feat(shell): Add pre-commit hooks and reformat the repo

machines/web01/_hardware-configuration.nix

@@ -6,7 +6,12 @@
 {
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
-    (let sources = import ../../npins; in sources.disko + "/module.nix")
+    (
+      let
+        sources = import ../../npins;
+      in
+      sources.disko + "/module.nix"
+    )
     ./disko.nix
   ];
 }

machines/web01/castopod-head-proxy.nix

@@ -3,31 +3,31 @@ let
   cfg = config.services.castopod;
   fpm = config.services.phpfpm.pools.castopod;
 in
-  {
+{
   services.nginx = {
-      resolver.addresses = [ "127.0.0.53" ];
-      virtualHosts."${cfg.localDomain}" = {
+    resolver.addresses = [ "127.0.0.53" ];
+    virtualHosts."${cfg.localDomain}" = {
 
-        locations."@force_get" = {
-          extraConfig = lib.mkForce ''
-            recursive_error_pages on;
-            proxy_method GET;
-            proxy_pass https://podcasts.dgnum.eu/$request_uri;
-          '';
-        };
+      locations."@force_get" = {
+        extraConfig = lib.mkForce ''
+          recursive_error_pages on;
+          proxy_method GET;
+          proxy_pass https://podcasts.dgnum.eu/$request_uri;
+        '';
+      };
 
-        locations."~ \.php$" = {
-          extraConfig = lib.mkForce ''
-            error_page 550 = @force_get;
-            if ($request_method = HEAD) { return 550; }
-            fastcgi_intercept_errors on;
-            fastcgi_index index.php;
-            fastcgi_pass unix:${fpm.socket};
-            try_files $uri =404;
-            fastcgi_read_timeout 3600;
-            fastcgi_send_timeout 3600;
-          '';
-        };
+      locations."~ .php$" = {
+        extraConfig = lib.mkForce ''
+          error_page 550 = @force_get;
+          if ($request_method = HEAD) { return 550; }
+          fastcgi_intercept_errors on;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${fpm.socket};
+          try_files $uri =404;
+          fastcgi_read_timeout 3600;
+          fastcgi_send_timeout 3600;
+        '';
       };
     };
-  }
+  };
+}

machines/web01/castopod.nix

@@ -1,38 +1,41 @@
-{ config, pkgs, ...}:
+{ config, pkgs, ... }:
 let
   host = "podcasts.dgnum.eu";
 in
 {
-  imports = [
-    ./castopod-head-proxy.nix
-  ];
-  services.castopod = {
-    enable = true;
-    localDomain = host;
-    environmentFile = config.age.secrets.castopod-environment_file.path;
-    maxUploadSize = 512;
-    settings = {
-      "email.fromEmail"="noreply@infra.dgnum.eu";
-      "email.SMTPHost"="kurisu.lahfa.xyz";
-      "email.SMTPUser"="web-services@infra.dgnum.eu";
-      "email.SMTPPort"="587";
+  imports = [ ./castopod-head-proxy.nix ];
 
-      "media.fileManager"="s3";
-      "media.s3.endpoint"="https://s3.dgnum.eu/";
-      "media.s3.region"="garage";
-      "media.s3.bucket"="castopod-dgnum";
-      "media.s3.pathStyleEndpoint"=true;
+  services = {
+    castopod = {
+      enable = true;
+      localDomain = host;
+      environmentFile = config.age.secrets.castopod-environment_file.path;
+      maxUploadSize = 512;
+      settings = {
+        "email.fromEmail" = "noreply@infra.dgnum.eu";
+        "email.SMTPHost" = "kurisu.lahfa.xyz";
+        "email.SMTPUser" = "web-services@infra.dgnum.eu";
+        "email.SMTPPort" = "587";
 
-      "restapi.enabled"=true;
-      "restapi.basicAuthUsername"="castopod";
-      "restapi.basicAuth"=true;
+        "media.fileManager" = "s3";
+        "media.s3.endpoint" = "https://s3.dgnum.eu/";
+        "media.s3.region" = "garage";
+        "media.s3.bucket" = "castopod-dgnum";
+        "media.s3.pathStyleEndpoint" = true;
+
+        "restapi.enabled" = true;
+        "restapi.basicAuthUsername" = "castopod";
+        "restapi.basicAuth" = true;
+      };
+      database.createLocally = true;
+      configureNginx = true;
+    };
+
+    mysql.package = pkgs.mariadb;
+
+    nginx.virtualHosts.${host} = {
+      forceSSL = true;
+      enableACME = true;
     };
-    database.createLocally = true;
-    configureNginx = true;
-  };
-  services.mysql.package = pkgs.mariadb;
-  services.nginx.virtualHosts.${host} = {
-    forceSSL = true;
-    enableACME = true;
   };
 }

machines/web01/disko.nix

@@ -56,7 +56,10 @@ in
                       mountpoint = "/var/log";
                     };
                     "/nix" = {
-                      mountOptions = [ "noatime" "compress=zstd" ];
+                      mountOptions = [
+                        "noatime"
+                        "compress=zstd"
+                      ];
                       mountpoint = "/nix";
                     };
                   };

machines/web01/dolibarr.nix

@@ -1,5 +1,4 @@
-{ ... }:
-{
+_: {
   services.dolibarr = {
     enable = true;
     domain = "erp.dgnum.eu";

machines/web01/linkal/default.nix

@@ -1,4 +1,9 @@
-{ sources, pkgs, lib, ... }:
+{
+  sources,
+  pkgs,
+  lib,
+  ...
+}:
 
 let
   host = "cal.dgnum.eu";
@@ -26,7 +31,8 @@ let
       calendars = metis2linkal sources.metis;
     };
   };
-in {
+in
+{
   imports = [ ./module.nix ];
 
   dgn-linkal = {

machines/web01/linkal/metis-to-linkal.nix

@@ -7,18 +7,10 @@ let
   inherit (import source { inherit pkgs; }) providers;
 
   # helper function to map 2-level deep attribute-sets
-  mapDeepAttrs = mapFct:
-    lib.concatMapAttrs (name: value:
-      lib.mapAttrs' (name': value':
-        mapFct name name' value'
-      ) value
-    );
-
-
-  toLinkal = upstream: identifier:
-    lib.nameValuePair
-    "${providers.${upstream}}${identifier}"
-    ;
+  mapDeepAttrs =
+    mapFct:
+    lib.concatMapAttrs (name: value: lib.mapAttrs' (name': value': mapFct name name' value') value);
 
+  toLinkal = upstream: identifier: lib.nameValuePair "${providers.${upstream}}${identifier}";
 in
-  mapDeepAttrs toLinkal calendars
+mapDeepAttrs toLinkal calendars

machines/web01/linkal/module.nix

@@ -1,14 +1,28 @@
-{ config, lib, pkgs, sources, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  sources,
+  ...
+}:
 
 let
-  inherit (lib) mapAttrs' mkEnableOption mkIf mkOption nameValuePair types;
+  inherit (lib)
+    mapAttrs'
+    mkEnableOption
+    mkIf
+    mkOption
+    nameValuePair
+    types
+    ;
 
   package = import sources.linkal { inherit pkgs; };
 
   cfg = config.dgn-linkal;
 
   jsonFormat = pkgs.formats.json { };
-in {
+in
+{
   options.dgn-linkal = {
     enable = mkEnableOption "the linkal server.";
 
@@ -20,32 +34,40 @@ in {
     domain = mkOption { type = types.str; };
 
     calendarGroups = mkOption {
-      type = let inherit (types) attrsOf port submodule;
-      in attrsOf (submodule {
-        options = {
-          port = mkOption { type = port; };
-          calendars = mkOption { inherit (jsonFormat) type; };
-        };
-      });
+      type =
+        let
+          inherit (types) attrsOf port submodule;
+        in
+        attrsOf (
+          submodule {
+            options = {
+              port = mkOption { type = port; };
+              calendars = mkOption { inherit (jsonFormat) type; };
+            };
+          }
+        );
       default = { };
     };
   };
 
   config = mkIf cfg.enable {
-    systemd.services = mapAttrs' (name:
-      { port, calendars }:
-      nameValuePair "linkal-${name}" {
-        description = "Linkal - ${name}";
-        wantedBy = [ "multi-user.target" ];
-        serviceConfig = {
-          Type = "simple";
-          ExecStart = "${cfg.package}/bin/linkal --port ${
-              builtins.toString port
-            } --calendar-file ${
-              jsonFormat.generate "linkal-${name}.json" { inherit calendars; }
-            }";
-        };
-      }) cfg.calendarGroups;
+    systemd.services =
+      mapAttrs'
+        (
+          name:
+          { port, calendars }:
+          nameValuePair "linkal-${name}" {
+            description = "Linkal - ${name}";
+            wantedBy = [ "multi-user.target" ];
+            serviceConfig = {
+              Type = "simple";
+              ExecStart = "${cfg.package}/bin/linkal --port ${builtins.toString port} --calendar-file ${
+                jsonFormat.generate "linkal-${name}.json" { inherit calendars; }
+              }";
+            };
+          }
+        )
+        cfg.calendarGroups;
 
     # Configure bind for DNS certificate validation on *.cal.dgnum.eu.
     # services.bind = {
@@ -85,16 +107,20 @@ in {
     services.nginx = {
       enable = true;
 
-      virtualHosts = mapAttrs' (name:
-        { port, ... }:
-        nameValuePair "${name}.${cfg.domain}" {
-          enableACME = true;
-          # acmeRoot = null; # Use DNS-01 validation
-          forceSSL = true;
+      virtualHosts =
+        mapAttrs'
+          (
+            name:
+            { port, ... }:
+            nameValuePair "${name}.${cfg.domain}" {
+              enableACME = true;
+              # acmeRoot = null; # Use DNS-01 validation
+              forceSSL = true;
 
-          locations."/".proxyPass =
-            "http://127.0.0.1:${builtins.toString port}/";
-        }) cfg.calendarGroups;
+              locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
+            }
+          )
+          cfg.calendarGroups;
     };
   };
 }

machines/web01/matterbridge.nix

@@ -6,5 +6,7 @@
     configPath = config.age.secrets."matterbridge-config_file".path;
   };
 
-  age-secrets.matches."^matterbridge-.*$" = { owner = "matterbridge"; };
+  age-secrets.matches."^matterbridge-.*$" = {
+    owner = "matterbridge";
+  };
 }

machines/web01/metis/default.nix

@@ -1,24 +1,35 @@
-{ lib, pkgs, sources, ... }:
+{
+  lib,
+  pkgs,
+  sources,
+  ...
+}:
 
 let
   metis = import sources.metis { inherit pkgs; };
 
   inherit (metis) providers;
-in {
+in
+{
   services.nginx.virtualHosts."calendrier.dgnum.eu" = {
     enableACME = true;
     forceSSL = true;
     root = metis.production;
 
-    locations = lib.mapAttrs' (name: value:
-      lib.nameValuePair "/cal/${name}/" {
-        extraConfig = ''
-          proxy_set_header X-Forwarded-Host $host;
-          proxy_set_header X-Forwarded-Server $host;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_pass ${value};
-        '';
-      }) providers;
+    locations =
+      lib.mapAttrs'
+        (
+          name: value:
+          lib.nameValuePair "/cal/${name}/" {
+            extraConfig = ''
+              proxy_set_header X-Forwarded-Host $host;
+              proxy_set_header X-Forwarded-Server $host;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_pass ${value};
+            '';
+          }
+        )
+        providers;
 
     extraConfig = ''
       rewrite ^/calendrier(.*)$ $1 permanent;

machines/web01/ntfy-sh.nix

@@ -1,8 +1,9 @@
 { config, ... }:
 
-let host = "push.dgnum.eu";
-
-in {
+let
+  host = "push.dgnum.eu";
+in
+{
   services.ntfy-sh = {
     enable = true;
 
@@ -26,6 +27,7 @@ in {
     };
   };
 
-  systemd.services.ntfy-sh.serviceConfig.EnvironmentFile =
-    [ config.age.secrets."ntfy_sh-environment_file".path ];
+  systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [
+    config.age.secrets."ntfy_sh-environment_file".path
+  ];
 }

machines/web01/redirections.nix

@@ -3,15 +3,19 @@ _:
 let
   retired_host = "retired.dgnum.eu";
 
-  mkRetired = hosts:
-    builtins.listToAttrs (builtins.map (name: {
-      inherit name;
-      value.to = retired_host;
-    }) hosts);
+  mkRetired =
+    hosts:
+    builtins.listToAttrs (
+      builtins.map
+        (name: {
+          inherit name;
+          value.to = retired_host;
+        })
+        hosts
+    );
 
   mkSub = domain: builtins.map (s: "${s}.${domain}");
-  mkSubs = attrs:
-    builtins.concatLists (builtins.attrValues (builtins.mapAttrs mkSub attrs));
+  mkSubs = attrs: builtins.concatLists (builtins.attrValues (builtins.mapAttrs mkSub attrs));
 
   redirections = {
     "calendrier.eleves.ens.fr".to = "calendrier.dgnum.eu";
@@ -23,9 +27,15 @@ let
   } // (mkRetired retired);
 
   retired = mkSubs {
-    "ens.fr" = [ "alevins" "www.climatenavigator" ];
+    "ens.fr" = [
+      "alevins"
+      "www.climatenavigator"
+    ];
     "ens.wtf" = [ "photos" ];
-    "rz.ens.wtf" = [ "s3" "cdn" ];
+    "rz.ens.wtf" = [
+      "s3"
+      "cdn"
+    ];
     "beta.rz.ens.wtf" = [
       "todo"
       "minecraft"
@@ -39,14 +49,25 @@ let
       "rstudio"
     ];
   };
-
-in {
-  services.nginx.virtualHosts = {
-    ${retired_host}.default = true;
-  } // (builtins.mapAttrs (host:
-    { to, ssl ? true }: {
-      globalRedirect = to;
-      enableACME = ssl;
-      forceSSL = ssl;
-    }) redirections);
+in
+{
+  services.nginx.virtualHosts =
+    {
+      ${retired_host}.default = true;
+    }
+    // (builtins.mapAttrs
+      (
+        _:
+        {
+          to,
+          ssl ? true,
+        }:
+        {
+          globalRedirect = to;
+          enableACME = ssl;
+          forceSSL = ssl;
+        }
+      )
+      redirections
+    );
 }

machines/web01/secrets/secrets.nix

@@ -1,7 +1,8 @@
 let
   lib = import ../../../lib { };
   publicKeys = lib.getNodeKeys "web01";
-in lib.setDefault { inherit publicKeys; } [
+in
+lib.setDefault { inherit publicKeys; } [
   "acme-certs_secret"
   "matterbridge-config_file"
   "named-bind_dnskeys_conf"

machines/web01/static/npins/default.nix

@@ -1,20 +1,34 @@
 # Generated by npins. Do not modify; will be overwritten regularly
 let
   data = builtins.fromJSON (builtins.readFile ./sources.json);
-  version = data.version;
+  inherit (data) version;
 
-  mkSource = spec:
-    assert spec ? type; let
+  mkSource =
+    spec:
+    assert spec ? type;
+    let
       path =
-        if spec.type == "Git" then mkGitSource spec
-        else if spec.type == "GitRelease" then mkGitSource spec
-        else if spec.type == "PyPi" then mkPyPiSource spec
-        else if spec.type == "Channel" then mkChannelSource spec
-        else builtins.throw "Unknown source type ${spec.type}";
+        if spec.type == "Git" then
+          mkGitSource spec
+        else if spec.type == "GitRelease" then
+          mkGitSource spec
+        else if spec.type == "PyPi" then
+          mkPyPiSource spec
+        else if spec.type == "Channel" then
+          mkChannelSource spec
+        else
+          builtins.throw "Unknown source type ${spec.type}";
     in
     spec // { outPath = path; };
 
-  mkGitSource = { repository, revision, url ? null, hash, ... }:
+  mkGitSource =
+    {
+      repository,
+      revision,
+      url ? null,
+      hash,
+      ...
+    }:
     assert repository ? type;
     # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
     # In the latter case, there we will always be an url to the tarball
@@ -23,19 +37,23 @@ let
         inherit url;
         sha256 = hash; # FIXME: check nix version & use SRI hashes
       })
-    else assert repository.type == "Git"; builtins.fetchGit {
-      url = repository.url;
-      rev = revision;
-      # hash = hash;
-    };
+    else
+      assert repository.type == "Git";
+      builtins.fetchGit {
+        inherit (repository) url;
+        rev = revision;
+        # hash = hash;
+      };
 
-  mkPyPiSource = { url, hash, ... }:
+  mkPyPiSource =
+    { url, hash, ... }:
     builtins.fetchurl {
       inherit url;
       sha256 = hash;
     };
 
-  mkChannelSource = { url, hash, ... }:
+  mkChannelSource =
+    { url, hash, ... }:
     builtins.fetchTarball {
       inherit url;
       sha256 = hash;

machines/web01/wordpress/default.nix

@@ -1,7 +1,9 @@
 { pkgs, sources, ... }:
 
-let wp4nix = pkgs.callPackage sources.wp4nix { };
-in {
+let
+  wp4nix = pkgs.callPackage sources.wp4nix { };
+in
+{
   imports = [ ./module.nix ];
 
   services.wp-containers = {
@@ -9,26 +11,38 @@ in {
 
     sites = {
       "lavoixduntexte.normalesup.eu" = {
-        themes = { inherit (wp4nix.themes) avant; };
+        themes = {
+          inherit (wp4nix.themes) avant;
+        };
 
-        plugins = { inherit (wp4nix.plugins) wordpress-importer; };
+        plugins = {
+          inherit (wp4nix.plugins) wordpress-importer;
+        };
 
         languages = [ pkgs.wordpressPackages.languages.fr_FR ];
       };
 
       "bds.wp.dgnum.eu" = {
-        plugins = { inherit (wp4nix.plugins) user-role-editor; };
+        plugins = {
+          inherit (wp4nix.plugins) user-role-editor;
+        };
         languages = [ pkgs.wordpressPackages.languages.fr_FR ];
-        themes = { inherit (wp4nix.themes) gateway twentytwentythree; };
+        themes = {
+          inherit (wp4nix.themes) gateway twentytwentythree;
+        };
       };
 
       "bda.wp.dgnum.eu" = {
-        plugins = { inherit (wp4nix.plugins) user-role-editor; };
+        plugins = {
+          inherit (wp4nix.plugins) user-role-editor;
+        };
         languages = [ pkgs.wordpressPackages.languages.fr_FR ];
       };
 
       "cineclub.wp.dgnum.eu" = {
-        plugins = { inherit (wp4nix.plugins) user-role-editor; };
+        plugins = {
+          inherit (wp4nix.plugins) user-role-editor;
+        };
         languages = [ pkgs.wordpressPackages.languages.fr_FR ];
       };
     };

machines/web01/wordpress/module.nix

@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 let
   inherit (lib) mkEnableOption mkIf mkOption;
@@ -13,41 +18,52 @@ let
   mkHost = mkIp "10.31.41";
   mkLocal = mkIp "10.0.0";
 
-  mkConfig = { name, value, i }: {
-    services.wordpress = {
-      webserver = "nginx";
-      sites.${name} = value;
+  mkConfig =
+    {
+      name,
+      value,
+      i,
+    }:
+    {
+      services.wordpress = {
+        webserver = "nginx";
+        sites.${name} = value;
+      };
+
+      services.nginx.virtualHosts.${name} = {
+        onlySSL = true;
+        sslCertificate = "${certs.${name}.directory}/fullchain.pem";
+        sslCertificateKey = "${certs.${name}.directory}/key.pem";
+        sslTrustedCertificate = "${certs.${name}.directory}/chain.pem";
+      };
+
+      networking = {
+        hostName = mkName name;
+        hosts.${mkLocal i} = [ name ];
+
+        firewall.allowedTCPPorts = [ 443 ];
+      };
+
+      environment.systemPackages = [
+        pkgs.wp-cli
+        pkgs.neovim
+      ];
+
+      system.stateVersion = "23.11";
     };
 
-    services.nginx.virtualHosts.${name} = {
-      onlySSL = true;
-      sslCertificate = "${certs.${name}.directory}/fullchain.pem";
-      sslCertificateKey = "${certs.${name}.directory}/key.pem";
-      sslTrustedCertificate = "${certs.${name}.directory}/chain.pem";
-    };
-
-    networking = {
-      hostName = mkName name;
-      hosts.${mkLocal i} = [ name ];
-
-      firewall.allowedTCPPorts = [ 443 ];
-    };
-
-    environment.systemPackages = [ pkgs.wp-cli pkgs.neovim ];
-
-    system.stateVersion = "23.11";
-  };
-
   mkContainer = i: site: {
     name = mkName site.name;
 
     value = {
       privateNetwork = true;
 
-      forwardPorts = [{
-        containerPort = 443;
-        hostPort = cfg.basePort + i;
-      }];
+      forwardPorts = [
+        {
+          containerPort = 443;
+          hostPort = cfg.basePort + i;
+        }
+      ];
 
       bindMounts.certs = {
         hostPath = certs.${site.name}.directory;
@@ -69,13 +85,13 @@ let
       enableACME = true;
       forceSSL = true;
 
-      locations."/".proxyPass =
-        "https://${mkHost i}:${builtins.toString (cfg.basePort + i)}";
+      locations."/".proxyPass = "https://${mkHost i}:${builtins.toString (cfg.basePort + i)}";
     };
   };
 
   siteList = lib.attrsToList cfg.sites;
-in {
+in
+{
   options.services.wp-containers = {
     enable = mkEnableOption "wordpress sites in containers";
 
@@ -93,7 +109,6 @@ in {
   config = mkIf cfg.enable {
     containers = builtins.listToAttrs (lib.imap1 mkContainer siteList);
 
-    services.nginx.virtualHosts =
-      builtins.listToAttrs (lib.imap1 mkVhost siteList);
+    services.nginx.virtualHosts = builtins.listToAttrs (lib.imap1 mkVhost siteList);
   };
 }