treewide: Format with shellcheck, jsonlint and yamllint

.gitignore

@@ -1,6 +1,7 @@
 *.tgz
 _*/
 .direnv/
+.env
 .pre-commit-config.yaml
 _*.yaml
 backup/

attic/nix/atlantis.nix

@@ -6,39 +6,46 @@ let
   values = lib.apps.appValues {
     inherit env;
     base = ../values/atlantis;
-    extraValues = {};
+    extraValues = { };
   };
 
-  kustomize = r:
+  kustomize =
+    r:
     if r.kind == "Deployment" then
       lib.attrsets.recursiveUpdate r {
-        spec.template.spec.containers =
+        spec.template.spec.containers = builtins.map (
-        builtins.map (x:
+          x:
-        x // {
+          x
+          // {
             livenessProbe.httpGet.path = "/healthz";
             readinessProble.httpGet.path = "/healthz";
-            env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ];
+            env = x.env ++ [
-        }) r.spec.template.spec.containers;
+              {
+                name = "INERNAL_PORT";
+                value = 8000;
+              }
+            ];
+          }
+        ) r.spec.template.spec.containers;
       }
-      else if r.kind == "Service" then
+    else if r.kind == "Service" then
-      {}
+      { }
-    else r;
+    else
+      r;
 in
 {
   options.apps.atlantis = lib.apps.appOptions {
-      revision = lib.mkOption {
+    revision = lib.mkOption {
-        type = lib.types.str;
+      type = lib.types.str;
-        default = "main";
+      default = "main";
-        description = "Revision";
+      description = "Revision";
-      };
+    };
 
-      hostname = lib.mkOption {
+    hostname = lib.mkOption {
-        type = lib.types.str;
+      type = lib.types.str;
-        default = if env == "prod"
+      default = if env == "prod" then "maps.oceanbox.io" else "atlantis.beta.oceanbox.io";
-          then "maps.oceanbox.io"
+      description = "Revision";
-          else "atlantis.beta.oceanbox.io";
+    };
-        description = "Revision";
-      };
   };
 
   config = lib.apps.appConfig cfg "${env}-atlantis" {

attic/nix/openfga.nix

@@ -6,34 +6,32 @@ let
   values = lib.apps.appValues {
     inherit env;
     base = ../values/openfga;
-    extraValues = {};
+    extraValues = { };
   };
 
-  kustomize = r:
+  kustomize =
-    if r.kind == "Job" then
+    r: if r.kind == "Job" then lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; } else r;
-      lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
-    else r;
 
 in
-  {
+{
-    options.apps.openfga = lib.apps.appOptions {};
+  options.apps.openfga = lib.apps.appOptions { };
 
-    config = lib.apps.appConfig cfg "${env}-openfga" {
+  config = lib.apps.appConfig cfg "${env}-openfga" {
-        helm.releases."${env}-openfga" = {
+    helm.releases."${env}-openfga" = {
-          inherit values;
+      inherit values;
-          chart = lib.helm.downloadHelmChart {
+      chart = lib.helm.downloadHelmChart {
-            repo = "https://openfga.github.io/helm-charts";
+        repo = "https://openfga.github.io/helm-charts";
-            chart = "openfga";
+        chart = "openfga";
-              version = "0.2.12";
+        version = "0.2.12";
-              chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
+        chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
-          };
-          transformer = rs: builtins.map (x: kustomize x) rs;
-        };
-
-        annotations = {};
-        resources = {
-          services.poop.spec = {
-          };
-        };
       };
-  }
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+
+    annotations = { };
+    resources = {
+      services.poop.spec = {
+      };
+    };
+  };
+}

attic/templates/kyverno.yaml

@@ -46,19 +46,19 @@ spec:
         {{ end }}
         cleanupController:
           resources:
-            limits: 
+            limits:
               memory: {{ .Values.kyverno.resources.cleanupController.memory }}
             requests:
               memory: {{ .Values.kyverno.resources.cleanupController.memory }}
         reportsController:
           resources:
-            limits: 
+            limits:
               memory: {{ .Values.kyverno.resources.reportsController.memory }}
             requests:
               memory: {{ .Values.kyverno.resources.reportsController.memory }}
         backgroundController:
           resources:
-            limits: 
+            limits:
               memory: {{ .Values.kyverno.resources.backgroundController.memory }}
             requests:
               memory: {{ .Values.kyverno.resources.backgroundController.memory }}

attic/templates/linkerd.yaml

@@ -27,17 +27,17 @@ spec:
             scheme: {{ .Values.linkerd.secretScheme }}
             {{- if .Values.linkerd.identityIssuerPEM }}
             tls:
-              crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }} 
+              crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }}
             {{- end }}
         policyValidator:
           externalSecret: true
-          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
         proxyInjector:
           externalSecret: true
-          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
         profileValidator:
           externalSecret: true
-          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
 
   project: sys
   syncPolicy:

attic/templates/metricserver.yaml

@@ -16,7 +16,7 @@ spec:
     helm:
       values: |
         containerPort: 10250
-        resources: 
+        resources:
           requests:
             cpu: 100m
             memory: 200Mi

attic/templates/otel-collector.yaml

@@ -53,7 +53,7 @@ spec:
               endpoint: "tempo.tempo.svc:4317"
               tls:
                 insecure: true
-            ## 
+            ##
             otlphttp/metrics:
               endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
               tls:

attic/templates/policies/generate-external-admin-rolebinding.yaml

@@ -12,8 +12,8 @@ metadata:
     policies.kyverno.io/minversion: 1.7.0
     kyverno.io/kubernetes-version: "1.23"
     policies.kyverno.io/description: >-
-      Customers should not have full admin permissions on their own namespaces.  
+      Customers should not have full admin permissions on their own namespaces.
-      This policy will generate a RoleBinding, binding their group_id to 
+      This policy will generate a RoleBinding, binding their group_id to
       the Cluster-Admin clusterrole. This will still only apply to the namespace as
       the resource is a rolebinding, not clusterrolebinding.
       This policy should not trigger on any namespaces with label component=sys

attic/templates/policies/prometheus-add-folder-to-default-dashboards.yaml

@@ -24,7 +24,7 @@ spec:
             grafana_folder: Prometheus-stack
       targets:
       - apiVersion: v1
-        kind: ConfigMap        
+        kind: ConfigMap
         name: "{{`{{ request.object.metadata.name }}`}}"
     name: generate-dashboard-folder-annotation
     skipBackgroundRequests: true

attic/templates/policies/sync-regcred.yaml

@@ -13,7 +13,7 @@ metadata:
       is time consuming and error prone. This policy will copy a
       Secret called `regcred` which exists in the `default` Namespace to
       new Namespaces when they are created. It will also push updates to
-      the copied Secrets should the source Secret be changed.            
+      the copied Secrets should the source Secret be changed.
 spec:
   rules:
   - name: sync-image-pull-secret

attic/templates/policies/whitelist-internal-ingresses.yaml

@@ -9,12 +9,12 @@ metadata:
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Ingress
     policies.kyverno.io/description: >-
-      Ingresses with the label "internal=true" should be whitelisted. 
+      Ingresses with the label "internal=true" should be whitelisted.
-      If no whitelist exists, add the default values, otherwise append 
+      If no whitelist exists, add the default values, otherwise append
       whitelist to the already existing ones
 spec:
   mutateExistingOnPolicyUpdate: false
-  #precondition: has whitelist annotation or 
+  #precondition: has whitelist annotation or
   rules:
   - name: ensure-nginx-whitelist-exists
     match:

attic/templates/resources/dashboards/rabbitmq.yaml

@@ -32,7 +32,7 @@ data:
           }
       ],
       "__elements":{
-          
+
       },
       "__requires":[
           {
@@ -70,7 +70,7 @@ data:
                   "limit":100,
                   "matchAny":false,
                   "tags":[
-                      
+
                   ],
                   "type":"dashboard"
                 },
@@ -83,7 +83,7 @@ data:
       "graphTooltip":0,
       "id":null,
       "links":[
-          
+
       ],
       "liveNow":false,
       "panels":[
@@ -130,7 +130,7 @@ data:
                       }
                   },
                   "mappings":[
-                      
+
                   ],
                   "thresholds":{
                       "mode":"absolute",
@@ -195,7 +195,7 @@ data:
             "options":{
                 "legend":{
                   "calcs":[
-                      
+
                   ],
                   "displayMode":"list",
                   "placement":"bottom",
@@ -255,7 +255,7 @@ data:
                 "multi":false,
                 "name":"DS_PROMETHEUS",
                 "options":[
-                  
+
                 ],
                 "query":"prometheus",
                 "refresh":1,
@@ -266,7 +266,7 @@ data:
             },
             {
                 "current":{
-                  
+
                 },
                 "datasource":{
                   "type":"prometheus",
@@ -279,7 +279,7 @@ data:
                 "multi":false,
                 "name":"namespace",
                 "options":[
-                  
+
                 ],
                 "query":{
                   "query":"label_values(rabbitmq_identity_info, namespace)",
@@ -296,7 +296,7 @@ data:
             },
             {
                 "current":{
-                  
+
                 },
                 "datasource":{
                   "type":"prometheus",
@@ -309,7 +309,7 @@ data:
                 "multi":false,
                 "name":"rabbitmq_cluster",
                 "options":[
-                  
+
                 ],
                 "query":{
                   "query":"label_values(rabbitmq_identity_info{namespace=\"$namespace\"}, rabbitmq_cluster)",
@@ -326,7 +326,7 @@ data:
             },
             {
                 "current":{
-                  
+
                 },
                 "datasource":{
                   "type":"prometheus",
@@ -339,7 +339,7 @@ data:
                 "multi":false,
                 "name":"queue",
                 "options":[
-                  
+
                 ],
                 "query":{
                   "query":"query_result(rabbitmq_detailed_queue_messages{namespace=\"$namespace\"} * on (instance, job) group_left(rabbitmq_cluster) rabbitmq_identity_info{namespace=\"$namespace\", rabbitmq_cluster=\"$rabbitmq_cluster\"})",
@@ -361,7 +361,7 @@ data:
           "to":"now"
       },
       "timepicker":{
-          
+
       },
       "timezone":"",
       "title":"RabbitMQ-Queue",

attic/templates/resources/kube-proxy-rbac.yaml

@@ -37,7 +37,7 @@ rules:
     resources:
       - events
     verbs: ["*"]
-      
+
   - nonResourceURLs: ["*"]
     verbs: ["*"]
   - apiGroups:

attic/templates/resources/pre-cert-manager.yaml

@@ -139,8 +139,8 @@ spec:
         resources: {}
         securityContext:
           allowPrivilegeEscalation: false
-        command: 
+        command:
-        - "/bin/sh" 
+        - "/bin/sh"
         - -c
         - /tmp/renew-certs/renew-certs.sh
         volumeMounts:
@@ -216,7 +216,7 @@ metadata:
   name: default-deny-egress
   namespace: cert-manager
 spec:
-  podSelector: 
+  podSelector:
     matchLabels:
       block-egress: "true"
   policyTypes:

attic/templates/resources/pre-gitlab-runner.yaml

@@ -42,8 +42,8 @@ spec:
         resources: {}
         securityContext:
           allowPrivilegeEscalation: false
-        command: 
+        command:
-        - "/bin/sh" 
+        - "/bin/sh"
         - -c
         - /tmp/renew-certs/renew-certs.sh
         volumeMounts:
@@ -119,7 +119,7 @@ metadata:
   name: default-deny-egress
   namespace: gitlab
 spec:
-  podSelector: 
+  podSelector:
     matchLabels:
       block-egress: "true"
   policyTypes:

attic/values/dex/templates/.vscode/launch.json

@@ -1,7 +1,4 @@
 {
-    // Use IntelliSense to learn about possible attributes.
-    // Hover to view descriptions of existing attributes.
-    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
     "version": "0.2.0",
     "configurations": [
         {

attic/values/dex/templates/README.md

@@ -1,4 +1,4 @@
-# Oceanbox IdP 
+# Oceanbox IdP
 
 ```
 npm install && npm start

attic/values/dex/templates/deploy.sh

@@ -2,16 +2,16 @@
 
 server="root@fs1-0"
 path="/vol/brick0/nfs0/k1/pv-oceanbox-dex"
-dest="$server:$path"
+dest="${server}:${path}"
 
 index=$(basename dist/assets/index-*.js)
 
-ssh $server -- rm $path/static/js/*.js
+ssh "${server}" -- rm "${path}"/static/js/*.js
-scp dist/assets/*.js $dest/static/js/
+scp dist/assets/*.js "${dest}"/static/js/
 
-sed -r "s/@index@/$index/" ./dex/templates/login.html > login.html.$$
+sed -r "s/@index@/${index}/" ./dex/templates/login.html > login.html.$$
-scp ./dex/templates/* $dest/templates/
+scp ./dex/templates/* "${dest}"/templates/
-scp ./dex/static/*.* $dest/static/
+scp ./dex/static/*.* "${dest}"/static/
-scp login.html.$$ $dest/templates/login.html
+scp login.html.$$ "${dest}"/templates/login.html
 rm login.html.$$
 ssh admin@k1-0.itpartner.intern -- kubectl rollout restart -n oceanbox deployment/dex

attic/values/dex/templates/src/App.fs

@@ -66,7 +66,7 @@ let MyApp() =
       if isNullOrUndefined localStorage["user_id"] then
          ""
       else
-         localStorage["user_id"]  
+         localStorage["user_id"]
       // Browser.Dom.document.cookie
       // |> fun s -> s.Split ';'
       // |> Array.filter (fun s -> s.StartsWith "user_id=")
@@ -75,7 +75,7 @@ let MyApp() =
       // |> Option.defaultValue ""
 
     let toggleAmnesia _ = setAmnesia (not amnesia)
-      
+
     html $"""
         <div class="centering">
         <div @keydown={Ev(onEnter)}>

bin/generate.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# shellcheck disable=SC2034  # Unused variables left for readability
 
 helmfile () {
 
@@ -10,30 +11,30 @@ bases:
  - ../envs/environments.yaml.gotmpl
 
 commonLabels:
-  tier: $tier
+  tier: ${tier}
 
 releases:
-- name: $name
+- name: ${name}
-  namespace: {{ .Environment.Name }}-$name
+  namespace: {{ .Environment.Name }}-${name}
-  chart: ../charts/$name
+  chart: ../charts/${name}
-  condition: $name.enabled
+  condition: ${name}.enabled
   values:
-  - ../values/$name/values/values.yaml.gotmpl
+  - ../values/${name}/values/values.yaml.gotmpl
-  - ../values/$name/values/values-{{ .Environment.Name }}.yaml
+  - ../values/${name}/values/values-{{ .Environment.Name }}.yaml
   postRenderer: ../bin/kustomizer
   postRendererArgs:
-  - ../values/$name/kustomize/{{ .Environment.Name }}
+  - ../values/${name}/kustomize/{{ .Environment.Name }}
   missingFileHandler: Info
 - name: manifests
-  namespace: {{ .Environment.Name }}-$name
+  namespace: {{ .Environment.Name }}-${name}
   chart: manifests
-  condition: $name.enabled
+  condition: ${name}.enabled
   missingFileHandler: Info
   values:
   - ../values/env.yaml
   - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
-  - ../values/$name/env.yaml.gotmpl
+  - ../values/${name}/env.yaml.gotmpl
-  - ../values/$name/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  - ../values/${name}/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
   hooks:
   - events: [ prepare, cleanup ]
     showlogs: true
@@ -42,7 +43,7 @@ releases:
     - '{{\`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}\`}}'
     - '{{\`{{ .Release.Chart }}\`}}'
     - '{{\`{{ .Environment.Name }}\`}}'
-    - ../values/$name/manifests
+    - ../values/${name}/manifests
     - manifests
 EOF
 }
@@ -59,10 +60,10 @@ done
 
 name=$1
 tier=$2
-if [ -n "$ns" ]; then
+if [[ -n "${ns}" ]]; then
-    namespace="namespace: {{ .Environment.Name }}-$name"
+    namespace="namespace: {{ .Environment.Name }}-${name}"
 else
-    namespace="namespace: $name"
+    namespace="namespace: ${name}"
 fi
 
-helmfile $1 $2
+helmfile "$1" "$2"

bin/helmify

@@ -4,39 +4,38 @@ set -o pipefail
 
 cmd=$1
 chart=$2
-env=$3
 manifests=${4:-manifests}
 outdir=${5:-_manifests}
 
 build() {
-  mkdir -p $outdir/templates
+  mkdir -p "${outdir}"/templates
-  echo "Creating $outdir/templates"
+  echo "Creating ${outdir}/templates"
 
-  echo "generating $outdir/Chart.yaml" 1>&2
+  echo "generating ${outdir}/Chart.yaml" 1>&2
 
-  cat <<EOF > $outdir/Chart.yaml
+  cat <<EOF > "${outdir}"/Chart.yaml
 apiVersion: v1
 appVersion: "1.0"
 # description: A Helm chart for Kubernetes
-name: $chart
+name: ${chart}
 version: 0.1.0
 EOF
 
-if [ -d $manifests ]; then
+if [[ -d "${manifests}" ]]; then
-    cp -r $manifests/* $outdir/templates
+    cp -r "${manifests}"/* "${outdir}"/templates
-elif [ -f $manifests ]; then
+elif [[ -f "${manifests}" ]]; then
-    cp $manifests $outdir/templates
+    cp "${manifests}" "${outdir}"/templates
 fi
 }
 
 clean() {
-  echo "cleaning $outdir" 1>&2
+  echo "cleaning ${outdir}" 1>&2
-  rm -rf $outdir
+  rm -rf "${outdir}"
 }
 
-case "$cmd" in
+case "${cmd}" in
   "build" ) build ;;
   "clean" ) clean ;;
-  * ) echo "unsupported command: $cmd" 1>&2; exit 1 ;;
+  * ) echo "unsupported command: ${cmd}" 1>&2; exit 1 ;;
 esac
 

bin/kustomizer

@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 
-[ $# != 1 ] && exit 1
+[[ $# != 1 ]] && exit 1
 
 dir=$1
-base=$dir/../base
+base=${dir}/../base
 
-if [ -f $base/kustomization.yaml -a -f $dir/kustomization.yaml ]; then
+if [[ -f "${base}"/kustomization.yaml ]] && [[ -f "${dir}"/kustomization.yaml ]]; then
-    cat > $base/_manifest.yaml
+    cat > "${base}"/_manifest.yaml
-    kubectl kustomize $dir
+    kubectl kustomize "${dir}"
 else
     cat
 fi

bootstrap/helm-kustomize-cmp/deploy.sh

@@ -3,5 +3,5 @@
 img=registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp
 tag=${1:-latest}
 
-docker build -t $img:$tag .
+docker build -t "${img}":"${tag}" .
-docker push $img:$tag
+docker push "${img}":"${tag}"

bootstrap/helm-kustomize-cmp/generate.sh

@@ -1,14 +1,15 @@
 #!/bin/sh
+# shellcheck disable=SC2154
 
 export HOME=/plugin
 
-env > /tmp/$ARGOCD_APP_NAME.env
+env > /tmp/"${ARGOCD_APP_NAME}".env
 
-echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
+echo "${ARGOCD_APP_PARAMETERS}" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
-cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml
+cp parameters.yaml /tmp/"${ARGOCD_APP_NAME}"-parameters.yaml
 
-if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
+if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
-    CHART=$PARAM_CHART
+    CHART=${PARAM_CHART}
 elif [ -d chart ]; then
     CHART=chart
 elif [ -f chart ]; then
@@ -18,19 +19,19 @@ else
 fi
 
 [ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
-[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
+[ -f values-chart.yaml ] && VALUES="${VALUES} -f values-chart.yaml"
-[ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
+[ -f values.yaml ] && VALUES="${VALUES} -f values.yaml"
-[ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
+[ -f values-"${PARAM_ENV}".yaml ] && VALUES="${VALUES} -f values-${PARAM_ENV}.yaml"
-VALUES="$VALUES -f parameters.yaml"
+VALUES="${VALUES} -f parameters.yaml"
 
-helm dependency update $CHART >/tmp/$ARGOCD_APP_NAME-helm-dependency-build.out
+helm dependency update "${CHART}" >/tmp/"${ARGOCD_APP_NAME}"-helm-dependency-build.out
 
 mkdir -p base
-echo "helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART" > /tmp/$ARGOCD_APP_NAME-helm.sh
+echo "helm template -n ${ARGOCD_APP_NAMESPACE} ${PARAM_FLAGS} ${VALUES} ${ARGOCD_APP_NAME} ${CHART}" > /tmp/"${ARGOCD_APP_NAME}"-helm.sh
-helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART > ./base/_manifest.yaml
+helm template -n "${ARGOCD_APP_NAMESPACE}" "${PARAM_FLAGS}" "${VALUES}" "${ARGOCD_APP_NAME}" "${CHART}" > ./base/_manifest.yaml
 
-cp ./base/_manifest.yaml /tmp/$ARGOCD_APP_NAME-manifest.yaml
+cp ./base/_manifest.yaml /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
 
-[ -d "$PARAM_ENV" ] && kubectl kustomize $PARAM_ENV > /tmp/$ARGOCD_APP_NAME-manifest.yaml
+[ -d "${PARAM_ENV}" ] && kubectl kustomize "${PARAM_ENV}" > /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
 
-cat /tmp/$ARGOCD_APP_NAME-manifest.yaml
+cat /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml

bootstrap/helm-kustomize-cmp/get-values.sh

@@ -18,7 +18,7 @@ EOF
     exit 0
 fi
 
-yq e -o=p $VALUES | jq --slurp --raw-input '
+yq e -o=p "${VALUES}" | jq --slurp --raw-input '
   [{
     name: "helm-parameters",
     title: "Helm Parameters",

bootstrap/helm-kustomize-cmp/init-helm-repos.sh

@@ -1,8 +1,9 @@
 #!/bin/sh
+# shellcheck disable=SC2154
 
 export HOME=/plugin
 
-helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
+helm repo add --username argocd-helm --password "${OCEANBOX_HELM_ACCESS_TOKEN}" oceanbox \
     https://gitlab.com/api/v4/projects/54396343/packages/helm/stable
 
 helm repo add bitnami https://charts.bitnami.com/bitnami

bootstrap/helm-kustomize-cmp/init.sh

@@ -4,9 +4,9 @@ export HOME=/plugin
 
 helm repo update oceanbox
 
-if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
+if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
-    helm show values $PARAM_CHART > values-chart.yaml
+    helm show values "${PARAM_CHART}" > values-chart.yaml
 elif [ -f chart ]; then
     CHART=$(cat chart)
-    helm show values $CHART > values-chart.yaml
+    helm show values "${CHART}" > values-chart.yaml
 fi

bootstrap/helmfile-cmp/deploy.sh

@@ -3,5 +3,5 @@
 img=registry.gitlab.com/oceanbox/manifests/helmfile-cmp
 tag=${1:-latest}
 
-docker build -t $img:$tag .
+docker build -t "${img}":"${tag}" .
-docker push $img:$tag
+docker push "${img}":"${tag}"

bootstrap/helmfile-cmp/generate.sh

@@ -1,4 +1,5 @@
 #!/bin/sh
+# shellcheck disable=SC2154
 
 # NOTE: Ensure errors are part of exitcode
 # set -o pipefail
@@ -10,7 +11,7 @@ export HELM_CONFIG_HOME=/tmp/helm/config
 export HELMFILE_CACHE_HOME=/tmp/helmfile/cache
 export HELMFILE_TEMPDIR=/tmp/helmfile/tmp
 
-test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT=$ARGOCD_ENV_HELMFILE_ENVIRONMENT
+test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT="${ARGOCD_ENV_HELMFILE_ENVIRONMENT}"
-test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH=$ARGOCD_ENV_HELMFILE_FILE_PATH
+test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH="${ARGOCD_ENV_HELMFILE_FILE_PATH}"
 
-helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template -q --include-crds 
+helmfile -n "${ARGOCD_APP_NAMESPACE}" "${ARGS}" template -q --include-crds

bootstrap/reset-ekman-cluster.sh

@@ -13,7 +13,7 @@ kubectl --context ekman apply -f cluster-admin-token.yaml
 # kubectl --context oceanbox apply -f _cluster-ekman.yaml
 
 token=$(kubectl --context ekman get secret -n kube-system argocd-manager-token -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
-sed "s/@token@/$token/" cluster-ekman.yaml > _cluster-ekman.yaml
+sed "s/@token@/${token}/" cluster-ekman.yaml > _cluster-ekman.yaml
 echo "configure argocd ekman-cluster..."
 cat _cluster-ekman.yaml
 kubectl --context oceanbox apply -f _cluster-ekman.yaml

nix/checks.nix

@@ -0,0 +1,65 @@
+let
+  sources = import ./default.nix;
+  pkgs = import sources.nixpkgs { };
+  pre-commit = import sources.git-hooks;
+
+  globalExcludes = [
+    "nix/default.nix"
+    ".*vendor"
+    ".*chart/.*"
+    ".*schema.json"
+  ];
+
+in
+pre-commit.run {
+  src = pkgs.nix-gitignore.gitignoreSource [ ] ../.;
+  # Do not run at pre-commit time
+  default_stages = [
+    "pre-push"
+  ];
+  # TODO(mrtz): Remove when default
+  package = pkgs.prek;
+  # Linters From https://github.com/cachix/pre-commit-hooks.nix
+  hooks = {
+    nixfmt-rfc-style = {
+      enable = true;
+      excludes = globalExcludes;
+    };
+
+    trim-trailing-whitespace.enable = true;
+
+    shellcheck = {
+      enable = true;
+      excludes = [
+        "vcluster/"
+      ];
+      args = [
+        "-x"
+        "-o"
+        "all"
+      ];
+    };
+
+    yamllint = {
+      enable = false;
+      excludes = [
+        "attic/"
+        "charts/templates/"
+        "charts/charts/"
+      ];
+      settings = {
+        strict = true;
+        configData = ''{ extends: default, rules: { document-start: disable, line-length: {max: 165} } }'';
+      };
+    };
+
+    check-json.enable = true;
+
+    renovate-config-validator = {
+      enable = true;
+      files = "renovate.json$";
+      entry = "renovate-config-validator";
+    };
+
+  };
+}

nix/sources.json

@@ -1,5 +1,18 @@
 {
   "pins": {
+    "git-hooks": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "cachix",
+        "repo": "git-hooks.nix"
+      },
+      "branch": "master",
+      "submodules": false,
+      "revision": "b68b780b69702a090c8bb1b973bab13756cc7a27",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/b68b780b69702a090c8bb1b973bab13756cc7a27.tar.gz",
+      "hash": "1k99smax7zpa5cdw9afa4v4y4155amy21a8z5z8x3cikdz3gyx5p"
+    },
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",

raw/tos/oceanbox/database/upload-img.sh

@@ -3,7 +3,7 @@
 # Simple script for uploading a base64 encoded image into our database. For
 # grafana business image panels.
 
-if [ $# -ne 2 ]
+if [[ $# -ne 2 ]]
 then
 	echo "Usage: $0 <image-name> <file>.png"
 	exit 1
@@ -12,9 +12,9 @@ fi
 filename=$1
 file=$2
 
-if [ ! -e $file ]
+if [[ ! -e "${file}" ]]
 then
-	echo "file $file does not exist"
+	echo "file ${file} does not exist"
 	exit 1
 fi
 
@@ -22,9 +22,9 @@ function create_image() {
 	local filename=$1
 	local data=$2
 cat << EOF
-INSERT INTO images VALUES('$filename', '$data');
+INSERT INTO images VALUES('${filename}', '${data}');
 EOF
 }
 
-data=$(cat $file | base64 -w0)
+data=$(base64 -w0 < "${file}")
-create_image $filename $data
+create_image "${filename}" "${data}"

renovate.json

@@ -1,4 +1,3 @@
-// -*- mode: jsonc -*-
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [

shell.nix

@@ -6,35 +6,45 @@ let
     config = { };
     overlays = [ ];
   };
+  checks = import ./nix/checks.nix;
 in
 pkgs.mkShellNoCC {
   name = "clstr";
 
-  packages = with pkgs; [
+  packages =
-    just
+    with pkgs;
-    npins
+    [
+      # dev tools
+      just
+      npins
 
-    # helm
+      # helm
-    helmfile
+      helmfile
-    kubernetes-helm
+      kubernetes-helm
 
-    # kubectl tools
+      # kubectl tools
-    kubectl-cnpg
+      kubectl-cnpg
-    kubectl-neat
+      kubectl-neat
-    kubelogin
+      kubelogin
-    kubelogin-oidc
+      kubelogin-oidc
-    kubectl-rook-ceph
+      kubectl-rook-ceph
 
-    # other tools
+      # other tools
-    step-cli
+      step-cli
-    linkerd
+      linkerd
-    velero
+      velero
-    cmctl
+      cmctl
+      renovate
 
-    # dapr
+      # dapr
-    dapr-cli
+      dapr-cli
-  ];
+    ]
+    ++ checks.enabledPackages;
 
-  ARGOCD_ENV_CLUSTER_NAME = "rossby";
+  ARGOCD_ENV_CLUSTER_NAME = "hel1";
   HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
+
+  shellHook = builtins.concatStringsSep "\n" [
+    checks.shellHook
+  ];
 }

values/atlantis/kustomize/prod/appsettings.json

@@ -73,7 +73,7 @@
     "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
     "sorcerer" : "https://sorcerer.data.oceanbox.io",
     "allowedOrigins": [
-        "https://maps.oceanbox.io",
+        "https://maps.oceanbox.io"
     ],
     "appName": "atlantis",
     "appEnv": "prod",

values/linkerd/values/linkerd.yaml.gotmpl

@@ -4,14 +4,14 @@ identity:
     scheme: {{ .Values.linkerd.secretScheme }}
     {{- if .Values.linkerd.identityIssuerPEM }}
     tls:
-      crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }} 
+      crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }}
     {{- end }}
 policyValidator:
   externalSecret: true
-  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
 proxyInjector:
   externalSecret: true
-  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
 profileValidator:
   externalSecret: true
-  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+  caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}

values/metrics-server/values/metrics-server.yaml.gotmpl

@@ -1,5 +1,5 @@
 containerPort: 10250
-resources: 
+resources:
     requests:
         cpu: 100m
         memory: 200Mi

values/nfs-provisioner/manifests/nfs-provisioner.yaml

@@ -6,7 +6,7 @@ metadata:
   namespace: argocd
 spec:
   destination:
-    namespace: kube-system 
+    namespace: kube-system
     server: 'https://kubernetes.default.svc'
   sources:
   - repoURL: {{ .Values.clusterConfig.manifests }}

values/plume/kustomize/prod/appsettings.json

@@ -6,5 +6,5 @@
     "appVersion": "1.0.0",
     "cacheDir": "/data/archives/cache/prod",
     "otelCollector": "http://10.255.241.12:4317",
-    "sentryUrl": "https://2b68ecf0c4d02e6cc9433c371321ac9d@o4509530141622272.ingest.de.sentry.io/4509910315237456",
+    "sentryUrl": "https://2b68ecf0c4d02e6cc9433c371321ac9d@o4509530141622272.ingest.de.sentry.io/4509910315237456"
 }

values/prometheus/manifests/policies/prometheus-add-folder-to-default-dashboards.yaml

@@ -24,7 +24,7 @@ spec:
             grafana_folder: Prometheus-stack
       targets:
       - apiVersion: v1
-        kind: ConfigMap        
+        kind: ConfigMap
         name: "{{`{{ request.object.metadata.name }}`}}"
     name: generate-dashboard-folder-annotation
     skipBackgroundRequests: true

values/redis/env.yaml.gotmpl

@@ -1,5 +1,5 @@
 redis:
-  enabled: true 
+  enabled: true
   envs:
   - prod
   - staging

values/redis/manifests/redis.yaml

@@ -3,7 +3,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: {{ . }}-redis 
+  name: {{ . }}-redis
   namespace: argocd
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true

values/sorcerer/kustomize/prod-rossby/appsettings.json

@@ -60,7 +60,7 @@
         "https://maps.beta.oceanbox.io",
         "https://atlantis.beta.oceanbox.io",
         "https://jonas-atlantis.dev.oceanbox.io",
-        "https://stig-atlantis.dev.oceanbox.io",
+        "https://stig-atlantis.dev.oceanbox.io"
     ],
     "appName": "sorcerer",
     "appEnv": "prod",

values/system/hel1/kyverno/sync-regcred.yaml

@@ -13,7 +13,7 @@ metadata:
       is time consuming and error prone. This policy will copy a
       Secret called `regcred` which exists in the `default` Namespace to
       new Namespaces when they are created. It will also push updates to
-      the copied Secrets should the source Secret be changed.            
+      the copied Secrets should the source Secret be changed.
 spec:
   rules:
   - name: sync-image-pull-secret

values/system/manifests/kube-proxy-rbac.yaml

@@ -37,7 +37,7 @@ rules:
     resources:
       - events
     verbs: ["*"]
-      
+
   - nonResourceURLs: ["*"]
     verbs: ["*"]
   - apiGroups:

values/system/oceanbox/kyverno/sync-regcred.yaml

@@ -13,7 +13,7 @@ metadata:
       is time consuming and error prone. This policy will copy a
       Secret called `regcred` which exists in the `default` Namespace to
       new Namespaces when they are created. It will also push updates to
-      the copied Secrets should the source Secret be changed.            
+      the copied Secrets should the source Secret be changed.
 spec:
   rules:
   - name: sync-image-pull-secret

values/umami/queries/query

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-if [ $# -ne 1 ]
+if [[ $# -ne 1 ]]
 then
 	echo "Usage: $0 <file>.sql"
 	exit 1
@@ -8,11 +8,11 @@ fi
 
 file=$1
 
-if [ ! -e $file ]
+if [[ ! -e "${file}" ]]
 then
-	echo "file $file does not exist"
+	echo "file ${file} does not exist"
 	exit 1
 fi
 
-cat $file | kubectl -n analytics exec -i svc/prod-umami-db-rw -c postgres -- psql app
+kubectl -n analytics exec -i svc/prod-umami-db-rw -c postgres -- psql app < "${file}"
 

values/umami/queries/sim_count.sql

@@ -32,7 +32,7 @@ GROUP BY
 
 SELECT
   *
-FROM 
+FROM
   crosstab_integer_5_cols(
     'SELECT * FROM simulations
      WHERE

values/umami/queries/umami-visitors.sql

@@ -1,4 +1,4 @@
-select 
+select
 	s.distinct_id,
 	count(distinct w.visit_id)
 from
@@ -9,7 +9,7 @@ join
 where
 	w.website_id = '16e7d807-4db5-45fd-92a9-27393445a153'
 	and w.event_type = 1
-	and w.created_at between '2025-10-13' and '2025-10-19' 
+	and w.created_at between '2025-10-13' and '2025-10-19'
 	and s.distinct_id is not null
 	and substring(s.distinct_id similar '%#"@%#"' escape '#') not in ('@oceanbox.io')
 group by

values/umami/queries/umami.sql

@@ -9,7 +9,7 @@ join
 where
 	w.website_id = '16e7d807-4db5-45fd-92a9-27393445a153'
 	and w.event_type = 1
-	and w.created_at between '2025-10-06' and '2025-10-10' 
+	and w.created_at between '2025-10-06' and '2025-10-10'
 	and s.distinct_id is not null
 	and s.distinct_id like '%@%'
 group by

values/umami/queries/weekly-sim-submit-count-norm.sql

@@ -21,7 +21,7 @@
 
 SELECT
   *
-FROM 
+FROM
   crosstab(
     'SELECT "group", sim_type, count::text FROM weekly_sim_submit_count_v2 ORDER BY 1, 2',
     'SELECT DISTINCT sim_type FROM weekly_sim_submit_count_v2 ORDER BY 1'