treewide: Format with shellcheck, jsonlint and yamllint

2025-12-29 12:41:13 +01:00
parent d7e4fb43cb
commit f81a4b2732
53 changed files with 313 additions and 220 deletions
@@ -1,6 +1,7 @@
 *.tgz
 _*/
 .direnv/
+.env
 .pre-commit-config.yaml
 _*.yaml
 backup/
@@ -6,39 +6,46 @@ let
  values = lib.apps.appValues {
    inherit env;
    base = ../values/atlantis;
-    extraValues = {};
+    extraValues = { };
  };

-  kustomize = r:
+  kustomize =
+    r:
    if r.kind == "Deployment" then
      lib.attrsets.recursiveUpdate r {
-        spec.template.spec.containers =
-        builtins.map (x:
-        x // {
+        spec.template.spec.containers = builtins.map (
+          x:
+          x
+          // {
            livenessProbe.httpGet.path = "/healthz";
            readinessProble.httpGet.path = "/healthz";
-            env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ];
-        }) r.spec.template.spec.containers;
+            env = x.env ++ [
+              {
+                name = "INERNAL_PORT";
+                value = 8000;
+              }
+            ];
+          }
+        ) r.spec.template.spec.containers;
      }
-      else if r.kind == "Service" then
-      {}
-    else r;
+    else if r.kind == "Service" then
+      { }
+    else
+      r;
 in
 {
  options.apps.atlantis = lib.apps.appOptions {
-      revision = lib.mkOption {
-        type = lib.types.str;
-        default = "main";
-        description = "Revision";
-      };
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "main";
+      description = "Revision";
+    };

-      hostname = lib.mkOption {
-        type = lib.types.str;
-        default = if env == "prod"
-          then "maps.oceanbox.io"
-          else "atlantis.beta.oceanbox.io";
-        description = "Revision";
-      };
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      default = if env == "prod" then "maps.oceanbox.io" else "atlantis.beta.oceanbox.io";
+      description = "Revision";
+    };
  };

  config = lib.apps.appConfig cfg "${env}-atlantis" {
@@ -6,34 +6,32 @@ let
  values = lib.apps.appValues {
    inherit env;
    base = ../values/openfga;
-    extraValues = {};
+    extraValues = { };
  };

-  kustomize = r:
-    if r.kind == "Job" then
-      lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
-    else r;
+  kustomize =
+    r: if r.kind == "Job" then lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; } else r;

 in
-  {
-    options.apps.openfga = lib.apps.appOptions {};
+{
+  options.apps.openfga = lib.apps.appOptions { };

-    config = lib.apps.appConfig cfg "${env}-openfga" {
-        helm.releases."${env}-openfga" = {
-          inherit values;
-          chart = lib.helm.downloadHelmChart {
-            repo = "https://openfga.github.io/helm-charts";
-            chart = "openfga";
-              version = "0.2.12";
-              chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
-          };
-          transformer = rs: builtins.map (x: kustomize x) rs;
-        };
-
-        annotations = {};
-        resources = {
-          services.poop.spec = {
-          };
-        };
+  config = lib.apps.appConfig cfg "${env}-openfga" {
+    helm.releases."${env}-openfga" = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://openfga.github.io/helm-charts";
+        chart = "openfga";
+        version = "0.2.12";
+        chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
      };
-  }
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+
+    annotations = { };
+    resources = {
+      services.poop.spec = {
+      };
+    };
+  };
+}
@@ -46,19 +46,19 @@ spec:
        {{ end }}
        cleanupController:
          resources:
-            limits: 
+            limits:
              memory: {{ .Values.kyverno.resources.cleanupController.memory }}
            requests:
              memory: {{ .Values.kyverno.resources.cleanupController.memory }}
        reportsController:
          resources:
-            limits: 
+            limits:
              memory: {{ .Values.kyverno.resources.reportsController.memory }}
            requests:
              memory: {{ .Values.kyverno.resources.reportsController.memory }}
        backgroundController:
          resources:
-            limits: 
+            limits:
              memory: {{ .Values.kyverno.resources.backgroundController.memory }}
            requests:
              memory: {{ .Values.kyverno.resources.backgroundController.memory }}
@@ -27,17 +27,17 @@ spec:
            scheme: {{ .Values.linkerd.secretScheme }}
            {{- if .Values.linkerd.identityIssuerPEM }}
            tls:
-              crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }} 
+              crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }}
            {{- end }}
        policyValidator:
          externalSecret: true
-          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
        proxyInjector:
          externalSecret: true
-          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
        profileValidator:
          externalSecret: true
-          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}

  project: sys
  syncPolicy:
@@ -16,7 +16,7 @@ spec:
    helm:
      values: |
        containerPort: 10250
-        resources: 
+        resources:
          requests:
            cpu: 100m
            memory: 200Mi
@@ -53,7 +53,7 @@ spec:
              endpoint: "tempo.tempo.svc:4317"
              tls:
                insecure: true
-            ## 
+            ##
            otlphttp/metrics:
              endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
              tls:
@@ -12,8 +12,8 @@ metadata:
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
-      Customers should not have full admin permissions on their own namespaces.  
-      This policy will generate a RoleBinding, binding their group_id to 
+      Customers should not have full admin permissions on their own namespaces.
+      This policy will generate a RoleBinding, binding their group_id to
      the Cluster-Admin clusterrole. This will still only apply to the namespace as
      the resource is a rolebinding, not clusterrolebinding.
      This policy should not trigger on any namespaces with label component=sys
@@ -24,7 +24,7 @@ spec:
            grafana_folder: Prometheus-stack
      targets:
      - apiVersion: v1
-        kind: ConfigMap        
+        kind: ConfigMap
        name: "{{`{{ request.object.metadata.name }}`}}"
    name: generate-dashboard-folder-annotation
    skipBackgroundRequests: true
@@ -13,7 +13,7 @@ metadata:
      is time consuming and error prone. This policy will copy a
      Secret called `regcred` which exists in the `default` Namespace to
      new Namespaces when they are created. It will also push updates to
-      the copied Secrets should the source Secret be changed.            
+      the copied Secrets should the source Secret be changed.
 spec:
  rules:
  - name: sync-image-pull-secret
@@ -9,12 +9,12 @@ metadata:
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
-      Ingresses with the label "internal=true" should be whitelisted. 
-      If no whitelist exists, add the default values, otherwise append 
+      Ingresses with the label "internal=true" should be whitelisted.
+      If no whitelist exists, add the default values, otherwise append
      whitelist to the already existing ones
 spec:
  mutateExistingOnPolicyUpdate: false
-  #precondition: has whitelist annotation or 
+  #precondition: has whitelist annotation or
  rules:
  - name: ensure-nginx-whitelist-exists
    match:
@@ -32,7 +32,7 @@ data:
          }
      ],
      "__elements":{
-          
+
      },
      "__requires":[
          {
@@ -70,7 +70,7 @@ data:
                  "limit":100,
                  "matchAny":false,
                  "tags":[
-                      
+
                  ],
                  "type":"dashboard"
                },
@@ -83,7 +83,7 @@ data:
      "graphTooltip":0,
      "id":null,
      "links":[
-          
+
      ],
      "liveNow":false,
      "panels":[
@@ -130,7 +130,7 @@ data:
                      }
                  },
                  "mappings":[
-                      
+
                  ],
                  "thresholds":{
                      "mode":"absolute",
@@ -195,7 +195,7 @@ data:
            "options":{
                "legend":{
                  "calcs":[
-                      
+
                  ],
                  "displayMode":"list",
                  "placement":"bottom",
@@ -255,7 +255,7 @@ data:
                "multi":false,
                "name":"DS_PROMETHEUS",
                "options":[
-                  
+
                ],
                "query":"prometheus",
                "refresh":1,
@@ -266,7 +266,7 @@ data:
            },
            {
                "current":{
-                  
+
                },
                "datasource":{
                  "type":"prometheus",
@@ -279,7 +279,7 @@ data:
                "multi":false,
                "name":"namespace",
                "options":[
-                  
+
                ],
                "query":{
                  "query":"label_values(rabbitmq_identity_info, namespace)",
@@ -296,7 +296,7 @@ data:
            },
            {
                "current":{
-                  
+
                },
                "datasource":{
                  "type":"prometheus",
@@ -309,7 +309,7 @@ data:
                "multi":false,
                "name":"rabbitmq_cluster",
                "options":[
-                  
+
                ],
                "query":{
                  "query":"label_values(rabbitmq_identity_info{namespace=\"$namespace\"}, rabbitmq_cluster)",
@@ -326,7 +326,7 @@ data:
            },
            {
                "current":{
-                  
+
                },
                "datasource":{
                  "type":"prometheus",
@@ -339,7 +339,7 @@ data:
                "multi":false,
                "name":"queue",
                "options":[
-                  
+
                ],
                "query":{
                  "query":"query_result(rabbitmq_detailed_queue_messages{namespace=\"$namespace\"} * on (instance, job) group_left(rabbitmq_cluster) rabbitmq_identity_info{namespace=\"$namespace\", rabbitmq_cluster=\"$rabbitmq_cluster\"})",
@@ -361,7 +361,7 @@ data:
          "to":"now"
      },
      "timepicker":{
-          
+
      },
      "timezone":"",
      "title":"RabbitMQ-Queue",
@@ -37,7 +37,7 @@ rules:
    resources:
      - events
    verbs: ["*"]
-      
+
  - nonResourceURLs: ["*"]
    verbs: ["*"]
  - apiGroups:
@@ -139,8 +139,8 @@ spec:
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
-        command: 
-        - "/bin/sh" 
+        command:
+        - "/bin/sh"
        - -c
        - /tmp/renew-certs/renew-certs.sh
        volumeMounts:
@@ -216,7 +216,7 @@ metadata:
  name: default-deny-egress
  namespace: cert-manager
 spec:
-  podSelector: 
+  podSelector:
    matchLabels:
      block-egress: "true"
  policyTypes:
@@ -42,8 +42,8 @@ spec:
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
-        command: 
-        - "/bin/sh" 
+        command:
+        - "/bin/sh"
        - -c
        - /tmp/renew-certs/renew-certs.sh
        volumeMounts:
@@ -119,7 +119,7 @@ metadata:
  name: default-deny-egress
  namespace: gitlab
 spec:
-  podSelector: 
+  podSelector:
    matchLabels:
      block-egress: "true"
  policyTypes:
@@ -1,7 +1,4 @@
 {
-    // Use IntelliSense to learn about possible attributes.
-    // Hover to view descriptions of existing attributes.
-    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
@@ -1,4 +1,4 @@
-# Oceanbox IdP 
+# Oceanbox IdP

 ```
 npm install && npm start
@@ -2,16 +2,16 @@

 server="root@fs1-0"
 path="/vol/brick0/nfs0/k1/pv-oceanbox-dex"
-dest="$server:$path"
+dest="${server}:${path}"

 index=$(basename dist/assets/index-*.js)

-ssh $server -- rm $path/static/js/*.js
-scp dist/assets/*.js $dest/static/js/
+ssh "${server}" -- rm "${path}"/static/js/*.js
+scp dist/assets/*.js "${dest}"/static/js/

-sed -r "s/@index@/$index/" ./dex/templates/login.html > login.html.$$
-scp ./dex/templates/* $dest/templates/
-scp ./dex/static/*.* $dest/static/
-scp login.html.$$ $dest/templates/login.html
+sed -r "s/@index@/${index}/" ./dex/templates/login.html > login.html.$$
+scp ./dex/templates/* "${dest}"/templates/
+scp ./dex/static/*.* "${dest}"/static/
+scp login.html.$$ "${dest}"/templates/login.html
 rm login.html.$$
 ssh admin@k1-0.itpartner.intern -- kubectl rollout restart -n oceanbox deployment/dex
@@ -66,7 +66,7 @@ let MyApp() =
      if isNullOrUndefined localStorage["user_id"] then
         ""
      else
-         localStorage["user_id"]  
+         localStorage["user_id"]
      // Browser.Dom.document.cookie
      // |> fun s -> s.Split ';'
      // |> Array.filter (fun s -> s.StartsWith "user_id=")
@@ -75,7 +75,7 @@ let MyApp() =
      // |> Option.defaultValue ""

    let toggleAmnesia _ = setAmnesia (not amnesia)
-      
+
    html $"""
        <div class="centering">
        <div @keydown={Ev(onEnter)}>
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# shellcheck disable=SC2034  # Unused variables left for readability

 helmfile () {

@@ -10,30 +11,30 @@ bases:
 - ../envs/environments.yaml.gotmpl

 commonLabels:
-  tier: $tier
+  tier: ${tier}

 releases:
- name: $name
-  namespace: {{ .Environment.Name }}-$name
-  chart: ../charts/$name
-  condition: $name.enabled
+- name: ${name}
+  namespace: {{ .Environment.Name }}-${name}
+  chart: ../charts/${name}
+  condition: ${name}.enabled
  values:
-  - ../values/$name/values/values.yaml.gotmpl
-  - ../values/$name/values/values-{{ .Environment.Name }}.yaml
+  - ../values/${name}/values/values.yaml.gotmpl
+  - ../values/${name}/values/values-{{ .Environment.Name }}.yaml
  postRenderer: ../bin/kustomizer
  postRendererArgs:
-  - ../values/$name/kustomize/{{ .Environment.Name }}
+  - ../values/${name}/kustomize/{{ .Environment.Name }}
  missingFileHandler: Info
 - name: manifests
-  namespace: {{ .Environment.Name }}-$name
+  namespace: {{ .Environment.Name }}-${name}
  chart: manifests
-  condition: $name.enabled
+  condition: ${name}.enabled
  missingFileHandler: Info
  values:
  - ../values/env.yaml
  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
-  - ../values/$name/env.yaml.gotmpl
-  - ../values/$name/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  - ../values/${name}/env.yaml.gotmpl
+  - ../values/${name}/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
  hooks:
  - events: [ prepare, cleanup ]
    showlogs: true
@@ -42,7 +43,7 @@ releases:
    - '{{\`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}\`}}'
    - '{{\`{{ .Release.Chart }}\`}}'
    - '{{\`{{ .Environment.Name }}\`}}'
-    - ../values/$name/manifests
+    - ../values/${name}/manifests
    - manifests
 EOF
 }
@@ -59,10 +60,10 @@ done

 name=$1
 tier=$2
-if [ -n "$ns" ]; then
-    namespace="namespace: {{ .Environment.Name }}-$name"
+if [[ -n "${ns}" ]]; then
+    namespace="namespace: {{ .Environment.Name }}-${name}"
 else
-    namespace="namespace: $name"
+    namespace="namespace: ${name}"
 fi

-helmfile $1 $2
+helmfile "$1" "$2"
@@ -4,39 +4,38 @@ set -o pipefail

 cmd=$1
 chart=$2
-env=$3
 manifests=${4:-manifests}
 outdir=${5:-_manifests}

 build() {
-  mkdir -p $outdir/templates
-  echo "Creating $outdir/templates"
+  mkdir -p "${outdir}"/templates
+  echo "Creating ${outdir}/templates"

-  echo "generating $outdir/Chart.yaml" 1>&2
+  echo "generating ${outdir}/Chart.yaml" 1>&2

-  cat <<EOF > $outdir/Chart.yaml
+  cat <<EOF > "${outdir}"/Chart.yaml
 apiVersion: v1
 appVersion: "1.0"
 # description: A Helm chart for Kubernetes
-name: $chart
+name: ${chart}
 version: 0.1.0
 EOF

-if [ -d $manifests ]; then
-    cp -r $manifests/* $outdir/templates
-elif [ -f $manifests ]; then
-    cp $manifests $outdir/templates
+if [[ -d "${manifests}" ]]; then
+    cp -r "${manifests}"/* "${outdir}"/templates
+elif [[ -f "${manifests}" ]]; then
+    cp "${manifests}" "${outdir}"/templates
 fi
 }

 clean() {
-  echo "cleaning $outdir" 1>&2
-  rm -rf $outdir
+  echo "cleaning ${outdir}" 1>&2
+  rm -rf "${outdir}"
 }

-case "$cmd" in
+case "${cmd}" in
  "build" ) build ;;
  "clean" ) clean ;;
-  * ) echo "unsupported command: $cmd" 1>&2; exit 1 ;;
+  * ) echo "unsupported command: ${cmd}" 1>&2; exit 1 ;;
 esac

@@ -1,13 +1,13 @@
 #!/usr/bin/env bash

-[ $# != 1 ] && exit 1
+[[ $# != 1 ]] && exit 1

 dir=$1
-base=$dir/../base
+base=${dir}/../base

-if [ -f $base/kustomization.yaml -a -f $dir/kustomization.yaml ]; then
-    cat > $base/_manifest.yaml
-    kubectl kustomize $dir
+if [[ -f "${base}"/kustomization.yaml ]] && [[ -f "${dir}"/kustomization.yaml ]]; then
+    cat > "${base}"/_manifest.yaml
+    kubectl kustomize "${dir}"
 else
    cat
 fi
@@ -3,5 +3,5 @@
 img=registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp
 tag=${1:-latest}

-docker build -t $img:$tag .
-docker push $img:$tag
+docker build -t "${img}":"${tag}" .
+docker push "${img}":"${tag}"
@@ -1,14 +1,15 @@
 #!/bin/sh
+# shellcheck disable=SC2154

 export HOME=/plugin

-env > /tmp/$ARGOCD_APP_NAME.env
+env > /tmp/"${ARGOCD_APP_NAME}".env

-echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
-cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml
+echo "${ARGOCD_APP_PARAMETERS}" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
+cp parameters.yaml /tmp/"${ARGOCD_APP_NAME}"-parameters.yaml

-if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
-    CHART=$PARAM_CHART
+if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
+    CHART=${PARAM_CHART}
 elif [ -d chart ]; then
    CHART=chart
 elif [ -f chart ]; then
@@ -18,19 +19,19 @@ else
 fi

 [ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
-[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
-[ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
-[ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
-VALUES="$VALUES -f parameters.yaml"
+[ -f values-chart.yaml ] && VALUES="${VALUES} -f values-chart.yaml"
+[ -f values.yaml ] && VALUES="${VALUES} -f values.yaml"
+[ -f values-"${PARAM_ENV}".yaml ] && VALUES="${VALUES} -f values-${PARAM_ENV}.yaml"
+VALUES="${VALUES} -f parameters.yaml"

-helm dependency update $CHART >/tmp/$ARGOCD_APP_NAME-helm-dependency-build.out
+helm dependency update "${CHART}" >/tmp/"${ARGOCD_APP_NAME}"-helm-dependency-build.out

 mkdir -p base
-echo "helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART" > /tmp/$ARGOCD_APP_NAME-helm.sh
-helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART > ./base/_manifest.yaml
+echo "helm template -n ${ARGOCD_APP_NAMESPACE} ${PARAM_FLAGS} ${VALUES} ${ARGOCD_APP_NAME} ${CHART}" > /tmp/"${ARGOCD_APP_NAME}"-helm.sh
+helm template -n "${ARGOCD_APP_NAMESPACE}" "${PARAM_FLAGS}" "${VALUES}" "${ARGOCD_APP_NAME}" "${CHART}" > ./base/_manifest.yaml

-cp ./base/_manifest.yaml /tmp/$ARGOCD_APP_NAME-manifest.yaml
+cp ./base/_manifest.yaml /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml

-[ -d "$PARAM_ENV" ] && kubectl kustomize $PARAM_ENV > /tmp/$ARGOCD_APP_NAME-manifest.yaml
+[ -d "${PARAM_ENV}" ] && kubectl kustomize "${PARAM_ENV}" > /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml

-cat /tmp/$ARGOCD_APP_NAME-manifest.yaml
+cat /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
@@ -18,7 +18,7 @@ EOF
    exit 0
 fi

-yq e -o=p $VALUES | jq --slurp --raw-input '
+yq e -o=p "${VALUES}" | jq --slurp --raw-input '
  [{
    name: "helm-parameters",
    title: "Helm Parameters",
@@ -1,8 +1,9 @@
 #!/bin/sh
+# shellcheck disable=SC2154

 export HOME=/plugin

-helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
+helm repo add --username argocd-helm --password "${OCEANBOX_HELM_ACCESS_TOKEN}" oceanbox \
    https://gitlab.com/api/v4/projects/54396343/packages/helm/stable

 helm repo add bitnami https://charts.bitnami.com/bitnami
@@ -4,9 +4,9 @@ export HOME=/plugin

 helm repo update oceanbox

-if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
-    helm show values $PARAM_CHART > values-chart.yaml
+if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
+    helm show values "${PARAM_CHART}" > values-chart.yaml
 elif [ -f chart ]; then
    CHART=$(cat chart)
-    helm show values $CHART > values-chart.yaml
+    helm show values "${CHART}" > values-chart.yaml
 fi
@@ -3,5 +3,5 @@
 img=registry.gitlab.com/oceanbox/manifests/helmfile-cmp
 tag=${1:-latest}

-docker build -t $img:$tag .
-docker push $img:$tag
+docker build -t "${img}":"${tag}" .
+docker push "${img}":"${tag}"
@@ -1,4 +1,5 @@
 #!/bin/sh
+# shellcheck disable=SC2154

 # NOTE: Ensure errors are part of exitcode
 # set -o pipefail
@@ -10,7 +11,7 @@ export HELM_CONFIG_HOME=/tmp/helm/config
 export HELMFILE_CACHE_HOME=/tmp/helmfile/cache
 export HELMFILE_TEMPDIR=/tmp/helmfile/tmp

-test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT=$ARGOCD_ENV_HELMFILE_ENVIRONMENT
-test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH=$ARGOCD_ENV_HELMFILE_FILE_PATH
+test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT="${ARGOCD_ENV_HELMFILE_ENVIRONMENT}"
+test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH="${ARGOCD_ENV_HELMFILE_FILE_PATH}"

-helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template -q --include-crds 
+helmfile -n "${ARGOCD_APP_NAMESPACE}" "${ARGS}" template -q --include-crds
@@ -13,7 +13,7 @@ kubectl --context ekman apply -f cluster-admin-token.yaml
 # kubectl --context oceanbox apply -f _cluster-ekman.yaml

 token=$(kubectl --context ekman get secret -n kube-system argocd-manager-token -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
-sed "s/@token@/$token/" cluster-ekman.yaml > _cluster-ekman.yaml
+sed "s/@token@/${token}/" cluster-ekman.yaml > _cluster-ekman.yaml
 echo "configure argocd ekman-cluster..."
 cat _cluster-ekman.yaml
 kubectl --context oceanbox apply -f _cluster-ekman.yaml
@@ -0,0 +1,65 @@
+let
+  sources = import ./default.nix;
+  pkgs = import sources.nixpkgs { };
+  pre-commit = import sources.git-hooks;
+
+  globalExcludes = [
+    "nix/default.nix"
+    ".*vendor"
+    ".*chart/.*"
+    ".*schema.json"
+  ];
+
+in
+pre-commit.run {
+  src = pkgs.nix-gitignore.gitignoreSource [ ] ../.;
+  # Do not run at pre-commit time
+  default_stages = [
+    "pre-push"
+  ];
+  # TODO(mrtz): Remove when default
+  package = pkgs.prek;
+  # Linters From https://github.com/cachix/pre-commit-hooks.nix
+  hooks = {
+    nixfmt-rfc-style = {
+      enable = true;
+      excludes = globalExcludes;
+    };
+
+    trim-trailing-whitespace.enable = true;
+
+    shellcheck = {
+      enable = true;
+      excludes = [
+        "vcluster/"
+      ];
+      args = [
+        "-x"
+        "-o"
+        "all"
+      ];
+    };
+
+    yamllint = {
+      enable = false;
+      excludes = [
+        "attic/"
+        "charts/templates/"
+        "charts/charts/"
+      ];
+      settings = {
+        strict = true;
+        configData = ''{ extends: default, rules: { document-start: disable, line-length: {max: 165} } }'';
+      };
+    };
+
+    check-json.enable = true;
+
+    renovate-config-validator = {
+      enable = true;
+      files = "renovate.json$";
+      entry = "renovate-config-validator";
+    };
+
+  };
+}
@@ -1,5 +1,18 @@
 {
  "pins": {
+    "git-hooks": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "cachix",
+        "repo": "git-hooks.nix"
+      },
+      "branch": "master",
+      "submodules": false,
+      "revision": "b68b780b69702a090c8bb1b973bab13756cc7a27",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/b68b780b69702a090c8bb1b973bab13756cc7a27.tar.gz",
+      "hash": "1k99smax7zpa5cdw9afa4v4y4155amy21a8z5z8x3cikdz3gyx5p"
+    },
    "nixpkgs": {
      "type": "Channel",
      "name": "nixpkgs-unstable",
@@ -3,7 +3,7 @@
 # Simple script for uploading a base64 encoded image into our database. For
 # grafana business image panels.

-if [ $# -ne 2 ]
+if [[ $# -ne 2 ]]
 then
 	echo "Usage: $0 <image-name> <file>.png"
 	exit 1
@@ -12,9 +12,9 @@ fi
 filename=$1
 file=$2

-if [ ! -e $file ]
+if [[ ! -e "${file}" ]]
 then
-	echo "file $file does not exist"
+	echo "file ${file} does not exist"
 	exit 1
 fi

@@ -22,9 +22,9 @@ function create_image() {
 	local filename=$1
 	local data=$2
 cat << EOF
-INSERT INTO images VALUES('$filename', '$data');
+INSERT INTO images VALUES('${filename}', '${data}');
 EOF
 }

-data=$(cat $file | base64 -w0)
-create_image $filename $data
+data=$(base64 -w0 < "${file}")
+create_image "${filename}" "${data}"
@@ -1,4 +1,3 @@
-// -*- mode: jsonc -*-
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
@@ -6,35 +6,45 @@ let
    config = { };
    overlays = [ ];
  };
+  checks = import ./nix/checks.nix;
 in
 pkgs.mkShellNoCC {
  name = "clstr";

-  packages = with pkgs; [
-    just
-    npins
+  packages =
+    with pkgs;
+    [
+      # dev tools
+      just
+      npins

-    # helm
-    helmfile
-    kubernetes-helm
+      # helm
+      helmfile
+      kubernetes-helm

-    # kubectl tools
-    kubectl-cnpg
-    kubectl-neat
-    kubelogin
-    kubelogin-oidc
-    kubectl-rook-ceph
+      # kubectl tools
+      kubectl-cnpg
+      kubectl-neat
+      kubelogin
+      kubelogin-oidc
+      kubectl-rook-ceph

-    # other tools
-    step-cli
-    linkerd
-    velero
-    cmctl
+      # other tools
+      step-cli
+      linkerd
+      velero
+      cmctl
+      renovate

-    # dapr
-    dapr-cli
-  ];
+      # dapr
+      dapr-cli
+    ]
+    ++ checks.enabledPackages;

-  ARGOCD_ENV_CLUSTER_NAME = "rossby";
+  ARGOCD_ENV_CLUSTER_NAME = "hel1";
  HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
+
+  shellHook = builtins.concatStringsSep "\n" [
+    checks.shellHook
+  ];
 }
@@ -73,7 +73,7 @@
    "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
    "sorcerer" : "https://sorcerer.data.oceanbox.io",
    "allowedOrigins": [
-        "https://maps.oceanbox.io",
+        "https://maps.oceanbox.io"
    ],
    "appName": "atlantis",
    "appEnv": "prod",
@@ -4,14 +4,14 @@ identity:
    scheme: {{ .Values.linkerd.secretScheme }}
    {{- if .Values.linkerd.identityIssuerPEM }}
    tls:
-      crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }} 
+      crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }}
    {{- end }}
 policyValidator:
  externalSecret: true
-  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
 proxyInjector:
  externalSecret: true
-  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
 profileValidator:
  externalSecret: true
-  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
@@ -1,5 +1,5 @@
 containerPort: 10250
-resources: 
+resources:
    requests:
        cpu: 100m
        memory: 200Mi
@@ -6,7 +6,7 @@ metadata:
  namespace: argocd
 spec:
  destination:
-    namespace: kube-system 
+    namespace: kube-system
    server: 'https://kubernetes.default.svc'
  sources:
  - repoURL: {{ .Values.clusterConfig.manifests }}
@@ -6,5 +6,5 @@
    "appVersion": "1.0.0",
    "cacheDir": "/data/archives/cache/prod",
    "otelCollector": "http://10.255.241.12:4317",
-    "sentryUrl": "https://2b68ecf0c4d02e6cc9433c371321ac9d@o4509530141622272.ingest.de.sentry.io/4509910315237456",
+    "sentryUrl": "https://2b68ecf0c4d02e6cc9433c371321ac9d@o4509530141622272.ingest.de.sentry.io/4509910315237456"
 }
@@ -24,7 +24,7 @@ spec:
            grafana_folder: Prometheus-stack
      targets:
      - apiVersion: v1
-        kind: ConfigMap        
+        kind: ConfigMap
        name: "{{`{{ request.object.metadata.name }}`}}"
    name: generate-dashboard-folder-annotation
    skipBackgroundRequests: true
@@ -1,5 +1,5 @@
 redis:
-  enabled: true 
+  enabled: true
  envs:
  - prod
  - staging
@@ -3,7 +3,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: {{ . }}-redis 
+  name: {{ . }}-redis
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
@@ -60,7 +60,7 @@
        "https://maps.beta.oceanbox.io",
        "https://atlantis.beta.oceanbox.io",
        "https://jonas-atlantis.dev.oceanbox.io",
-        "https://stig-atlantis.dev.oceanbox.io",
+        "https://stig-atlantis.dev.oceanbox.io"
    ],
    "appName": "sorcerer",
    "appEnv": "prod",
@@ -13,7 +13,7 @@ metadata:
      is time consuming and error prone. This policy will copy a
      Secret called `regcred` which exists in the `default` Namespace to
      new Namespaces when they are created. It will also push updates to
-      the copied Secrets should the source Secret be changed.            
+      the copied Secrets should the source Secret be changed.
 spec:
  rules:
  - name: sync-image-pull-secret
@@ -37,7 +37,7 @@ rules:
    resources:
      - events
    verbs: ["*"]
-      
+
  - nonResourceURLs: ["*"]
    verbs: ["*"]
  - apiGroups:
@@ -13,7 +13,7 @@ metadata:
      is time consuming and error prone. This policy will copy a
      Secret called `regcred` which exists in the `default` Namespace to
      new Namespaces when they are created. It will also push updates to
-      the copied Secrets should the source Secret be changed.            
+      the copied Secrets should the source Secret be changed.
 spec:
  rules:
  - name: sync-image-pull-secret
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash

-if [ $# -ne 1 ]
+if [[ $# -ne 1 ]]
 then
 	echo "Usage: $0 <file>.sql"
 	exit 1
@@ -8,11 +8,11 @@ fi

 file=$1

-if [ ! -e $file ]
+if [[ ! -e "${file}" ]]
 then
-	echo "file $file does not exist"
+	echo "file ${file} does not exist"
 	exit 1
 fi

-cat $file | kubectl -n analytics exec -i svc/prod-umami-db-rw -c postgres -- psql app
+kubectl -n analytics exec -i svc/prod-umami-db-rw -c postgres -- psql app < "${file}"

@@ -32,7 +32,7 @@ GROUP BY

 SELECT
  *
-FROM 
+FROM
  crosstab_integer_5_cols(
    'SELECT * FROM simulations
     WHERE
@@ -1,4 +1,4 @@
-select 
+select
 	s.distinct_id,
 	count(distinct w.visit_id)
 from
@@ -9,7 +9,7 @@ join
 where
 	w.website_id = '16e7d807-4db5-45fd-92a9-27393445a153'
 	and w.event_type = 1
-	and w.created_at between '2025-10-13' and '2025-10-19' 
+	and w.created_at between '2025-10-13' and '2025-10-19'
 	and s.distinct_id is not null
 	and substring(s.distinct_id similar '%#"@%#"' escape '#') not in ('@oceanbox.io')
 group by
@@ -9,7 +9,7 @@ join
 where
 	w.website_id = '16e7d807-4db5-45fd-92a9-27393445a153'
 	and w.event_type = 1
-	and w.created_at between '2025-10-06' and '2025-10-10' 
+	and w.created_at between '2025-10-06' and '2025-10-10'
 	and s.distinct_id is not null
 	and s.distinct_id like '%@%'
 group by
@@ -21,7 +21,7 @@

 SELECT
  *
-FROM 
+FROM
  crosstab(
    'SELECT "group", sim_type, count::text FROM weekly_sim_submit_count_v2 ORDER BY 1, 2',
    'SELECT DISTINCT sim_type FROM weekly_sim_submit_count_v2 ORDER BY 1'