fix: force PermitRootLogin override and add flake check workflow

CodeMaster4711 · CodeMaster4711 · commit bf829409d9d7 · 2026-04-10T20:27:06.000+02:00
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -0,0 +1,29 @@
+name: Check
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - develop
+
+jobs:
+  nix-check:
+    name: Nix flake check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: cachix/install-nix-action@v27
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - name: Check flake evaluation
+        run: |
+          nix flake check --no-build
+          nix eval .#nixosConfigurations.csf-node.config.system.nixos.label
+          nix eval .#nixosConfigurations.csf-node-arm64.config.system.nixos.label
+
+      - name: Run pre-commit hooks
+        run: nix develop --command pre-commit run --all-files
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -3,17 +3,35 @@
 
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    pre-commit-hooks.url = "github:cachix/git-hooks.nix";
+    pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs }: let
+  outputs = { self, nixpkgs, pre-commit-hooks }: let
     versions = import ./versions.nix;
+    system = "x86_64-linux";
+    pkgs = nixpkgs.legacyPackages.${system};
 
     mkSystem = { system, modules }: nixpkgs.lib.nixosSystem {
       inherit system;
       specialArgs = { inherit versions; };
       modules = modules;
     };
   in {
+    checks.${system}.pre-commit = pre-commit-hooks.lib.${system}.run {
+      src = ./.;
+      hooks = {
+        nixpkgs-fmt.enable = true;
+        statix.enable = true;
+        deadnix.enable = true;
+      };
+    };
+
+    devShells.${system}.default = pkgs.mkShell {
+      inherit (self.checks.${system}.pre-commit) shellHook;
+      packages = [ pkgs.nixpkgs-fmt pkgs.statix pkgs.deadnix ];
+    };
+
     nixosModules = {
       csf-agent        = import ./modules/csf-agent.nix;
       csf-cp           = import ./modules/csf-cp.nix;
diff --git a/modules/csf-setup.nix b/modules/csf-setup.nix
@@ -52,7 +52,7 @@ in
     services.openssh = {
       enable = true;
       settings = {
-        PermitRootLogin = "no";
+        PermitRootLogin = lib.mkForce "no";
         PasswordAuthentication = false;
         KbdInteractiveAuthentication = false;
       };
diff --git a/scripts/hooks/pre-commit b/scripts/hooks/pre-commit
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+if ! command -v nix > /dev/null 2>&1; then
+  exit 0
+fi
+
+echo "nix: checking flake evaluation..."
+nix flake check --no-build 2>&1 || {
+  echo "nix flake check failed — commit aborted"
+  exit 1
+}
+echo "nix: ok"
diff --git a/scripts/install-hooks.sh b/scripts/install-hooks.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+HOOKS_DIR="$(git rev-parse --show-toplevel)/.git/hooks"
+SCRIPTS_DIR="$(git rev-parse --show-toplevel)/scripts/hooks"
+
+for hook in "$SCRIPTS_DIR"/*; do
+  name=$(basename "$hook")
+  cp "$hook" "$HOOKS_DIR/$name"
+  chmod +x "$HOOKS_DIR/$name"
+  echo "installed: .git/hooks/$name"
+done
