treewide: Format with shellcheck, jsonlint and yamllint

.gitignore

@@ -1,6 +1,7 @@
 *.tgz
 _*/
 .direnv/
+.env
 .pre-commit-config.yaml
 _*.yaml
 backup/

attic/nix/atlantis.nix

@@ -6,23 +6,32 @@ let
   values = lib.apps.appValues {
     inherit env;
     base = ../values/atlantis;
-    extraValues = {};
+    extraValues = { };
   };
 
-  kustomize = r:
+  kustomize =
+    r:
     if r.kind == "Deployment" then
       lib.attrsets.recursiveUpdate r {
-        spec.template.spec.containers =
+        spec.template.spec.containers = builtins.map (
-        builtins.map (x:
+          x:
-        x // {
+          x
+          // {
             livenessProbe.httpGet.path = "/healthz";
             readinessProble.httpGet.path = "/healthz";
-            env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ];
+            env = x.env ++ [
-        }) r.spec.template.spec.containers;
+              {
+                name = "INERNAL_PORT";
+                value = 8000;
+              }
+            ];
+          }
+        ) r.spec.template.spec.containers;
       }
     else if r.kind == "Service" then
-      {}
+      { }
-    else r;
+    else
+      r;
 in
 {
   options.apps.atlantis = lib.apps.appOptions {
@@ -34,9 +43,7 @@ in
 
     hostname = lib.mkOption {
       type = lib.types.str;
-        default = if env == "prod"
+      default = if env == "prod" then "maps.oceanbox.io" else "atlantis.beta.oceanbox.io";
-          then "maps.oceanbox.io"
-          else "atlantis.beta.oceanbox.io";
       description = "Revision";
     };
   };

attic/nix/openfga.nix

@@ -6,17 +6,15 @@ let
   values = lib.apps.appValues {
     inherit env;
     base = ../values/openfga;
-    extraValues = {};
+    extraValues = { };
   };
 
-  kustomize = r:
+  kustomize =
-    if r.kind == "Job" then
+    r: if r.kind == "Job" then lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; } else r;
-      lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
-    else r;
 
 in
-  {
+{
-    options.apps.openfga = lib.apps.appOptions {};
+  options.apps.openfga = lib.apps.appOptions { };
 
   config = lib.apps.appConfig cfg "${env}-openfga" {
     helm.releases."${env}-openfga" = {
@@ -30,10 +28,10 @@ in
       transformer = rs: builtins.map (x: kustomize x) rs;
     };
 
-        annotations = {};
+    annotations = { };
     resources = {
       services.poop.spec = {
       };
     };
   };
-  }
+}

attic/values/dex/templates/.vscode/launch.json

@@ -1,7 +1,4 @@
 {
-    // Use IntelliSense to learn about possible attributes.
-    // Hover to view descriptions of existing attributes.
-    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
     "version": "0.2.0",
     "configurations": [
         {

attic/values/dex/templates/deploy.sh

@@ -2,16 +2,16 @@
 
 server="root@fs1-0"
 path="/vol/brick0/nfs0/k1/pv-oceanbox-dex"
-dest="$server:$path"
+dest="${server}:${path}"
 
 index=$(basename dist/assets/index-*.js)
 
-ssh $server -- rm $path/static/js/*.js
+ssh "${server}" -- rm "${path}"/static/js/*.js
-scp dist/assets/*.js $dest/static/js/
+scp dist/assets/*.js "${dest}"/static/js/
 
-sed -r "s/@index@/$index/" ./dex/templates/login.html > login.html.$$
+sed -r "s/@index@/${index}/" ./dex/templates/login.html > login.html.$$
-scp ./dex/templates/* $dest/templates/
+scp ./dex/templates/* "${dest}"/templates/
-scp ./dex/static/*.* $dest/static/
+scp ./dex/static/*.* "${dest}"/static/
-scp login.html.$$ $dest/templates/login.html
+scp login.html.$$ "${dest}"/templates/login.html
 rm login.html.$$
 ssh admin@k1-0.itpartner.intern -- kubectl rollout restart -n oceanbox deployment/dex

bin/generate.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# shellcheck disable=SC2034  # Unused variables left for readability
 
 helmfile () {
 
@@ -10,30 +11,30 @@ bases:
  - ../envs/environments.yaml.gotmpl
 
 commonLabels:
-  tier: $tier
+  tier: ${tier}
 
 releases:
-- name: $name
+- name: ${name}
-  namespace: {{ .Environment.Name }}-$name
+  namespace: {{ .Environment.Name }}-${name}
-  chart: ../charts/$name
+  chart: ../charts/${name}
-  condition: $name.enabled
+  condition: ${name}.enabled
   values:
-  - ../values/$name/values/values.yaml.gotmpl
+  - ../values/${name}/values/values.yaml.gotmpl
-  - ../values/$name/values/values-{{ .Environment.Name }}.yaml
+  - ../values/${name}/values/values-{{ .Environment.Name }}.yaml
   postRenderer: ../bin/kustomizer
   postRendererArgs:
-  - ../values/$name/kustomize/{{ .Environment.Name }}
+  - ../values/${name}/kustomize/{{ .Environment.Name }}
   missingFileHandler: Info
 - name: manifests
-  namespace: {{ .Environment.Name }}-$name
+  namespace: {{ .Environment.Name }}-${name}
   chart: manifests
-  condition: $name.enabled
+  condition: ${name}.enabled
   missingFileHandler: Info
   values:
   - ../values/env.yaml
   - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
-  - ../values/$name/env.yaml.gotmpl
+  - ../values/${name}/env.yaml.gotmpl
-  - ../values/$name/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  - ../values/${name}/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
   hooks:
   - events: [ prepare, cleanup ]
     showlogs: true
@@ -42,7 +43,7 @@ releases:
     - '{{\`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}\`}}'
     - '{{\`{{ .Release.Chart }}\`}}'
     - '{{\`{{ .Environment.Name }}\`}}'
-    - ../values/$name/manifests
+    - ../values/${name}/manifests
     - manifests
 EOF
 }
@@ -59,10 +60,10 @@ done
 
 name=$1
 tier=$2
-if [ -n "$ns" ]; then
+if [[ -n "${ns}" ]]; then
-    namespace="namespace: {{ .Environment.Name }}-$name"
+    namespace="namespace: {{ .Environment.Name }}-${name}"
 else
-    namespace="namespace: $name"
+    namespace="namespace: ${name}"
 fi
 
-helmfile $1 $2
+helmfile "$1" "$2"

bin/helmify

@@ -4,39 +4,38 @@ set -o pipefail
 
 cmd=$1
 chart=$2
-env=$3
 manifests=${4:-manifests}
 outdir=${5:-_manifests}
 
 build() {
-  mkdir -p $outdir/templates
+  mkdir -p "${outdir}"/templates
-  echo "Creating $outdir/templates"
+  echo "Creating ${outdir}/templates"
 
-  echo "generating $outdir/Chart.yaml" 1>&2
+  echo "generating ${outdir}/Chart.yaml" 1>&2
 
-  cat <<EOF > $outdir/Chart.yaml
+  cat <<EOF > "${outdir}"/Chart.yaml
 apiVersion: v1
 appVersion: "1.0"
 # description: A Helm chart for Kubernetes
-name: $chart
+name: ${chart}
 version: 0.1.0
 EOF
 
-if [ -d $manifests ]; then
+if [[ -d "${manifests}" ]]; then
-    cp -r $manifests/* $outdir/templates
+    cp -r "${manifests}"/* "${outdir}"/templates
-elif [ -f $manifests ]; then
+elif [[ -f "${manifests}" ]]; then
-    cp $manifests $outdir/templates
+    cp "${manifests}" "${outdir}"/templates
 fi
 }
 
 clean() {
-  echo "cleaning $outdir" 1>&2
+  echo "cleaning ${outdir}" 1>&2
-  rm -rf $outdir
+  rm -rf "${outdir}"
 }
 
-case "$cmd" in
+case "${cmd}" in
   "build" ) build ;;
   "clean" ) clean ;;
-  * ) echo "unsupported command: $cmd" 1>&2; exit 1 ;;
+  * ) echo "unsupported command: ${cmd}" 1>&2; exit 1 ;;
 esac
 

bin/kustomizer

@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 
-[ $# != 1 ] && exit 1
+[[ $# != 1 ]] && exit 1
 
 dir=$1
-base=$dir/../base
+base=${dir}/../base
 
-if [ -f $base/kustomization.yaml -a -f $dir/kustomization.yaml ]; then
+if [[ -f "${base}"/kustomization.yaml ]] && [[ -f "${dir}"/kustomization.yaml ]]; then
-    cat > $base/_manifest.yaml
+    cat > "${base}"/_manifest.yaml
-    kubectl kustomize $dir
+    kubectl kustomize "${dir}"
 else
     cat
 fi

bootstrap/helm-kustomize-cmp/deploy.sh

@@ -3,5 +3,5 @@
 img=registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp
 tag=${1:-latest}
 
-docker build -t $img:$tag .
+docker build -t "${img}":"${tag}" .
-docker push $img:$tag
+docker push "${img}":"${tag}"

bootstrap/helm-kustomize-cmp/generate.sh

@@ -1,14 +1,15 @@
 #!/bin/sh
+# shellcheck disable=SC2154
 
 export HOME=/plugin
 
-env > /tmp/$ARGOCD_APP_NAME.env
+env > /tmp/"${ARGOCD_APP_NAME}".env
 
-echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
+echo "${ARGOCD_APP_PARAMETERS}" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
-cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml
+cp parameters.yaml /tmp/"${ARGOCD_APP_NAME}"-parameters.yaml
 
-if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
+if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
-    CHART=$PARAM_CHART
+    CHART=${PARAM_CHART}
 elif [ -d chart ]; then
     CHART=chart
 elif [ -f chart ]; then
@@ -18,19 +19,19 @@ else
 fi
 
 [ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
-[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
+[ -f values-chart.yaml ] && VALUES="${VALUES} -f values-chart.yaml"
-[ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
+[ -f values.yaml ] && VALUES="${VALUES} -f values.yaml"
-[ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
+[ -f values-"${PARAM_ENV}".yaml ] && VALUES="${VALUES} -f values-${PARAM_ENV}.yaml"
-VALUES="$VALUES -f parameters.yaml"
+VALUES="${VALUES} -f parameters.yaml"
 
-helm dependency update $CHART >/tmp/$ARGOCD_APP_NAME-helm-dependency-build.out
+helm dependency update "${CHART}" >/tmp/"${ARGOCD_APP_NAME}"-helm-dependency-build.out
 
 mkdir -p base
-echo "helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART" > /tmp/$ARGOCD_APP_NAME-helm.sh
+echo "helm template -n ${ARGOCD_APP_NAMESPACE} ${PARAM_FLAGS} ${VALUES} ${ARGOCD_APP_NAME} ${CHART}" > /tmp/"${ARGOCD_APP_NAME}"-helm.sh
-helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART > ./base/_manifest.yaml
+helm template -n "${ARGOCD_APP_NAMESPACE}" "${PARAM_FLAGS}" "${VALUES}" "${ARGOCD_APP_NAME}" "${CHART}" > ./base/_manifest.yaml
 
-cp ./base/_manifest.yaml /tmp/$ARGOCD_APP_NAME-manifest.yaml
+cp ./base/_manifest.yaml /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
 
-[ -d "$PARAM_ENV" ] && kubectl kustomize $PARAM_ENV > /tmp/$ARGOCD_APP_NAME-manifest.yaml
+[ -d "${PARAM_ENV}" ] && kubectl kustomize "${PARAM_ENV}" > /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
 
-cat /tmp/$ARGOCD_APP_NAME-manifest.yaml
+cat /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml

bootstrap/helm-kustomize-cmp/get-values.sh

@@ -18,7 +18,7 @@ EOF
     exit 0
 fi
 
-yq e -o=p $VALUES | jq --slurp --raw-input '
+yq e -o=p "${VALUES}" | jq --slurp --raw-input '
   [{
     name: "helm-parameters",
     title: "Helm Parameters",

bootstrap/helm-kustomize-cmp/init-helm-repos.sh

@@ -1,8 +1,9 @@
 #!/bin/sh
+# shellcheck disable=SC2154
 
 export HOME=/plugin
 
-helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
+helm repo add --username argocd-helm --password "${OCEANBOX_HELM_ACCESS_TOKEN}" oceanbox \
     https://gitlab.com/api/v4/projects/54396343/packages/helm/stable
 
 helm repo add bitnami https://charts.bitnami.com/bitnami

bootstrap/helm-kustomize-cmp/init.sh

@@ -4,9 +4,9 @@ export HOME=/plugin
 
 helm repo update oceanbox
 
-if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
+if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
-    helm show values $PARAM_CHART > values-chart.yaml
+    helm show values "${PARAM_CHART}" > values-chart.yaml
 elif [ -f chart ]; then
     CHART=$(cat chart)
-    helm show values $CHART > values-chart.yaml
+    helm show values "${CHART}" > values-chart.yaml
 fi

bootstrap/helmfile-cmp/deploy.sh

@@ -3,5 +3,5 @@
 img=registry.gitlab.com/oceanbox/manifests/helmfile-cmp
 tag=${1:-latest}
 
-docker build -t $img:$tag .
+docker build -t "${img}":"${tag}" .
-docker push $img:$tag
+docker push "${img}":"${tag}"

bootstrap/helmfile-cmp/generate.sh

@@ -1,4 +1,5 @@
 #!/bin/sh
+# shellcheck disable=SC2154
 
 # NOTE: Ensure errors are part of exitcode
 # set -o pipefail
@@ -10,7 +11,7 @@ export HELM_CONFIG_HOME=/tmp/helm/config
 export HELMFILE_CACHE_HOME=/tmp/helmfile/cache
 export HELMFILE_TEMPDIR=/tmp/helmfile/tmp
 
-test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT=$ARGOCD_ENV_HELMFILE_ENVIRONMENT
+test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT="${ARGOCD_ENV_HELMFILE_ENVIRONMENT}"
-test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH=$ARGOCD_ENV_HELMFILE_FILE_PATH
+test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH="${ARGOCD_ENV_HELMFILE_FILE_PATH}"
 
-helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template -q --include-crds 
+helmfile -n "${ARGOCD_APP_NAMESPACE}" "${ARGS}" template -q --include-crds

bootstrap/reset-ekman-cluster.sh

@@ -13,7 +13,7 @@ kubectl --context ekman apply -f cluster-admin-token.yaml
 # kubectl --context oceanbox apply -f _cluster-ekman.yaml
 
 token=$(kubectl --context ekman get secret -n kube-system argocd-manager-token -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
-sed "s/@token@/$token/" cluster-ekman.yaml > _cluster-ekman.yaml
+sed "s/@token@/${token}/" cluster-ekman.yaml > _cluster-ekman.yaml
 echo "configure argocd ekman-cluster..."
 cat _cluster-ekman.yaml
 kubectl --context oceanbox apply -f _cluster-ekman.yaml

nix/checks.nix

@@ -0,0 +1,65 @@
+let
+  sources = import ./default.nix;
+  pkgs = import sources.nixpkgs { };
+  pre-commit = import sources.git-hooks;
+
+  globalExcludes = [
+    "nix/default.nix"
+    ".*vendor"
+    ".*chart/.*"
+    ".*schema.json"
+  ];
+
+in
+pre-commit.run {
+  src = pkgs.nix-gitignore.gitignoreSource [ ] ../.;
+  # Do not run at pre-commit time
+  default_stages = [
+    "pre-push"
+  ];
+  # TODO(mrtz): Remove when default
+  package = pkgs.prek;
+  # Linters From https://github.com/cachix/pre-commit-hooks.nix
+  hooks = {
+    nixfmt-rfc-style = {
+      enable = true;
+      excludes = globalExcludes;
+    };
+
+    trim-trailing-whitespace.enable = true;
+
+    shellcheck = {
+      enable = true;
+      excludes = [
+        "vcluster/"
+      ];
+      args = [
+        "-x"
+        "-o"
+        "all"
+      ];
+    };
+
+    yamllint = {
+      enable = false;
+      excludes = [
+        "attic/"
+        "charts/templates/"
+        "charts/charts/"
+      ];
+      settings = {
+        strict = true;
+        configData = ''{ extends: default, rules: { document-start: disable, line-length: {max: 165} } }'';
+      };
+    };
+
+    check-json.enable = true;
+
+    renovate-config-validator = {
+      enable = true;
+      files = "renovate.json$";
+      entry = "renovate-config-validator";
+    };
+
+  };
+}

nix/sources.json

@@ -1,5 +1,18 @@
 {
   "pins": {
+    "git-hooks": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "cachix",
+        "repo": "git-hooks.nix"
+      },
+      "branch": "master",
+      "submodules": false,
+      "revision": "b68b780b69702a090c8bb1b973bab13756cc7a27",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/b68b780b69702a090c8bb1b973bab13756cc7a27.tar.gz",
+      "hash": "1k99smax7zpa5cdw9afa4v4y4155amy21a8z5z8x3cikdz3gyx5p"
+    },
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",

raw/tos/oceanbox/database/upload-img.sh

@@ -3,7 +3,7 @@
 # Simple script for uploading a base64 encoded image into our database. For
 # grafana business image panels.
 
-if [ $# -ne 2 ]
+if [[ $# -ne 2 ]]
 then
 	echo "Usage: $0 <image-name> <file>.png"
 	exit 1
@@ -12,9 +12,9 @@ fi
 filename=$1
 file=$2
 
-if [ ! -e $file ]
+if [[ ! -e "${file}" ]]
 then
-	echo "file $file does not exist"
+	echo "file ${file} does not exist"
 	exit 1
 fi
 
@@ -22,9 +22,9 @@ function create_image() {
 	local filename=$1
 	local data=$2
 cat << EOF
-INSERT INTO images VALUES('$filename', '$data');
+INSERT INTO images VALUES('${filename}', '${data}');
 EOF
 }
 
-data=$(cat $file | base64 -w0)
+data=$(base64 -w0 < "${file}")
-create_image $filename $data
+create_image "${filename}" "${data}"

renovate.json

@@ -1,4 +1,3 @@
-// -*- mode: jsonc -*-
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [

shell.nix

@@ -6,11 +6,15 @@ let
     config = { };
     overlays = [ ];
   };
+  checks = import ./nix/checks.nix;
 in
 pkgs.mkShellNoCC {
   name = "clstr";
 
-  packages = with pkgs; [
+  packages =
+    with pkgs;
+    [
+      # dev tools
       just
       npins
 
@@ -30,11 +34,17 @@ pkgs.mkShellNoCC {
       linkerd
       velero
       cmctl
+      renovate
 
       # dapr
       dapr-cli
-  ];
+    ]
+    ++ checks.enabledPackages;
 
-  ARGOCD_ENV_CLUSTER_NAME = "rossby";
+  ARGOCD_ENV_CLUSTER_NAME = "hel1";
   HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
+
+  shellHook = builtins.concatStringsSep "\n" [
+    checks.shellHook
+  ];
 }

values/atlantis/kustomize/prod/appsettings.json

@@ -73,7 +73,7 @@
     "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
     "sorcerer" : "https://sorcerer.data.oceanbox.io",
     "allowedOrigins": [
-        "https://maps.oceanbox.io",
+        "https://maps.oceanbox.io"
     ],
     "appName": "atlantis",
     "appEnv": "prod",

values/plume/kustomize/prod/appsettings.json

@@ -6,5 +6,5 @@
     "appVersion": "1.0.0",
     "cacheDir": "/data/archives/cache/prod",
     "otelCollector": "http://10.255.241.12:4317",
-    "sentryUrl": "https://2b68ecf0c4d02e6cc9433c371321ac9d@o4509530141622272.ingest.de.sentry.io/4509910315237456",
+    "sentryUrl": "https://2b68ecf0c4d02e6cc9433c371321ac9d@o4509530141622272.ingest.de.sentry.io/4509910315237456"
 }

values/sorcerer/kustomize/prod-rossby/appsettings.json

@@ -60,7 +60,7 @@
         "https://maps.beta.oceanbox.io",
         "https://atlantis.beta.oceanbox.io",
         "https://jonas-atlantis.dev.oceanbox.io",
-        "https://stig-atlantis.dev.oceanbox.io",
+        "https://stig-atlantis.dev.oceanbox.io"
     ],
     "appName": "sorcerer",
     "appEnv": "prod",

values/umami/queries/query

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-if [ $# -ne 1 ]
+if [[ $# -ne 1 ]]
 then
 	echo "Usage: $0 <file>.sql"
 	exit 1
@@ -8,11 +8,11 @@ fi
 
 file=$1
 
-if [ ! -e $file ]
+if [[ ! -e "${file}" ]]
 then
-	echo "file $file does not exist"
+	echo "file ${file} does not exist"
 	exit 1
 fi
 
-cat $file | kubectl -n analytics exec -i svc/prod-umami-db-rw -c postgres -- psql app
+kubectl -n analytics exec -i svc/prod-umami-db-rw -c postgres -- psql app < "${file}"