dotfiles/checks/pre-commit/default.nix

{
  inputs,
  system,
  lib,
  pkgs,
  ...
}: let
  inherit
    (lib)
    mkIf
    elem
    getExe
    pipe
    concatStringsSep
    makeBinPath
    ;
  supportedSystems = [
    "x86_64-linux"
    "aarch64-linux"
  ];

  ipv4Allowed =
    pipe [
      "127.0.0.1"
      "8.8.8.8"
      "64.225.104.221"
      "93.184.77.2"
      "67.207.67.3"
      "64.225.96.1"
      "5.5.5.5"
      "255.255.255.255"
      "2.9.0.1"
      "127.0.0.0"
    ] [
      (concatStringsSep "\n")
      (pkgs.writeText "allowed_ipv4.txt")
    ];

  ip-search = pkgs.writeShellScriptBin "ip-search" ''
    export PATH="${makeBinPath [pkgs.ripgrep]}:$PATH"
    _ipv4_regex='((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.){3}(25[0-5]|(2[0-4]|1\d|[1-9]|)\d)'
    _ipv4_matches=()

    mapfile -t _ipv4_matches < <( rg "$_ipv4_regex" . -oNI | sort | uniq )

    _ipv6_regex='a'
    _ipv6_matches=()

    # TODO

    _ipv4_allowed=()
    mapfile -t _ipv4_allowed < ${ipv4Allowed}

    _ipv4_offending=()
    mapfile -t _ipv4_offending < <( diff -U 1 \
        <( echo ''${_ipv4_matches[@]} | tr ' ' '\n' | sort | uniq -u ) \
        <( echo ''${_ipv4_allowed[@]} | tr ' ' '\n' | sort | uniq -u ) \
        | grep '^-' \
        | cut -b 2- \
        | tail +2 )

    for _offending in ''${_ipv4_offending[@]} ; do
      echo "found offending ipv4 address $_offending in file(s):"

      mapfile -t _files < <( rg -FoN "$_offending" . | cut -f 1 -d : | sort | uniq )
      for _file in ''${_files[@]} ; do
        echo $'  - '"$_file"
      done
    done

    echo "Found ''${#_ipv4_offending[@]} offending ipv4 addresses"

    exit 69
  '';
in
  mkIf (elem system supportedSystems) (inputs.pre-commit-hooks.lib.${system}.run {
    imports = [
      ./modules/ip-search.nix
      {
        _module.args = {
          inherit inputs;
        };
      }
    ];
    src = ./../..;
    hooks = {
      alejandra.enable = true;

      ## produces a lot of annoying lints, disable until specific lints can be disabled per file
      ## https://github.com/oppiliappan/statix/issues/61
      # statix.enable = true;

      ip-search = {
        enable = true;
      };
    };
  })
Improve git-hooks infrastructure, add ip hook Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-07-13 20:53:54 +02:00			`{`
			`inputs,`
			`system,`
			`lib,`
			`pkgs,`
			`...`
			`}: let`
			`inherit`
			`(lib)`
			`mkIf`
			`elem`
			`getExe`
			`pipe`
			`concatStringsSep`
			`makeBinPath`
			`;`
			`supportedSystems = [`
			`"x86_64-linux"`
			`"aarch64-linux"`
			`];`

			`ipv4Allowed =`
			`pipe [`
			`"127.0.0.1"`
			`"8.8.8.8"`
			`"64.225.104.221"`
			`"93.184.77.2"`
			`"67.207.67.3"`
			`"64.225.96.1"`
			`"5.5.5.5"`
			`"255.255.255.255"`
			`"2.9.0.1"`
			`"127.0.0.0"`
			`] [`
			`(concatStringsSep "\n")`
			`(pkgs.writeText "allowed_ipv4.txt")`
			`];`

			`ip-search = pkgs.writeShellScriptBin "ip-search" ''`
			`export PATH="${makeBinPath [pkgs.ripgrep]}:$PATH"`
			`_ipv4_regex='((25[0-5]\|(2[0-4]\|1\d\|[1-9]\|)\d)\.){3}(25[0-5]\|(2[0-4]\|1\d\|[1-9]\|)\d)'`
			`_ipv4_matches=()`

			`mapfile -t _ipv4_matches < <( rg "$_ipv4_regex" . -oNI \| sort \| uniq )`

			`_ipv6_regex='a'`
			`_ipv6_matches=()`

			`# TODO`

			`_ipv4_allowed=()`
			`mapfile -t _ipv4_allowed < ${ipv4Allowed}`

			`_ipv4_offending=()`
			`mapfile -t _ipv4_offending < <( diff -U 1 \`
			`<( echo ''${_ipv4_matches[@]} \| tr ' ' '\n' \| sort \| uniq -u ) \`
			`<( echo ''${_ipv4_allowed[@]} \| tr ' ' '\n' \| sort \| uniq -u ) \`
			`\| grep '^-' \`
			`\| cut -b 2- \`
			`\| tail +2 )`

			`for _offending in ''${_ipv4_offending[@]} ; do`
			`echo "found offending ipv4 address $_offending in file(s):"`

			`mapfile -t _files < <( rg -FoN "$_offending" . \| cut -f 1 -d : \| sort \| uniq )`
			`for _file in ''${_files[@]} ; do`
			`echo $' - '"$_file"`
			`done`
			`done`

			`echo "Found ''${#_ipv4_offending[@]} offending ipv4 addresses"`

			`exit 69`
			`'';`
			`in`
			`mkIf (elem system supportedSystems) (inputs.pre-commit-hooks.lib.${system}.run {`
			`imports = [`
			`./modules/ip-search.nix`
			`{`
			`_module.args = {`
			`inherit inputs;`
			`};`
			`}`
			`];`
			`src = ./../..;`
			`hooks = {`
			`alejandra.enable = true;`

			`## produces a lot of annoying lints, disable until specific lints can be disabled per file`
			`## https://github.com/oppiliappan/statix/issues/61`
			`# statix.enable = true;`

			`ip-search = {`
			`enable = true;`
			`};`
			`};`
			`})`