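# Pre-commit hook set for this repository, built with inputs.pre-commit-hooks
# and only instantiated on the systems listed in `supportedSystems`.
{
  inputs,
  system,
  lib,
  pkgs,
  ...
}: let
  inherit
    (lib)
    mkIf
    elem
    getExe
    pipe
    concatStringsSep
    makeBinPath
    ;

  supportedSystems = ["x86_64-linux" "aarch64-linux"];

  # Allowlist of IPv4 literals that may appear in the tree, written to the
  # store one address per line. Anything the scanner matches that is not on
  # this list is reported.
  # NOTE(review): the scanner regex has no word boundaries, so dotted version
  # strings also match; some entries here presumably exist for that reason.
  ipv4Allowed = pipe [
    "127.0.0.1"
    "8.8.8.8"
    "64.225.104.221"
    "93.184.77.2"
    "67.207.67.3"
    "64.225.96.1"
    "5.5.5.5"
    "255.255.255.255"
    "2.9.0.1"
    "127.0.0.0"
  ] [
    (concatStringsSep "\n")
    (pkgs.writeText "allowed_ipv4.txt")
  ];

  # Scans the working directory for IPv4 literals that are not allowlisted and
  # lists the files containing each one. Exits 69 when at least one offending
  # address is found and 0 otherwise.
  # NOTE(review): this binding is not referenced in the expression below; the
  # `ip-search` hook presumably comes from ./modules/ip-search.nix. Confirm
  # which copy is actually run.
  ip-search = pkgs.writeShellScriptBin "ip-search" ''
    export PATH="${makeBinPath [pkgs.ripgrep]}:$PATH"

    _ipv4_regex='((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.){3}(25[0-5]|(2[0-4]|1\d|[1-9]|)\d)'

    # TODO: IPv6 addresses are not scanned yet.
    # NOTE: with default options ripgrep skips hidden files, files ignored by
    # .gitignore and binary files, so addresses in those are not reported.

    # Matches that are absent from the allowlist. comm is fed straight from
    # the rg pipeline so that an empty scan yields an empty array rather than
    # a single blank entry.
    _ipv4_offending=()
    mapfile -t _ipv4_offending < <(
      comm -23 \
        <(rg "$_ipv4_regex" . -oNI | sort -u) \
        <(sort -u ${ipv4Allowed})
    )

    for _offending in "''${_ipv4_offending[@]}"; do
      echo "found offending ipv4 address $_offending in file(s):"
      # -l prints file paths only, so names containing ':' or spaces survive.
      mapfile -t _files < <(rg -lF -- "$_offending" . | sort -u)
      for _file in "''${_files[@]}"; do
        printf ' - %s\n' "$_file"
      done
    done

    echo "Found ''${#_ipv4_offending[@]} offending ipv4 addresses"

    # Fail only when something was found. A check that fails on every run
    # tends to be bypassed, which defeats it.
    if (( ''${#_ipv4_offending[@]} > 0 )); then
      exit 69
    fi
  '';
in
  mkIf (elem system supportedSystems) (inputs.pre-commit-hooks.lib.${system}.run {
    imports = [
      ./modules/ip-search.nix
      {_module.args = {inherit inputs;};}
    ];
    src = ./../..;
    hooks = {
      alejandra.enable = true;
      ## produces a lot of annoying lints, disable until specific lints can be disabled per file
      ## https://github.com/oppiliappan/statix/issues/61
      # statix.enable = true;
      ip-search = {
        enable = true;
      };
    };
  })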