Improve git-hooks infrastructure, add ip hook

Signed-off-by: magic_rb <magic_rb@redalder.org>
magic_rb 2024-07-13 20:53:54 +02:00
parent 87400566be
commit 3c40bda301
GPG key ID: 08D5287CC5DDCA0E
6 changed files with 239 additions and 8 deletions

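--- a/checks/default.nix
+++ b/checks/default.nix
@@ -0,0 +1,46 @@
+{
+inputs,
+lib,
+...
+}: let
+inherit
+(lib)
+pipe
+mapAttrs'
+mapAttrs
+filterAttrs
+callPackageWith
+hasSuffix
+removeSuffix
+nameValuePair
+;
+in {
+perSystem = {
+system,
+pkgs,
+...
+}: let
+importDefault = path:
+import path {
+inherit
+lib
+inputs
+system
+pkgs
+;
+};
+in {
+checks = pipe (builtins.readDir ./.) [
+(filterAttrs (n: _: n != "default.nix"))
+(mapAttrs' (n: v: let
+newName =
+if hasSuffix ".nix" n
+then removeSuffix ".nix" n
+else n;
+in
+nameValuePair newName v))
+(mapAttrs (n: _: (importDefault (toString ./. + "/" + n))))
+(filterAttrs (_: v: v ? "_type" -> v._type == "if" -> v.condition))
+];
+};
+}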
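Review bot: The import on line 58 runs after the rename stage has already stripped `.nix` from the attribute names, so a plain `foo.nix` in this directory would be imported as `<dir>/foo`, which does not exist; only subdirectory checks (`foo/default.nix`) survive, which makes the `hasSuffix` branch dead at best and an evaluation error at worst. Importing before renaming avoids this: move `(mapAttrs (n: _: importDefault (./. + "/${n}")))` ahead of the `mapAttrs'` rename so it sees the original entry names, and path concatenation instead of `toString` keeps the value a path. The final filter on line 59 relies on `->` being right-associative and on the shape of `mkIf` values; a comment such as `# drop mkIf-false entries (e.g. unsupported systems) before they reach flake-parts` would save the next reader a detour. `callPackageWith` is inherited on line 28 but never used.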


@ -0,0 +1,97 @@
{
inputs,
system,
lib,
pkgs,
...
}: let
inherit
(lib)
mkIf
elem
getExe
pipe
concatStringsSep
makeBinPath
;
supportedSystems = [
"x86_64-linux"
"aarch64-linux"
];
ipv4Allowed =
pipe [
"127.0.0.1"
"8.8.8.8"
"64.225.104.221"
"93.184.77.2"
"67.207.67.3"
"64.225.96.1"
"5.5.5.5"
"255.255.255.255"
"2.9.0.1"
"127.0.0.0"
] [
(concatStringsSep "\n")
(pkgs.writeText "allowed_ipv4.txt")
];
ip-search = pkgs.writeShellScriptBin "ip-search" ''
export PATH="${makeBinPath [pkgs.ripgrep]}:$PATH"
_ipv4_regex='((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.){3}(25[0-5]|(2[0-4]|1\d|[1-9]|)\d)'
_ipv4_matches=()
mapfile -t _ipv4_matches < <( rg "$_ipv4_regex" . -oNI | sort | uniq )
_ipv6_regex='a'
_ipv6_matches=()
# TODO
_ipv4_allowed=()
mapfile -t _ipv4_allowed < ${ipv4Allowed}
_ipv4_offending=()
mapfile -t _ipv4_offending < <( diff -U 1 \
<( echo ''${_ipv4_matches[@]} | tr ' ' '\n' | sort | uniq -u ) \
<( echo ''${_ipv4_allowed[@]} | tr ' ' '\n' | sort | uniq -u ) \
| grep '^-' \
| cut -b 2- \
| tail +2 )
for _offending in ''${_ipv4_offending[@]} ; do
echo "found offending ipv4 address $_offending in file(s):"
mapfile -t _files < <( rg -FoN "$_offending" . | cut -f 1 -d : | sort | uniq )
for _file in ''${_files[@]} ; do
echo $' - '"$_file"
done
done
echo "Found ''${#_ipv4_offending[@]} offending ipv4 addresses"
exit 69
'';
in
mkIf (elem system supportedSystems) (inputs.pre-commit-hooks.lib.${system}.run {
imports = [
./modules/ip-search.nix
{
_module.args = {
inherit inputs;
};
}
];
src = ./../..;
hooks = {
alejandra.enable = true;
## produces a lot of annoying lints, disable until specific lints can be disabled per file
## https://github.com/oppiliappan/statix/issues/61
# statix.enable = true;
ip-search = {
enable = true;
};
};
})
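Review bot: The `ipv4Allowed` (lines 87–102) and `ip-search` (lines 103–129) let-bindings are dead: the hook is defined by `./modules/ip-search.nix` and takes its `package` from `inputs.self.packages` (line 192 of that module), so nothing in this file references them, and `getExe`/`makeBinPath`/`concatStringsSep` are inherited for nothing. More importantly, the hook block on lines 146–148 never sets `permittedIpv4Addresses`, and nothing else visible in this commit does, so the option keeps its `[]` default and every IPv4-looking literal in the tree fails the hook. Move the list into the module option, `ip-search = { enable = true; permittedIpv4Addresses = [ "127.0.0.1" "8.8.8.8" /* … rest of the list … */ ]; };`, and delete the two unused bindings together with the duplicated script, which then lives only in the overlay. The duplicated script also carries the same unconditional `exit 69` as the overlay copy; see the note there.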


@ -0,0 +1,43 @@
{
lib,
config,
inputs,
pkgs,
...
}: let
inherit
(lib)
mkIf
mkOption
types
pipe
concatStringsSep
getExe
;
cfg = config.hooks.ip-search;
in {
options.hooks.ip-search = {
permittedIpv4Addresses = mkOption {
type = with types; listOf str;
default = [];
description = ''
List of permitted IPv4 addresses that the linter will allow.
'';
};
};
config.hooks.ip-search = mkIf cfg.enable {
name = "IP search";
entry = let
permittedIpv4File = pipe cfg.permittedIpv4Addresses [
(concatStringsSep "\n")
(pkgs.writeText "allowed_ipv4.txt")
];
in "${getExe cfg.package} ${permittedIpv4File} .";
pass_filenames = false;
files = "";
package = inputs.self.packages.${pkgs.stdenv.system}.ip-search;
};
}
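Review bot: `pass_filenames = false` together with `files = ""` and an entry that scans `.` means the hook inspects the whole working tree rather than the staged files, so it can fail a commit over an address that sits in an unstaged or untracked file; that trade-off is worth stating, e.g. a comment above line 190 reading `# whole-tree scan: the script walks the directory itself, so staged filenames are not passed and unstaged changes are checked too`. The `permittedIpv4Addresses` description on lines 177–179 should also say what the empty default means (every IPv4 literal found is reported), since that is the strictest possible setting and the one users get unless they set the option. `pkgs.stdenv.system` on line 192 differs from the `system` argument the sibling check file uses; either works, but one spelling across the directory reads better.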


@ -59,7 +59,7 @@ in {
in
pkgs.mkShell {
shellHook = ''
${self.checks.${system}.pre-commit-check.shellHook}
${self.checks.${system}.pre-commit.shellHook}
'';
nativeBuildInputs = with pkgs;


@ -159,6 +159,8 @@
dev-shells/default.nix
./checks
inputs.uterranix.flakeModule
inputs.uk3s-nix.flakeModules.helmCharts
];
@ -292,13 +294,6 @@
helmCharts.main = {
};
checks.pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
alejandra.enable = true;
};
};
packages = let
inherit
(lib')


@ -0,0 +1,50 @@
{lib, ...}: let
inherit
(lib)
makeBinPath
;
in {
flake.overlays.ip-search = final: prev: {
ip-search = prev.writeShellScriptBin "ip-search" ''
if [ $# -lt 2 ] ; then
echo "usage: ip-search <allowed ips file> <directory>"
exit 1
fi
export PATH="${makeBinPath [prev.ripgrep]}:$PATH"
_ipv4_regex='((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.){3}(25[0-5]|(2[0-4]|1\d|[1-9]|)\d)'
_ipv4_matches=()
mapfile -t _ipv4_matches < <( rg "$_ipv4_regex" $2 -oNI | sort | uniq )
_ipv6_regex='a'
_ipv6_matches=()
# TODO
_ipv4_allowed=()
mapfile -t _ipv4_allowed <$1
_ipv4_offending=()
mapfile -t _ipv4_offending < <( diff -U 1 \
<( echo ''${_ipv4_matches[@]} | tr ' ' '\n' | sort | uniq -u ) \
<( echo ''${_ipv4_allowed[@]} | tr ' ' '\n' | sort | uniq -u ) \
| grep '^-' \
| cut -b 2- \
| tail +2 )
for _offending in ''${_ipv4_offending[@]} ; do
echo "found offending ipv4 address $_offending in file(s):"
mapfile -t _files < <( rg -FoN "$_offending" $2 | cut -f 1 -d : | sort | uniq )
for _file in ''${_files[@]} ; do
echo $' - '"$_file"
done
done
echo "Found ''${#_ipv4_offending[@]} offending ipv4 addresses"
exit 69
'';
};
}
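Review bot: The `exit 69` on line 267 is unconditional, so the hook fails every commit, including those with zero offending addresses; it should be `[ "''${#_ipv4_offending[@]}" -eq 0 ] || exit 69` (Nix `''`-string spelling). The scan on line 246 also inherits ripgrep's defaults, which skip hidden files and directories, so dotfiles and CI configuration under dot-directories are never checked — a gap for a tool whose job is to catch addresses before they are committed — while `$1` and `$2` are unquoted on lines 246, 251 and 261 and break on paths containing spaces. The `diff -U 1 | grep | cut | tail` pipeline on lines 253–258 computes a set difference in a fragile way (`uniq -u` silently drops any allow-list entry that appears twice, and `tail +2` depends on the header layout); `comm -23` over two sorted, de-duplicated inputs does the same job directly, and `rg -l` on line 261 yields file names even when `$2` is a single file, where the `cut -d :` approach does not. The rewritten body below keeps the usage check, the regex and the IPv6 placeholder unchanged.
```nix
ip-search = prev.writeShellScriptBin "ip-search" ''
  # … unchanged: usage check, PATH export, _ipv4_regex …
  # --hidden: ripgrep skips dotfiles and dot-directories by default, which would leave
  # e.g. CI configuration unscanned; .gitignore'd paths stay excluded, as a hook wants.
  _rg=(rg --hidden --glob '!.git')
  # … unchanged: _ipv6_regex placeholder …
  # Set difference of two sorted, de-duplicated lists: addresses seen in the tree ($2)
  # that are not present in the allow-list file ($1).
  _ipv4_offending=()
  mapfile -t _ipv4_offending < <( comm -23 \
    <( "''${_rg[@]}" -oNI "$_ipv4_regex" "$2" | sort -u ) \
    <( sort -u "$1" ) )
  for _offending in "''${_ipv4_offending[@]}" ; do
    echo "found offending ipv4 address $_offending in file(s):"
    mapfile -t _files < <( "''${_rg[@]}" -Fl "$_offending" "$2" | sort -u )
    for _file in "''${_files[@]}" ; do
      echo $' - '"$_file"
    done
  done
  echo "Found ''${#_ipv4_offending[@]} offending ipv4 addresses"
  # Non-zero status only when something was actually found.
  [ "''${#_ipv4_offending[@]}" -eq 0 ] || exit 69
'';
```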