contrib: format with Alejandra

.github/workflows/ci.yaml

@@ -4,20 +4,22 @@ on:
   push:
 jobs:
   tests-linux:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2.3.4
-    - uses: cachix/install-nix-action@v15
+    - uses: actions/checkout@v3
+    - uses: cachix/install-nix-action@v18
       with:
         extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
     - run: nix build
+    - run: nix fmt . -- --check
     - run: nix flake check
   tests-darwin:
     runs-on: macos-11
     steps:
-    - uses: actions/checkout@v2.3.4
-    - uses: cachix/install-nix-action@v15
+    - uses: actions/checkout@v3
+    - uses: cachix/install-nix-action@v18
       with:
         extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
     - run: nix build
+    - run: nix fmt . -- --check
     - run: nix flake check

README.md

@@ -25,6 +25,7 @@
   * [agenix CLI reference](#agenix-cli-reference)
 * [Community and Support](#community-and-support)
 * [Threat model/Warnings](#threat-modelwarnings)
+* [Contributing](#contributing)
 * [Acknowledgements](#acknowledgements)
 
 ## Problem and solution
@@ -536,6 +537,19 @@ authentication code (MAC) like other implementations like GPG or
 [sops](https://github.com/Mic92/sops-nix) have, however this was left
 out for simplicity in `age`.
 
+## Contributing
+
+* The main branch is protected against direct pushes
+* All changes must go through GitHub PR review and get at least one approval
+* PR titles and commit messages should be prefixed with at least one of these categories:
+  * contrib - things that make the project development better
+  * doc - documentation
+  * feature - new features
+  * fix - bug fixes
+* Please update or make integration tests for new features
+* Use `nix fmt` to format nix code
+
+
 ## Acknowledgements
 
 This project is based off of [sops-nix](https://github.com/Mic92/sops-nix) created Mic92. Thank you to Mic92 for inspiration and advice.

default.nix

@@ -1,4 +1,3 @@
-{ pkgs ? import <nixpkgs> {} }:
-{
-  agenix = pkgs.callPackage ./pkgs/agenix.nix  {};
+{pkgs ? import <nixpkgs> {}}: {
+  agenix = pkgs.callPackage ./pkgs/agenix.nix {};
 }

example/secrets.nix

@@ -1,9 +1,8 @@
 let
   user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
   system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
-in
-{
-  "secret1.age".publicKeys = [ user1 system1 ];
-  "secret2.age".publicKeys = [ user1 ];
-  "passwordfile-user1.age".publicKeys = [ user1 system1 ];
+in {
+  "secret1.age".publicKeys = [user1 system1];
+  "secret2.age".publicKeys = [user1];
+  "passwordfile-user1.age".publicKeys = [user1 system1];
 }

flake.nix

@@ -14,18 +14,23 @@
 
     overlays.default = import ./overlay.nix;
 
-    packages.aarch64-linux.agenix = agenix "aarch64-linux";
-    packages.aarch64-linux.default = self.packages.aarch64-linux.agenix;
-
-    packages.i686-linux.agenix = agenix "i686-linux";
-    packages.i686-linux.default = self.packages.i686-linux.agenix;
-
+    formatter.x86_64-darwin = nixpkgs.legacyPackages.x86_64-darwin.alejandra;
     packages.x86_64-darwin.agenix = agenix "x86_64-darwin";
     packages.x86_64-darwin.default = self.packages.x86_64-darwin.agenix;
 
+    formatter.aarch64-darwin = nixpkgs.legacyPackages.aarch64-darwin.alejandra;
     packages.aarch64-darwin.agenix = agenix "aarch64-darwin";
     packages.aarch64-darwin.default = self.packages.aarch64-darwin.agenix;
 
+    formatter.aarch64-linux = nixpkgs.legacyPackages.aarch64-linux.alejandra;
+    packages.aarch64-linux.agenix = agenix "aarch64-linux";
+    packages.aarch64-linux.default = self.packages.aarch64-linux.agenix;
+
+    formatter.i686-linux = nixpkgs.legacyPackages.i686-linux.alejandra;
+    packages.i686-linux.agenix = agenix "i686-linux";
+    packages.i686-linux.default = self.packages.i686-linux.agenix;
+
+    formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
     packages.x86_64-linux.agenix = agenix "x86_64-linux";
     packages.x86_64-linux.default = self.packages.x86_64-linux.agenix;
     checks.x86_64-linux.integration = import ./test/integration.nix {

modules/age.nix

@@ -1,14 +1,17 @@
-{ config, options, lib, pkgs, ... }:
-
-with lib;
-
-let
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
   cfg = config.age;
 
   # we need at least rage 0.5.0 to support ssh keys
   rage =
     if lib.versionOlder pkgs.rage.version "0.5.0"
-    then pkgs.callPackage ../pkgs/rage.nix { }
+    then pkgs.callPackage ../pkgs/rage.nix {}
     else pkgs.rage;
   ageBin = config.age.ageBin;
 
@@ -28,11 +31,15 @@ let
   identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.identityPaths);
 
   setTruePath = secretType: ''
-    ${if secretType.symlink then ''
-      _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
-    '' else ''
-      _truePath="${secretType.path}"
-    ''}
+    ${
+      if secretType.symlink
+      then ''
+        _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
+      ''
+      else ''
+        _truePath="${secretType.path}"
+      ''
+    }
   '';
 
   installSecret = secretType: ''
@@ -55,9 +62,11 @@ let
     ''}
   '';
 
-  testIdentities = map (path: ''
-    test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
-  '') cfg.identityPaths;
+  testIdentities =
+    map (path: ''
+      test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
+    '')
+    cfg.identityPaths;
 
   cleanupAndLink = ''
     _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
@@ -72,10 +81,10 @@ let
   '';
 
   installSecrets = builtins.concatStringsSep "\n" (
-    [ "echo '[agenix] decrypting secrets...'" ]
+    ["echo '[agenix] decrypting secrets...'"]
     ++ testIdentities
     ++ (map installSecret (builtins.attrValues cfg.secrets))
-    ++ [ cleanupAndLink ]
+    ++ [cleanupAndLink]
   );
 
   chownSecret = secretType: ''
@@ -90,11 +99,12 @@ let
   '';
 
   chownSecrets = builtins.concatStringsSep "\n" (
-    [ "echo '[agenix] chowning...'" ]
-    ++ [ chownMountPoint ]
-    ++ (map chownSecret (builtins.attrValues cfg.secrets)));
+    ["echo '[agenix] chowning...'"]
+    ++ [chownMountPoint]
+    ++ (map chownSecret (builtins.attrValues cfg.secrets))
+  );
 
-  secretType = types.submodule ({ config, ... }: {
+  secretType = types.submodule ({config, ...}: {
     options = {
       name = mkOption {
         type = types.str;
@@ -137,14 +147,12 @@ let
           Group of the decrypted secret.
         '';
       };
-      symlink = mkEnableOption "symlinking secrets to their destination" // { default = true; };
+      symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;};
     };
   });
-in
-{
-
+in {
   imports = [
-    (mkRenamedOptionModule [ "age" "sshKeyPaths" ] [ "age" "identityPaths" ])
+    (mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"])
   ];
 
   options.age = {
@@ -157,7 +165,7 @@ in
     };
     secrets = mkOption {
       type = types.attrsOf secretType;
-      default = { };
+      default = {};
       description = ''
         Attrset of secrets.
       '';
@@ -170,11 +178,13 @@ in
       '';
     };
     secretsMountPoint = mkOption {
-      type = types.addCheck types.str
+      type =
+        types.addCheck types.str
         (s:
-          (builtins.match "[ \t\n]*" s) == null # non-empty
-            && (builtins.match ".+/" s) == null) # without trailing slash
-      // { description = "${types.str.description} (with check: non-empty without trailing slash)"; };
+          (builtins.match "[ \t\n]*" s)
+          == null # non-empty
+          && (builtins.match ".+/" s) == null) # without trailing slash
+        // {description = "${types.str.description} (with check: non-empty without trailing slash)";};
       default = "/run/agenix.d";
       defaultText = "/run/agenix.d";
       description = ''
@@ -184,20 +194,22 @@ in
     identityPaths = mkOption {
       type = types.listOf types.path;
       default =
-        if config.services.openssh.enable then
-          map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
-        else [ ];
+        if config.services.openssh.enable
+        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
+        else [];
       description = ''
         Path to SSH keys to be used as identities in age decryption.
       '';
     };
   };
 
-  config = mkIf (cfg.secrets != { }) {
-    assertions = [{
-      assertion = cfg.identityPaths != [ ];
-      message = "age.identityPaths must be set.";
-    }];
+  config = mkIf (cfg.secrets != {}) {
+    assertions = [
+      {
+        assertion = cfg.identityPaths != [];
+        message = "age.identityPaths must be set.";
+      }
+    ];
 
     # Create a new directory full of secrets for symlinking (this helps
     # ensure removed secrets are actually removed, or at least become
@@ -218,7 +230,7 @@ in
     };
 
     # So user passwords can be encrypted.
-    system.activationScripts.users.deps = [ "agenixInstall" ];
+    system.activationScripts.users.deps = ["agenixInstall"];
 
     # Change ownership and group after users and groups are made.
     system.activationScripts.agenixChown = {
@@ -232,8 +244,7 @@ in
     # So other activation scripts can depend on agenix being done.
     system.activationScripts.agenix = {
       text = "";
-      deps = [ "agenixChown"];
+      deps = ["agenixChown"];
     };
   };
-
 }

overlay.nix

@@ -1,4 +1,3 @@
-final: prev:
-{
-  agenix = prev.callPackage ./pkgs/agenix.nix { };
+final: prev: {
+  agenix = prev.callPackage ./pkgs/agenix.nix {};
 }