chore: setup devfiles

2025-02-05 11:59:43 -03:00 · 2025-02-05 11:59:43 -03:00 · 981e35124a
commit 981e35124a
parent 7c6cd6967a
11 changed files with 109 additions and 17 deletions
--- a/.devfiles/bin/.gitkeep
+++ b/.devfiles/bin/.gitkeep
--- a/.devfiles/hooks/.gitkeep
+++ b/.devfiles/hooks/.gitkeep
--- a/.devfiles/hooks/commit-msg.sh
+++ b/.devfiles/hooks/commit-msg.sh
@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+cog verify --file "$1"
--- a/.devfiles/hooks/pre-commit.sh
+++ b/.devfiles/hooks/pre-commit.sh
@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+root="$(git rev-parse --show-toplevel)"
+
+cd "$root"
+
+gitleaks git
+
+# Only validate encrypted files if we are tracking any
+if [[ -e .ageboxreg.yml ]]; then
+  agebox validate --no-decrypt
+fi
--- a/.devfiles/justfile
+++ b/.devfiles/justfile
@ -0,0 +1,43 @@
+set dotenv-load := true
+
+export PATH := source_dir() + "/bin:" + source_dir() + "/scripts:" + env("PATH")
+export AGEBOX_DEBUG := "0"
+export AGEBOX_PUBLIC_KEYS := source_dir() + "/public_keys.txt"
+
+# Install agebox from the latest github realse
+install-agebox:
+  curl -sSL "https://github.com/slok/agebox/releases/latest/download/agebox-linux-amd64" -o .devfiles/bin/agebox
+  chmod + x .devfiles/bin/agebox
+
+[no-cd]
+install-hooks:
+  cog install-hook --all
+
+# Easy and simple file repository encryption tool based on Age.
+agebox +ARGS="--help":
+  @.devfiles/bin/agebox  {{ ARGS }}
+
+# Encrypt the provided files, relative to project root.
+encrypt +FILES: (agebox "encrypt " + FILES)
+
+# Encrypt all the tracked files.
+encrypt-all: (agebox "encrypt --all")
+
+# Decrypt the provided files, relative to project root.
+decrypt +FILES: (agebox "decrypt " + FILES)
+
+# Decrypt all the tracked files.
+decrypt-all: (agebox "decrypt --all --force")
+
+# Reencrypt all the tracked files with the new public keys.
+reencrypt: (agebox "reencrypt")
+
+# Show the content of an encrypted file to stdout.
+crypt-peek +FILES: (agebox "cat " + FILES)
+
+# Validate that all tracked files are encrypted.
+crypt-check:(agebox "validate --no-decrypt ")
+
+# Validate no credentials are pushed to git
+leaks:
+  @gitleaks git --verbose --redact
--- a/.devfiles/public_keys.txt
+++ b/.devfiles/public_keys.txt
@ -0,0 +1,2 @@
+# anavarro
+age1gj7hj894l0a0lvu3fsndlkdkyc0da7963kcqhpfe43reflx3gafqnm058u
--- a/.devfiles/scripts/.gitkeep
+++ b/.devfiles/scripts/.gitkeep
--- a/.devfiles/scripts/dependecy-check.sh
+++ b/.devfiles/scripts/dependecy-check.sh
@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+root="$(git rev-parse --show-toplevel)"
+
+export PATH=$root/.devfiles/bin:$root/.devfiles/scripts:$PATH
+
+devtools=(
+  age
+  agebox
+  cog
+  gitleaks
+)
+
+missing_tools=()
+
+for cmd in "${devtools[@]}"; do
+  if ! command -v "$cmd" &>/dev/null; then
+    missing_tools+=("$cmd")
+  fi
+done
+
+if [[ ${#missing_tools[@]} != 0 ]]; then
+  echo "The following tools where not found:"
+  printf "%s\n" "${missing_tools[@]}"
+  exit 1
+else
+  echo -e "All tools are installed!"
+fi