# Toolchain mise installs for this project. The `python3` invoked by the
# ci-security task is expected to resolve to this interpreter — confirm on
# the CI runner, since a system python3 earlier on PATH would win otherwise.
[tools]
python = "3.13"

# Alias task: the real work is the `flake-check` dependency; the run line is
# only a completion marker and does no checking of its own.
[tasks.check]
description = "Alias for flake check"
depends = ["flake-check"]
run = "echo 'check complete'"

# Rewrites files in place via the formatter configured in the flake
# (whichever `nix fmt` resolves to; not visible from this file).
[tasks.fmt]
description = "Format Nix files"
run = '''
set -eu
nix fmt
'''

# Check-only variant used by ci-validate. `--` hands `--check .` to the
# underlying formatter, so a non-zero exit (and thus a failed task under
# `set -eu`) depends on that formatter supporting a check mode — confirm.
[tasks.fmt-check]
description = "Check Nix formatting"
run = '''
set -eu
nix fmt -- --check .
'''

# Evaluation-only flake check. `--no-build` skips realising the check
# outputs, so build-time failures are NOT caught here; build-dryrun and the
# real deploy tasks are the first place those surface.
[tasks.flake-check]
description = "Run flake checks without building heavy outputs"
run = '''
set -eu
nix flake check --no-build
'''

# Dry-run of the NixOS system closure. Despite the plural in the description
# only the `bit` host is evaluated here; any other host configuration is not
# validated by ci-validate unless added to this task.
[tasks.build-dryrun]
description = "Dry-run build for canonical host configs"
run = '''
set -eu
nix build .#nixosConfigurations.bit.config.system.build.toplevel --dry-run
'''

# Aggregate gate: succeeds only when all three dependencies succeed. The run
# line is a marker, so a CI job that calls this task gets its pass/fail from
# the dependencies alone. Note ci-security is not part of this set.
[tasks.ci-validate]
description = "CI validation pipeline"
depends = ["fmt-check", "flake-check", "build-dryrun"]
run = "echo 'validation complete'"

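# Secret-scanning gate. Layer 1 is detect-secrets over the git-tracked files;
# layers 2 and 3 are coarse grep sweeps (hard-coded credential assignments in
# *.nix, PEM private-key headers anywhere under the tree, including .git and
# untracked files). `set -eu` aborts on any failing command; the two `if`
# pipelines are exempt from `-e` by design and fail the task via `exit 1`.
#
# Supply-chain caveat: detect-secrets is installed unpinned from PyPI on every
# run, so the scanner's own version floats. Pin it, e.g.
# `detect-secrets==<PINNED_VERSION>` (ideally with `--require-hashes`), before
# treating this task as a trustworthy gate.
#
# The run value is a TOML *literal* string ('''), so the backslashes in the
# grep pattern reach the shell untouched and the double-quoted shell string
# turns `\\s` into `\s` and `\\\"` into `\"`. Switching this to a basic """
# string would change the escapes and silently stop the pattern matching.
[tasks.ci-security]
description = "CI security checks"
run = '''
set -eu
python3 -m pip install --quiet detect-secrets
# NOTE(review): `scan --baseline` appears to refresh .secrets.baseline rather
# than fail; the pre_commit_hook call below is the gating step — confirm.
python3 -m detect_secrets scan --baseline .secrets.baseline
# NUL-delimited file list: the previous unquoted $(git ls-files) split paths
# on whitespace and expanded glob characters. xargs exits non-zero if any
# invocation of the hook does, which `set -e` turns into a task failure.
git ls-files -z | xargs -0 python3 -m detect_secrets.pre_commit_hook --baseline .secrets.baseline
if grep -rE "(password|secret|token|api_key|private_key)\\s*=\\s*['\\\"]\\S+" . --include="*.nix" | grep -v ".github"; then
echo "Error: Found potential hardcoded secrets. Use sops-nix for secrets!"
exit 1
fi
if find . -type f -exec grep -lE -- "-----BEGIN [A-Z ]*PRIVATE KEY-----" {} \; | grep -v ".secrets.baseline"; then
echo "Error: Found private keys in repository!"
exit 1
fi
'''
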
# Thin wrapper: all logic lives in ./scripts/mise/update.sh (not shown here).
[tasks.update]
description = "Update flake inputs"
run = '''
set -eu
./scripts/mise/update.sh
'''

# Thin wrapper around ./scripts/mise/deploy.sh. HOST (per the description) is
# read by the script from the environment; nothing in this task validates it,
# so a missing or mistyped value is the script's problem to catch.
[tasks.deploy]
description = "Deploy to host (set HOST=<name>)"
run = '''
set -eu
./scripts/mise/deploy.sh
'''

# Thin wrapper around ./scripts/mise/deploy-all.sh; the "standard host set"
# is defined in that script, not here.
[tasks.deploy-all]
description = "Deploy to standard host set"
run = '''
set -eu
./scripts/mise/deploy-all.sh
'''

# Thin wrapper around ./scripts/mise/pull-deploy.sh. As with deploy, HOST is
# consumed by the script and not checked here.
[tasks.pull-deploy]
description = "git pull then deploy (set HOST=<name>)"
run = '''
set -eu
./scripts/mise/pull-deploy.sh
'''

# Thin wrapper around ./scripts/mise/sync-remote.sh. Data flows from the
# remote host into this working tree, so review the resulting diff before
# committing — the content originated on the host, not here.
[tasks.sync-remote]
description = "Sync changed files from remote host (set HOST=<name>)"
run = '''
set -eu
./scripts/mise/sync-remote.sh
'''

# Thin wrapper around ./scripts/mise/remote-push.sh. The description says this
# uses agent forwarding: while the session is open, the remote host can use
# the forwarded agent to sign, so it should only be run against hosts you
# trust. HOST and the optional BRANCH are read by the script.
[tasks.remote-push]
description = "Commit/push from remote host via agent forwarding (HOST, optional BRANCH)"
run = '''
set -eu
./scripts/mise/remote-push.sh
'''

# Thin wrapper around ./scripts/mise/secrets-edit.sh. The optional FILE
# selection is handled by the script; no path is passed from here.
[tasks.secrets]
description = "Edit encrypted secrets (optional FILE=secrets/...yaml)"
run = '''
set -eu
./scripts/mise/secrets-edit.sh
'''

# Thin wrapper around ./scripts/mise/secrets-view.sh. Per the description this
# prints *decrypted* secrets, so its output is sensitive: do not run it where
# the terminal is captured (CI logs, shared screen recordings, shell history
# of piped output).
[tasks.secrets-view]
description = "View decrypted secrets (optional FILE=secrets/...yaml)"
run = '''
set -eu
./scripts/mise/secrets-view.sh
'''

# Thin wrapper around ./scripts/mise/secrets-update.sh, which (per the
# description) re-keys secrets/*.yaml with `sops updatekeys` — run after the
# recipient key set changes so every file is encrypted to the current keys.
[tasks.secrets-update]
description = "Run sops updatekeys on secrets/*.yaml"
run = '''
set -eu
./scripts/mise/secrets-update.sh
'''
