feat: initial dendritic implementation

Author: HeitorAugustoLN

.editorconfig

@@ -0,0 +1,12 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[justfile]
+indent_size = 4

.envrc

@@ -0,0 +1,4 @@
+# shellcheck shell=bash
+if has nix_direnv_version; then
+  use flake
+fi

.github/FUNDING.yaml

@@ -0,0 +1 @@
+github: HeitorAugustoLN

.github/dependabot.yaml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+    labels:
+      - dependencies
+      - github-actions
+    commit-message:
+      prefix: ci
+      include: scope

.github/workflows/build.yaml

@@ -0,0 +1,94 @@
+name: Build
+run-name: Build for ${{ github.ref_name }} by ${{ github.actor }}
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+jobs:
+  build-hosts:
+    timeout-minutes: 60
+    name: Build ${{ matrix.host }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        include:
+          - host: axolotl
+            runner: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up Nix
+        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
+      - name: Set up Cachix
+        uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
+        with:
+          name: heitor
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Build host
+        run: nix build .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel --accept-flake-config
+  build-dev-shells:
+    timeout-minutes: 15
+    name: Build devShell for ${{ matrix.package }} on ${{ matrix.system }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        system:
+          - aarch64-linux
+          - x86_64-linux
+        include:
+          - system: x86_64-linux
+            runner: ubuntu-latest
+          - system: aarch64-linux
+            runner: ubuntu-24.04-arm
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up Nix
+        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
+      - name: Set up Cachix
+        uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
+        with:
+          name: heitor
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Build devShell
+        run: nix build .#devShells.${{ matrix.system }}.default --accept-flake-config
+  build-formatter:
+    timeout-minutes: 14
+    name: Build formatter on ${{ matrix.system }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        system:
+          - aarch64-linux
+          - x86_64-linux
+        include:
+          - system: x86_64-linux
+            runner: ubuntu-latest
+          - system: aarch64-linux
+            runner: ubuntu-24.04-arm
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up Nix
+        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
+      - name: Set up Cachix
+        uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
+        with:
+          name: heitor
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Build formatter
+        run: nix build .#formatter.${{ matrix.system }} --accept-flake-config

.github/workflows/check.yaml

@@ -0,0 +1,36 @@
+name: Flake check
+run-name: Flake check for ${{ github.ref_name }} by ${{ github.actor }}
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+jobs:
+  check:
+    timeout-minutes: 32
+    name: Check flake on ${{ matrix.system }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        include:
+          - system: x86_64-linux
+            runner: ubuntu-latest
+          - system: aarch64-linux
+            runner: ubuntu-24.04-arm
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up Nix
+        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
+      - name: Set up Cachix
+        uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
+        with:
+          name: heitor
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Run flake check
+        run: nix flake check --accept-flake-config

.github/workflows/dependabot-auto-merge.yaml

@@ -0,0 +1,22 @@
+name: Dependabot auto-merge
+run-name: Dependabot auto-merge for ${{ github.event.pull_request.title }}
+on: pull_request
+permissions:
+  contents: write
+  pull-requests: write
+jobs:
+  dependabot:
+    timeout-minutes: 11
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --squash --delete-branch "$PR_URL"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}

.github/workflows/update-flake.yaml

@@ -0,0 +1,68 @@
+name: Update flake inputs
+run-name: Update flake inputs by ${{ github.actor }}
+on:
+  schedule:
+    - cron: "0 0 */3 * *" # Every 3 days at midnight UTC
+  workflow_dispatch:
+jobs:
+  update-flake:
+    timeout-minutes: 11
+    name: Update flake inputs
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up Nix
+        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
+      - name: Generate app token
+        id: app-token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        with:
+          app-id: ${{ vars.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_PRIVATE_KEY }}
+          permission-contents: write
+          permission-pull-requests: write
+      - name: Configure Git
+        run: |
+          git config user.name "heitor-bot[bot]"
+          git config user.email "246902415+heitor-bot[bot]@users.noreply.github.com"
+      - name: Update flake.lock
+        run: |
+          nix flake update --accept-flake-config --commit-lock-file
+      - name: Get commit message for PR body
+        id: pr-body
+        run: |
+          COMMIT_BODY=$(git log -1 --pretty=%b)
+          {
+            echo "pr-body<<EOF"
+            echo "### Automated flake update"
+            echo ""
+            echo "\`\`\`"
+            echo "$COMMIT_BODY"
+            echo "\`\`\`"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+      - name: Create Pull Request
+        id: pull-request
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          body: ${{ steps.pr-body.outputs.pr-body }}
+          branch: update-flake-lock
+          delete-branch: true
+          labels: |
+            dependencies
+            nix
+          sign-commits: true
+          title: "chore(deps): update flake"
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Enable auto-merge
+        if: steps.pull-request.outputs.pull-request-number
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          PR_URL: ${{ steps.pull-request.outputs.pull-request-url }}
+        run: gh pr merge --auto --squash --delete-branch "$PR_URL"

.gitignore

@@ -0,0 +1,2 @@
+.direnv/
+result*

.sops.yaml

@@ -0,0 +1,17 @@
+keys:
+  # TODO: replace with actual public keys
+  - &heitor ssh-ed25519 AAAA...
+  - &axolotl ssh-ed25519 AAAA...
+creation_rules:
+  - path_regex: ^secrets/hosts/common\.yaml$
+    key_groups:
+      - age:
+          - *axolotl
+  - path_regex: ^secrets/hosts/axolotl\.yaml$
+    key_groups:
+      - age:
+          - *axolotl
+  - path_regex: ^secrets/users/heitor\.yaml$
+    key_groups:
+      - age:
+          - *heitor