updates

Author: svnlto

.editorconfig

@@ -0,0 +1,9 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = false
+insert_final_newline = false

.github/workflows/nix-formatting.yml

@@ -0,0 +1,28 @@
+---
+name: Nix Formatting Check
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  check-formatting:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v22
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - name: Install nixpkgs-fmt
+        run: nix-env -iA nixpkgs.nixpkgs-fmt
+
+      - name: Check formatting
+        run: find . -name "*.nix" -type f | xargs nixpkgs-fmt --check

.github/workflows/pre-commit.yml

@@ -0,0 +1,31 @@
+---
+name: Pre-commit Checks
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+
+      - uses: actions/cache@v3
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Install pre-commit
+        run: pip install pre-commit
+
+      - name: Run pre-commit hooks
+        run: pre-commit run --all-files

.github/workflows/vagrant-test.yml

@@ -0,0 +1,67 @@
+---
+name: Vagrant VM Test
+
+on:
+  # Run only manually or on major changes to minimize macOS runner usage
+  workflow_dispatch:
+  push:
+    branches: [ main ]
+    paths:
+      - 'vagrant/**'
+      - 'Vagrantfile'
+      - 'flake.nix'
+      - 'flake.lock'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'vagrant/**'
+      - 'Vagrantfile'
+      - 'flake.nix'
+      - 'flake.lock'
+
+jobs:
+  # First job: Just validate the Vagrantfile syntax on Linux (cheaper)
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Vagrant
+        run: |
+          wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
+          echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
+          sudo apt update && sudo apt install vagrant
+
+      - name: Validate Vagrantfile
+        run: vagrant validate
+
+  # Only run the more expensive macOS test if explicitly requested via workflow_dispatch
+  # example: gh repo run workflow vagrant-test --ref main
+  vagrant-test:
+    needs: validate
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Vagrant and UTM
+        run: |
+          brew install hashicorp/tap/hashicorp-vagrant
+          brew install --cask utm
+
+      - name: Install vagrant-utm plugin
+        run: vagrant plugin install vagrant-utm
+
+      - name: Run VM and test provisioning
+        run: |
+          # Start VM with minimal resources for CI
+          UTM_MEMORY=4096 UTM_CPUS=2 vagrant up --no-provision
+
+          # Run only the RAM disk provisioner to test it specifically
+          vagrant provision --provision-with "shell"
+
+          # Test RAM disk setup
+          vagrant ssh -c "ls -la /ramdisk"
+
+          # Clean up
+          vagrant destroy -f

.pre-commit-config.yaml

@@ -0,0 +1,51 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: detect-private-key
+      - id: check-merge-conflict
+      - id: mixed-line-ending
+        args: ['--fix=lf']
+
+  - repo: https://github.com/nix-community/nixpkgs-fmt
+    rev: v1.3.0
+    hooks:
+      - id: nixpkgs-fmt
+        name: nixpkgs-fmt
+        description: Format nix code with nixpkgs-fmt
+        entry: nixpkgs-fmt
+        language: system
+        files: \.nix$
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.25.1
+    hooks:
+      - id: gitleaks
+        name: gitleaks
+        description: Detect secrets in your files
+        entry: gitleaks protect --verbose --redact --staged
+        language: golang
+        pass_filenames: false
+
+  - repo: local
+    hooks:
+      - id: shellcheck
+        name: shellcheck
+        description: Lint shell scripts with shellcheck
+        entry: shellcheck
+        language: system
+        types: [shell]
+        exclude_types: [zsh]
+
+      - id: vagrant-validate
+        name: Vagrant Validate
+        description: Validate Vagrantfile syntax
+        entry: vagrant validate
+        language: system
+        files: ^Vagrantfile$
+        pass_filenames: false

darwin/homebrew.nix

@@ -4,7 +4,7 @@
   homebrew = {
     enable = true;
     taps = [ "FelixKratz/formulae" "hashicorp/tap" ];
-    brews = [ "mas" "dockutil" ];
+    brews = [ "mas" "dockutil" "pre-commit" ];
     casks = [
       # Security & Password Management
       "1password"

renovate.json

@@ -0,0 +1,105 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":semanticCommits",
+    ":enableVulnerabilityAlerts"
+  ],
+  "labels": [
+    "dependencies"
+  ],
+  "packageRules": [
+    {
+      "matchManagers": [
+        "nix"
+      ],
+      "addLabels": [
+        "nix"
+      ],
+      "pinDigests": true
+    },
+    {
+      "matchDepTypes": [
+        "github-actions"
+      ],
+      "addLabels": [
+        "github-actions"
+      ],
+      "groupName": "github-actions",
+      "pinDigests": true
+    },
+    {
+      "matchManagers": [
+        "pre-commit"
+      ],
+      "addLabels": [
+        "pre-commit"
+      ],
+      "pinDigests": true
+    },
+    {
+      "matchUpdateTypes": [
+        "minor",
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "automerge": true
+    },
+    {
+      "matchDepPatterns": [
+        "^nixpkgs"
+      ],
+      "schedule": [
+        "every 2 weeks"
+      ],
+      "pinDigests": true
+    },
+    {
+      "matchPackagePatterns": [
+        ".*"
+      ],
+      "pinDigests": true
+    }
+  ],
+  "nix": {
+    "enabled": true,
+    "fileMatch": [
+      "^flake\\.nix$",
+      "^overlays\\/.*\\.nix$",
+      "^common\\/.*\\.nix$",
+      "^darwin\\/.*\\.nix$",
+      "^vagrant\\/.*\\.nix$"
+    ]
+  },
+  "pre-commit": {
+    "enabled": true,
+    "fileMatch": [
+      "^\\.pre-commit-config\\.ya?ml$"
+    ]
+  },
+  "github-actions": {
+    "fileMatch": [
+      "^\\.github/workflows/[^/]+\\.ya?ml$"
+    ],
+    "enabled": true
+  },
+  "separateMajorMinor": true,
+  "dependencyDashboard": false,
+  "schedule": [
+    "every weekend"
+  ],
+  "prConcurrentLimit": 5,
+  "prHourlyLimit": 2,
+  "rebaseWhen": "auto",
+  "ignorePaths": [
+    "**/node_modules/**"
+  ],
+  "pinDigests": true,
+  "lockFileMaintenance": {
+    "enabled": true,
+    "schedule": [
+      "before 5am on Monday"
+    ]
+  }
+}