Add flake checks (formatter, linters, secret scanner) + CI

.github/workflows/check.yml

@@ -0,0 +1,17 @@
+name: check
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: nix flake check
+        run: nix flake check --accept-flake-config --print-build-logs

.github/workflows/update-flake-lock.yml

@@ -0,0 +1,18 @@
+name: update-flake-lock
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 4 * * 1' # Mondays 04:00 UTC
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/update-flake-lock@main
+        with:
+          pr-title: "flake.lock: weekly update"
+          pr-labels: dependencies
+          commit-msg: "flake.lock: weekly update"

.gitignore

@@ -5,3 +5,6 @@ tmp/
 
 
 /result
+
+# Generated by git-hooks.nix when entering `nix develop`
+/.pre-commit-config.yaml

.gitleaks.toml

@@ -0,0 +1,12 @@
+# gitleaks config — extends the default rules with project-specific allowlists
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Allowlist agenix-encrypted files and public SSH key lists"
+paths = [
+  '''secrets\.nix''',
+  '''secrets/.*\.age''',
+  '''machines/.*\.age''',
+  '''flake\.lock''',
+]

flake.nix

@@ -38,6 +38,14 @@
       url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    git-hooks = {
+      url = "github:cachix/git-hooks.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    treefmt-nix = {
+      url = "github:numtide/treefmt-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     doomemacs = {
       url = "github:doomemacs/doomemacs";
       flake = false;
@@ -69,7 +77,6 @@
     {
       self,
       nixpkgs,
-      nix-darwin,
       flake-utils,
       ...
     }@inputs:
@@ -84,7 +91,7 @@
         self.overlays.default
       ];
       lib = nixpkgs.lib.extend (
-        final: prev:
+        final: _prev:
         import ./lib {
           inherit inputs overlays;
           lib = final;
@@ -97,7 +104,6 @@
         inherit lib;
         inherit (inputs)
           doomemacs
-          home-manager
           nixpkgs
           wallpapers
           ;
@@ -114,65 +120,113 @@
         }
       );
 
-      # Deploy checks
-      checks = builtins.mapAttrs (
-        system: deployLib: deployLib.deployChecks self.deploy
-      ) inputs.deploy-rs.lib;
-
       # Non-NixOS machines (Fedora, WSL, ++)
       homeConfigurations = lib.myme.nixos2hm { inherit (self) nixosConfigurations; };
 
       # Installation mediums
       sdImages = builtins.mapAttrs (
-        name: config: config.config.system.build.sdImage
+        _name: config: config.config.system.build.sdImage
       ) self.nixosConfigurations;
     }
-    // flake-utils.lib.eachSystem [ "aarch64-linux" "x86_64-linux" ] (
-      system:
-      let
-        pkgs = import nixpkgs { inherit system overlays; };
-      in
-      {
-        # Apps for `nix run .#<app>`
-        apps = {
-          agenix = {
-            type = "app";
-            program = "${pkgs.agenix}/bin/agenix";
-          };
-          deploy = {
-            type = "app";
-            program = "${pkgs.deploy-rs.deploy-rs}/bin/deploy";
-          };
-        };
+    //
+      flake-utils.lib.eachSystem
+        [
+          "aarch64-linux"
+          "x86_64-linux"
+          "aarch64-darwin"
+        ]
+        (
+          system:
+          let
+            pkgs = import nixpkgs { inherit system overlays; };
+            isLinux = lib.hasSuffix "-linux" system;
+            treefmtEval = inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
+            pre-commit-check = inputs.git-hooks.lib.${system}.run {
+              src = ./.;
+              default_stages = [ "pre-push" ];
+              hooks = {
+                treefmt = {
+                  enable = true;
+                  package = treefmtEval.config.build.wrapper;
+                };
+                statix.enable = true;
+                deadnix.enable = true;
+                gitleaks = {
+                  enable = true;
+                  name = "gitleaks";
+                  description = "Detect hardcoded secrets";
+                  entry = "${pkgs.gitleaks}/bin/gitleaks detect --no-banner --redact --no-git --source=.";
+                  language = "system";
+                  pass_filenames = false;
+                };
+              };
+            };
+          in
+          {
+            # `nix fmt`
+            formatter = treefmtEval.config.build.wrapper;
+
+            # `nix flake check`
+            checks = {
+              pre-commit = pre-commit-check;
+            }
+            // lib.optionalAttrs (inputs.deploy-rs.lib ? ${system}) (
+              # Only check deploy nodes that target the current system —
+              # cross-arch builds would require qemu emulation in CI.
+              inputs.deploy-rs.lib.${system}.deployChecks {
+                nodes = lib.filterAttrs (
+                  name: _: self.nixosConfigurations.${name}.pkgs.stdenv.hostPlatform.system == system
+                ) self.deploy.nodes;
+              }
+            );
 
-        # All packages under pkgs.myme.pkgs from the overlay
-        packages = pkgs.myme.pkgs;
+            # Apps for `nix run .#<app>` (Linux only)
+            apps = lib.optionalAttrs isLinux {
+              agenix = {
+                type = "app";
+                program = "${pkgs.agenix}/bin/agenix";
+              };
+              deploy = {
+                type = "app";
+                program = "${pkgs.deploy-rs.deploy-rs}/bin/deploy";
+              };
+            };
 
-        devShells = {
-          # Default dev shell (used by direnv)
-          default = pkgs.mkShell {
-            buildInputs = with pkgs; [
-              agenix
-              disko
-              pkgs.myme.pkgs.nixos-bootstrap
-            ];
-          };
+            # All packages under pkgs.myme.pkgs from the overlay (Linux only)
+            packages = lib.optionalAttrs isLinux pkgs.myme.pkgs;
 
-          # Deployment to other nodes
-          deploy = pkgs.mkShell { buildInputs = with pkgs; [ deploy-rs.deploy-rs ]; };
+            devShells = {
+              # Default dev shell (used by direnv) — installs the pre-push hook
+              default = pkgs.mkShell {
+                inherit (pre-commit-check) shellHook;
+                buildInputs =
+                  pre-commit-check.enabledPackages
+                  ++ lib.optionals isLinux (
+                    with pkgs;
+                    [
+                      agenix
+                      disko
+                      myme.pkgs.nixos-bootstrap
+                    ]
+                  );
+              };
+            }
+            // lib.optionalAttrs isLinux {
+              # Deployment to other nodes
+              deploy = pkgs.mkShell { buildInputs = with pkgs; [ deploy-rs.deploy-rs ]; };
 
-          # For hacking on XMonad
-          xmonad = pkgs.mkShell {
-            buildInputs = with pkgs; [
-              (ghc.withPackages (
-                ps: with ps; [
-                  xmonad
-                  xmonad-contrib
-                ]
-              ))
-            ];
-          };
-        };
-      }
-    );
+              # For hacking on XMonad
+              xmonad = pkgs.mkShell {
+                buildInputs = with pkgs; [
+                  (ghc.withPackages (
+                    ps: with ps; [
+                      xmonad
+                      xmonad-contrib
+                    ]
+                  ))
+                ];
+              };
+            };
+          }
+        );
 }

home-manager/btop.nix

@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 {
   programs.btop = {
     enable = lib.mkDefault config.myme.defaultPrograms;