feat(nix): Add comprehensive Nix pre-commit hooks

.pre-commit-hooks.yaml

@@ -3,6 +3,55 @@
   description: This hook copies all files at /etc/nixos to $GIT_DIR/nixos/backup.
   entry: hooks/backup-nixos.sh
   language: script
+- id: nixos-build
+  name: Building Nix Packages
+  description: This runs nix-build on all files passed to it.
+  entry: hooks/nix/nix-build.sh
+  language: script
+  files: packages\.nix$
+- id: nix-flake-check
+  name: Check Nix flakes
+  description: Validates Nix flakes using 'nix flake check'
+  entry: hooks/nix/nix-flake-check.sh
+  language: script
+  files: flake\.nix$
+  pass_filenames: true
+- id: nix-build-check
+  name: Check Nix builds
+  description: Tests that Nix expressions build successfully
+  entry: hooks/nix/nix-build-check.sh
+  language: script
+  files: (default|shell)\.nix$
+  pass_filenames: true
+- id: nix-darwin-check
+  name: Check nix-darwin configuration
+  description: Validates nix-darwin configurations
+  entry: hooks/nix/nix-darwin-check.sh
+  language: script
+  files: darwin.*\.nix$
+  pass_filenames: true
+- id: nix-home-manager-check
+  name: Check home-manager configuration
+  description: Validates home-manager configurations
+  entry: hooks/nix/nix-home-manager-check.sh
+  language: script
+  files: (home|users/.*|home-manager/.*)\.nix$
+  pass_filenames: true
+- id: nix-fmt
+  name: Format Nix files
+  description: Formats Nix files using nixpkgs-fmt or alejandra
+  entry: hooks/nix/nix-fmt.sh
+  language: script
+  files: \.nix$
+  pass_filenames: true
+  args: [--formatter=nixpkgs-fmt]
+- id: nix-lint
+  name: Lint Nix files
+  description: Lints Nix files using statix and optionally deadnix
+  entry: hooks/nix/nix-lint.sh
+  language: script
+  files: \.nix$
+  pass_filenames: true
 - id: op-ggshield-img
   name: 1PW-GGShield
   description: This hook downloads and runs a docker container that calls `op run -- ggshield secret scan pre-commit`.

TODO.md

@@ -25,3 +25,9 @@
     - PR(in-toto/witness): Make config file more intuitive
     - PR(in-toto/witness): Add additional Examples
     - PR(in-toto/witness): Add `.pre-commit-hooks.yaml` & `/hooks/witness.sh`
+
+## Cargo hooks
+
+- sort `mod.rs` files contents
+- check for code doc coverage
+- create issues out of `**/TODO.md` contents via the `gh` cli or `octocrate`

hooks/nix/nix-build-check.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+# Check for required commands
+for cmd in nix nix-build; do
+  if ! command -v "$cmd" &> /dev/null; then
+    echo "$cmd is not installed"
+    exit 1
+  fi
+done
+
+PASS=true
+DRY_RUN="${NIX_BUILD_DRY_RUN:-false}"
+BUILD_ARGS="${NIX_BUILD_ARGS:-}"
+
+# Process each file
+for file in "$@"; do
+  # Skip non-nix files
+  if [[ ! "$file" =~ \.nix$ ]]; then
+    continue
+  fi
+
+  echo "Checking build for $file..."
+
+  # Determine if this is a flake or legacy nix file
+  if [[ "$(basename "$file")" == "flake.nix" ]]; then
+    # For flakes, build from the directory
+    flake_dir="$(dirname "$file")"
+
+    if [[ "$DRY_RUN" == "true" ]]; then
+      echo "Running dry build for flake in $flake_dir..."
+      # shellcheck disable=SC2086
+      if ! nix build "$flake_dir" --dry-run $BUILD_ARGS 2>&1; then
+        echo "ERROR: Flake build check failed for $file"
+        PASS=false
+      else
+        echo "✓ Flake build check passed for $file"
+      fi
+    else
+      echo "Running build for flake in $flake_dir..."
+      # shellcheck disable=SC2086
+      if ! nix build "$flake_dir" --no-link $BUILD_ARGS 2>&1; then
+        echo "ERROR: Flake build failed for $file"
+        PASS=false
+      else
+        echo "✓ Flake build passed for $file"
+      fi
+    fi
+  else
+    # For legacy nix files
+    if [[ "$DRY_RUN" == "true" ]]; then
+      echo "Running dry build for $file..."
+      # shellcheck disable=SC2086
+      if ! nix-build "$file" --dry-run --no-out-link $BUILD_ARGS 2>&1; then
+        echo "ERROR: Build check failed for $file"
+        PASS=false
+      else
+        echo "✓ Build check passed for $file"
+      fi
+    else
+      echo "Running build for $file..."
+      # shellcheck disable=SC2086
+      if ! nix-build "$file" --no-out-link $BUILD_ARGS 2>&1; then
+        echo "ERROR: Build failed for $file"
+        PASS=false
+      else
+        echo "✓ Build passed for $file"
+      fi
+    fi
+  fi
+done
+
+if ! $PASS; then
+  exit 1
+fi

hooks/nix/nix-darwin-check.sh

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+
+# Check if we're on Darwin
+if [[ "$(uname)" != "Darwin" ]]; then
+  echo "Skipping nix-darwin check on non-Darwin platform"
+  exit 0
+fi
+
+# Check for required commands
+for cmd in nix darwin-rebuild; do
+  if ! command -v "$cmd" &> /dev/null; then
+    echo "$cmd is not installed"
+    echo "Please install nix-darwin: https://github.com/LnL7/nix-darwin"
+    exit 1
+  fi
+done
+
+PASS=true
+CHECK_MODE="${DARWIN_CHECK_MODE:-check}" # Options: check, dry-build
+
+# Process each file
+for file in "$@"; do
+  # Skip non-nix files
+  if [[ ! "$file" =~ \.nix$ ]]; then
+    continue
+  fi
+
+  # Skip files that don't look like darwin configurations
+  if ! grep -q "darwin\|nix-darwin" "$file" 2> /dev/null; then
+    continue
+  fi
+
+  echo "Checking darwin configuration: $file..."
+
+  # Determine if this is a flake-based darwin config
+  flake_dir="$(dirname "$file")"
+  if [[ -f "$flake_dir/flake.nix" ]] && grep -q "darwin" "$flake_dir/flake.nix" 2> /dev/null; then
+    # Flake-based darwin configuration
+    echo "Detected flake-based darwin configuration"
+
+    case "$CHECK_MODE" in
+      check)
+        if ! darwin-rebuild check --flake "$flake_dir" 2>&1; then
+          echo "ERROR: Darwin configuration check failed for $file"
+          PASS=false
+        else
+          echo "✓ Darwin configuration check passed for $file"
+        fi
+        ;;
+      dry-build)
+        if ! darwin-rebuild build --dry-run --flake "$flake_dir" 2>&1; then
+          echo "ERROR: Darwin dry-build failed for $file"
+          PASS=false
+        else
+          echo "✓ Darwin dry-build passed for $file"
+        fi
+        ;;
+    esac
+  else
+    # Legacy darwin configuration
+    echo "Detected legacy darwin configuration"
+
+    # Create a temporary configuration that imports the file
+    temp_config="$(mktemp -t darwin-check.XXXXXX.nix)"
+    cat > "$temp_config" << EOF
+{ config, pkgs, ... }:
+{
+  imports = [ $file ];
+}
+EOF
+
+    case "$CHECK_MODE" in
+      check)
+        if ! darwin-rebuild check -I "darwin-config=$temp_config" 2>&1; then
+          echo "ERROR: Darwin configuration check failed for $file"
+          PASS=false
+        else
+          echo "✓ Darwin configuration check passed for $file"
+        fi
+        ;;
+      dry-build)
+        if ! darwin-rebuild build --dry-run -I "darwin-config=$temp_config" 2>&1; then
+          echo "ERROR: Darwin dry-build failed for $file"
+          PASS=false
+        else
+          echo "✓ Darwin dry-build passed for $file"
+        fi
+        ;;
+    esac
+
+    rm -f "$temp_config"
+  fi
+done
+
+if ! $PASS; then
+  exit 1
+fi

hooks/nix/nix-flake-check.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Check for required commands
+if ! command -v nix &> /dev/null; then
+  echo "nix is not installed"
+  exit 1
+fi
+
+# Check if experimental features are enabled
+if ! nix --version &> /dev/null || ! nix flake --help &> /dev/null 2>&1; then
+  echo "Nix flakes experimental feature is not enabled"
+  echo "Add 'experimental-features = nix-command flakes' to your nix.conf"
+  exit 1
+fi
+
+PASS=true
+
+# Process each file
+for file in "$@"; do
+  # Skip if not a flake.nix file
+  if [[ "$(basename "$file")" != "flake.nix" ]]; then
+    continue
+  fi
+
+  # Get the directory containing the flake
+  flake_dir="$(dirname "$file")"
+
+  echo "Checking flake in $flake_dir..."
+
+  # Run flake check
+  if ! nix flake check "$flake_dir" 2>&1; then
+    echo "ERROR: Flake check failed for $file"
+    PASS=false
+  else
+    echo "✓ Flake check passed for $file"
+  fi
+
+  # Optionally show flake structure (useful for debugging)
+  if [[ "${NIX_FLAKE_SHOW:-false}" == "true" ]]; then
+    echo "Flake structure:"
+    nix flake show "$flake_dir" 2>&1 || true
+  fi
+done
+
+if ! $PASS; then
+  exit 1
+fi