"
attic push nix-cache "${part[@]}"
done

52
utils/attic-token.bash
View File

@ -1,8 +1,8 @@
#!/usr/bin/env bash
if (( $# != 3 )); then
echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
exit 1
if (($# != 3)); then
echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
exit 1
fi
cache="$1"
@ -10,27 +10,27 @@ cache_pattern="$2"
token_type="$3"
case $token_type in
"cache-creator")
atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
--pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
--create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
;;
"admin")
atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern"
;;
"writer")
atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern"
;;
"reader")
atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
;;
*)
echo "invalid token type: $token_type"
echo "available options: cache-creator, admin, writer, reader"
exit 1
;;
"cache-creator")
atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
--pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
--create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
;;
"admin")
atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern"
;;
"writer")
atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern"
;;
"reader")
atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
;;
*)
echo "invalid token type: $token_type"
echo "available options: cache-creator, admin, writer, reader"
exit 1
;;
esac

4
utils/eval-to-drv.sh
View File

@ -8,8 +8,8 @@ set -v
set -e
if [ "$#" -ne 1 ]; then
echo "$0 (pre|post)"
exit 1
echo "$0 (pre|post)"
exit 1
fi
script_path=$(dirname "$(readlink -f $0)")

8
utils/fetch-docker.sh
View File

@ -14,10 +14,10 @@ parent_path=$(dirname "$script_path")
# relpath is the relative path to the parent_path where you want the file written
# format: <image name>,<image tag>,<image architecture>,<os>,<relpath>
images=(
"nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
"nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
)
IFS=","
while read -r name tag arch os relpath; do
nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet > "$parent_path/$relpath"
git --no-pager diff "$parent_path/$relpath"
done<<< "${images[@]}"
nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath"
git --no-pager diff "$parent_path/$relpath"
done <<<"${images[@]}"

2
utils/manual-update.sh
View File

@ -1,6 +1,6 @@
#!/usr/bin/env bash
set -e
set -e
set -v
set -x

20
utils/sops-mergetool-new.sh
View File

@ -2,7 +2,10 @@
# Rename CLI parameters to friendlier names
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"; local_="$2"; remote="$3"; merged="$4"
base="$1"
local_="$2"
remote="$3"
merged="$4"
# Load the mergetool scripts
TOOL_MODE=merge
@ -20,7 +23,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files
handle_trap_exit () {
handle_trap_exit() {
rm $base_decrypted || true
rm $local_decrypted || true
rm $remote_decrypted || true
@ -30,12 +33,12 @@ handle_trap_exit () {
trap handle_trap_exit EXIT
# Decrypt our file contents
sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
sops --decrypt --show-master-keys "$base" >"$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
# Create a merge-diff to compare against
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
cp "$merged_decrypted" "$backup_decrypted"
# Set up variables for the mergetool
@ -48,7 +51,7 @@ MERGED="$merged_decrypted"
BACKUP="$backup_decrypted"
# Override `check_unchanged` with a custom script
check_unchanged () {
check_unchanged() {
# If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then
return 0
@ -61,5 +64,4 @@ check_unchanged () {
run_merge_tool "${mergetool}" true
# Re-encrypt content
sops --encrypt "$merged_decrypted" > "$merged"
sops --encrypt "$merged_decrypted" >"$merged"

22
utils/sops-mergetool.sh
View File

@ -6,7 +6,10 @@ set -x
# Rename our variables to friendlier equivalents
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"; local_="$2"; remote="$3"; merged="$4"
base="$1"
local_="$2"
remote="$3"
merged="$4"
echo "$base"
echo "$local_"
@ -18,7 +21,7 @@ echo "$merged"
mergetool="$(git config --get merge.tool)"
GIT_DIR="$(git --exec-path)"
if test "$mergetool" = ""; then
echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
exit 1
fi
@ -32,7 +35,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files
handle_trap_exit () {
handle_trap_exit() {
rm $base_decrypted || true
rm $local_decrypted || true
rm $remote_decrypted || true
@ -42,13 +45,13 @@ handle_trap_exit () {
trap handle_trap_exit EXIT
# Decrypt our file contents
sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
sops --decrypt --show-master-keys "$base" >"$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
# Create a merge-diff to compare against
set +e
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
set -e
cp "$merged_decrypted" "$backup_decrypted"
@ -66,7 +69,7 @@ source "$GIT_DIR/git-mergetool--lib"
source "$GIT_DIR/mergetools/$mergetool"
# Override `check_unchanged` with a custom script
check_unchanged () {
check_unchanged() {
# If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then
return 0
@ -82,5 +85,4 @@ merge_cmd
set -eu
# Re-encrypt content
sops --encrypt "$merged_decrypted" > "$merged"
sops --encrypt "$merged_decrypted" >"$merged"