add mise-driven ci tasks and hm/darwin module scaffolding

Author: syscod3

.github/workflows/ci.yml

@@ -0,0 +1,45 @@
+name: NixOS Configuration CI
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup mise
+        uses: jdx/mise-action@v2
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v25
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - name: Install toolchain
+        run: mise install
+
+      - name: Validation
+        run: mise run ci-validate
+
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup mise
+        uses: jdx/mise-action@v2
+
+      - name: Install toolchain
+        run: mise install
+
+      - name: Security checks
+        run: mise run ci-security

mise.toml

@@ -0,0 +1,55 @@
+[tools]
+python = "3.13"
+
+[tasks.fmt]
+description = "Format Nix files"
+run = '''
+set -euo pipefail
+nix fmt
+'''
+
+[tasks.fmt-check]
+description = "Check Nix formatting"
+run = '''
+set -euo pipefail
+nix fmt -- --check .
+'''
+
+[tasks.flake-check]
+description = "Run flake checks without building heavy outputs"
+run = '''
+set -euo pipefail
+nix flake check --no-build
+'''
+
+[tasks.build-dryrun]
+description = "Dry-run build for canonical host configs"
+run = '''
+set -euo pipefail
+nix build .#nixosConfigurations.bit.config.system.build.toplevel --dry-run
+'''
+
+[tasks.ci-validate]
+description = "CI validation pipeline"
+depends = ["fmt-check", "flake-check", "build-dryrun"]
+run = "echo 'validation complete'"
+
+[tasks.ci-security]
+description = "CI security checks"
+run = '''
+set -euo pipefail
+python3 -m pip install --quiet detect-secrets
+
+detect-secrets scan --baseline .secrets.baseline
+detect-secrets audit .secrets.baseline
+
+if grep -rE "(password|secret|token|api_key|private_key)\\s*=\\s*['\\\"]\\S+" . --include="*.nix" | grep -v ".github"; then
+  echo "Error: Found potential hardcoded secrets. Use sops-nix for secrets!"
+  exit 1
+fi
+
+if find . -type f -exec grep -l "BEGIN.*PRIVATE KEY" {} \\; | grep -v ".secrets.baseline"; then
+  echo "Error: Found private keys in repository!"
+  exit 1
+fi
+'''

modules/darwin/services.nix

@@ -0,0 +1,35 @@
+{ lib, pkgs, ... }:
+
+{
+  # Native nix-darwin service modules (prefer these over custom launchd jobs).
+  services.postgresql.enable = lib.mkDefault true;
+  services.redis.enable = lib.mkDefault true;
+  services.eternal-terminal.enable = lib.mkDefault false;
+
+  # Services without first-class nix-darwin modules can still be managed via
+  # launchd with nixpkgs binaries when needed.
+  launchd.daemons.openvpn = {
+    serviceConfig = {
+      KeepAlive = true;
+      RunAtLoad = false;
+      ProgramArguments = [
+        "${pkgs.openvpn}/sbin/openvpn"
+        "--config"
+        "/etc/openvpn/openvpn.conf"
+      ];
+    };
+  };
+
+  launchd.daemons.unbound = {
+    serviceConfig = {
+      KeepAlive = true;
+      RunAtLoad = false;
+      ProgramArguments = [
+        "${pkgs.unbound}/sbin/unbound"
+        "-d"
+        "-c"
+        "/etc/unbound/unbound.conf"
+      ];
+    };
+  };
+}

modules/users/giovanni.nix

@@ -0,0 +1,45 @@
+{ ... }:
+
+{
+  imports = [
+    ./ssh-config.nix
+    ./neovim
+    ./packages
+    ./runtimes-mise.nix
+  ];
+
+  # Home Manager configuration for user giovanni
+  # This can be overridden per-host if needed
+
+  home.username = "giovanni";
+  home.homeDirectory = "/home/giovanni";
+
+  # Git configuration
+  programs.git = {
+    enable = true;
+    userName = "Giovanni";
+    userEmail = "your.email@example.com"; # Change this
+    extraConfig = {
+      init.defaultBranch = "main";
+      pull.rebase = true;
+    };
+  };
+
+  # Shell configuration
+  programs.bash = {
+    enable = true;
+    shellAliases = {
+      ll = "eza -la";
+      cat = "bat";
+    };
+  };
+
+  # Fish shell (if preferred)
+  # programs.fish.enable = true;
+
+  # This value determines the Home Manager release compatibility
+  home.stateVersion = "24.11";
+
+  # Let Home Manager manage itself
+  programs.home-manager.enable = true;
+}

modules/users/packages/core.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+
+{
+  # Core user-facing CLI utilities.
+  home.packages = with pkgs; [
+    age
+    bat
+    bitwarden-cli
+    chezmoi
+    delta
+    eza
+    fd
+    fzf
+    ripgrep
+  ];
+}

modules/users/packages/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./core.nix
+    ./devops.nix
+  ];
+}

modules/users/packages/devops.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+{
+  # Non-runtime devops/security utilities. Runtime/versioned tools are
+  # intentionally owned by mise in runtimes-mise.nix.
+  home.packages = with pkgs; [
+    aws-vault
+    checkov
+    oci-cli
+    trivy
+  ];
+}

modules/users/runtimes-mise.nix

@@ -0,0 +1,44 @@
+{ lib, pkgs, ... }:
+
+let
+  # These tools overlap with brew installs and should be version-owned by mise.
+  runtimeTools = {
+    awscli = "2.24.22";
+    direnv = "2.21.3";
+    gh = "2.45.0";
+    go = "1.25.8";
+    helm = "3.14.1";
+    jq = "1.8.1";
+    kubectl = "1.35.2";
+    kubectx = "0.9.4";
+    minikube = "1.37.0";
+    neovim = "stable";
+    node = "23.9.0";
+    opentofu = "1.11.5";
+    packer = "1.15.0";
+    python = "3.13.12";
+    shellcheck = "0.11.0";
+    sops = "3.12.1";
+    task = "3.49.1";
+    terraform = "1.9.8";
+    terraform-docs = "0.21.0";
+    tflint = "0.55.1";
+    tmux = "3.6a";
+    trivy = "0.69.3";
+    yq = "4.52.4";
+  };
+in
+{
+  # Keep version ownership centralized in mise, not mixed across package managers.
+  programs.mise.enable = true;
+
+  # Ensure the executable is present even when the HM program module does not add it.
+  home.packages = [ pkgs.mise ];
+
+  xdg.configFile."mise/config.toml".text = lib.concatStringsSep "\n"
+    (
+      [ "[tools]" ]
+      ++ map (name: "${name} = \"${runtimeTools.${name}}\"")
+        (builtins.attrNames runtimeTools)
+    ) + "\n";
+}