Add development shell

.editorconfig

@@ -19,3 +19,7 @@ trim_trailing_whitespace = unset
 [*.{yml,yaml}]
 indent_style = space
 indent_size = 2
+
+[*.{nix}]
+indent_style = space
+indent_size = 2

.github/dependabot.yml

@@ -1,5 +1,4 @@
 version: 2
-
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"

.github/workflows/ci.yml

@@ -0,0 +1,18 @@
+name: CI
+on:
+  - pull_request
+  - push
+  - workflow_dispatch
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - name: Check formatting
+        run: nix-shell --run 'just format-check'

.github/workflows/gitleaks.yml

@@ -1,12 +1,10 @@
 name: Gitleaks
-
 on:
   pull_request:
   push:
   workflow_dispatch:
   schedule:
-  - cron: "0 0 * * *" # Every day at 12:00 AM
-
+    - cron: "0 0 * * *" # Every day at 12:00 AM
 jobs:
   scan:
     name: Scan

.github/workflows/maintenance.yml

@@ -1,10 +1,8 @@
 name: "Maintenance"
-
 on:
   workflow_dispatch:
   schedule:
-  - cron: "0 0 * * FRI" # Every Friday at 12:00 AM
-
+    - cron: "0 0 * * FRI" # Every Friday at 12:00 AM
 jobs:
   update-pinned-inputs:
     name: "Update pinned flake inputs"

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+repos:
+  - repo: local
+    hooks:
+      - id: format
+        name: Enforce code formatting (just format)
+        entry: just format
+        language: system
+        pass_filenames: false
+        always_run: true
+        stages: [pre-commit]

.sops.yaml

@@ -5,29 +5,28 @@ keys:
   - &system_patchcloud age1275h9hxrg7a0j93nnv50zj6wtzxnkf5238p5f5xfv4q4ju0gn4jq884tqh
   - &system_patchmini age1k3yjaw2qjs9y4a3t6z3q93hlj3qnw436wvvxnu9sq0x4y53gd3fq8gl534
   - &system_patchshell age168844yw9thh0n3g9g892su0p6fef76w2y3pdgsm247mvwxzza48qnlnzue
-
 creation_rules:
   - path_regex: secrets\.yaml
     key_groups:
-    - age:
-      - *patchouli
-      - *system_patchberry
-      - *system_patchbox
-      - *system_patchcloud
-      - *system_patchmini
-      - *system_patchshell
+      - age:
+          - *patchouli
+          - *system_patchberry
+          - *system_patchbox
+          - *system_patchcloud
+          - *system_patchmini
+          - *system_patchshell
   - path_regex: secrets\/patchbox\.yaml
     key_groups:
-    - age:
-      - *patchouli
-      - *system_patchbox
+      - age:
+          - *patchouli
+          - *system_patchbox
   - path_regex: secrets\/patchcloud\.yaml
     key_groups:
-    - age:
-      - *patchouli
-      - *system_patchcloud
+      - age:
+          - *patchouli
+          - *system_patchcloud
   - path_regex: secrets\/patchshell\.yaml
     key_groups:
-    - age:
-      - *patchouli
-      - *system_patchshell
+      - age:
+          - *patchouli
+          - *system_patchshell

README.md

@@ -6,78 +6,95 @@
 	</a>
 </div>
 
-&nbsp;
+&#160;
 
 :construction: Declarative system configurations for my NixOS, macOS (Darwin), and Windows (WSL) machines. :construction:
 
-
 ## Systems
+
 The following systems are managed via this flake:
 
-| Host       | OS             | Arch    | Description                                                  |
+| Host | OS | Arch | Description |
 |------------|----------------|---------|--------------------------------------------------------------|
-| patchberry | NixOS          | aarch64 | An ancient Raspberry Pi Model B.                             |
-| patchbox   | NixOS          | x86_64  | A personal server for myself and friends.                    |
-| patchcloud | NixOS (VM)     | x86_64  | A VPS for tailscale egress/ingress, reverse-DNS, etc.        |
-| patchmini  | macOS (Darwin) | aarch64 | A spare M1 Mac Mini I have lying around to tinker with.      |
-| patchshell | Windows (WSL)  | x86_64  | A NixOS install running under Windows on my primary desktop. |
-
+| patchberry | NixOS | aarch64 | An ancient Raspberry Pi Model B. |
+| patchbox | NixOS | x86_64 | A personal server for myself and friends. |
+| patchcloud | NixOS (VM) | x86_64 | A VPS for tailscale egress/ingress, reverse-DNS, etc. |
+| patchmini | macOS (Darwin) | aarch64 | A spare M1 Mac Mini I have lying around to tinker with. |
+| patchshell | Windows (WSL) | x86_64 | A NixOS install running under Windows on my primary desktop. |
 
 ## Installation
+
 The installation for a given system configuration varies depending on the underlying operating system.
 
 ### Windows (WSL)
+
 1. Enable WSL if you haven't done so already.
+
 ```powershell
 wsl --install --no-distribution
 ```
+
 2. Download the latest release of `nixos.wsl` from the [NixOS-WSL](https://github.com/nix-community/NixOS-WSL) repository [here](https://github.com/nix-community/NixOS-WSL/releases/latest).
-3. Double-click `nixos.wsl` (requires WSL >= 2.4.4).
-4. Run NixOS under WSL.
+1. Double-click `nixos.wsl` (requires WSL >= 2.4.4).
+1. Run NixOS under WSL.
+
 ```powershell
 wsl -d NixOS
 ```
+
 5. Clone the repository (in NixOS) and navigate to its root.
-6. Ensure secret management is configured correctly. See [here](https://michael.stapelberg.ch/posts/2025-08-24-secret-management-with-sops-nix/) for details.
-7. Build the system configuration of your choosing and switch.
+1. Ensure secret management is configured correctly. See [here](https://michael.stapelberg.ch/posts/2025-08-24-secret-management-with-sops-nix/) for details.
+1. Build the system configuration of your choosing and switch.
+
 ```bash
 sudo nixos-rebuild switch --flake .#<system>
 ```
+
 8. Done! See [Usage](#usage) for details.
 
 ### macOS (Darwin)
+
 1. Download and install Nix using the [Nix installer from Determinate Systems](https://github.com/DeterminateSystems/nix-installer). Upstream Nix is strongly recommended.
+
 ```zsh
 curl -fsSL https://install.determinate.systems/nix | sh -s -- install --prefer-upstream-nix
 ```
+
 2. Install Rosetta if you haven't done so already and restart the Nix daemon.
+
 ```zsh
 sudo /usr/sbin/softwareupdate --install-rosetta && launchctl stop org.nixos.nix-daemon
 ```
+
 3. Clone the repository and navigate to its root.
-4. Ensure secret management is configured correctly. See [here](https://michael.stapelberg.ch/posts/2025-08-24-secret-management-with-sops-nix/) for details.
-5. Build the system configuration of your choosing and switch. This will simultaneously install nix-darwin.
+1. Ensure secret management is configured correctly. See [here](https://michael.stapelberg.ch/posts/2025-08-24-secret-management-with-sops-nix/) for details.
+1. Build the system configuration of your choosing and switch. This will simultaneously install nix-darwin.
+
 ```zsh
 sudo nix run nix-darwin/nix-darwin-25.11#darwin-rebuild -- switch --flake .#<system>
 ```
-6. Done! See [Usage](#usage) for details.
 
+6. Done! See [Usage](#usage) for details.
 
 ## Usage
-Using this flake once a system is up is simple. Run `just` from the repository root for a list of commands.
 
+Using this flake once a system is up is simple. Run `just` from the repository root for a list of commands.
+If you don't have a system up (for whatever reason), run `nix-shell` to enter a development shell and then run `just`.
 
 ## Acknowledgements
+
 Special thanks to these repositories and their owners/contributors for inspiration:
+
 - [isabelroses/dotfiles](https://github.com/isabelroses/dotfiles)
 - [Misterio77/nix-config](https://github.com/Misterio77/nix-config)
 - [uncenter/flake](https://github.com/uncenter/flake)
 - *and others.*
 
 As well as a few blog posts and articles, such as:
+
 - [Secret Management on NixOS with sops-nix](https://michael.stapelberg.ch/posts/2025-08-24-secret-management-with-sops-nix/) by Michael Stapelberg
 - *and others.*
 
-
 ## License
+
 This flake is licensed under the MIT license. See `LICENSE` for full details.

flake.nix

@@ -1,52 +1,52 @@
 {
-	inputs = {
-		nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
-
-		nixos-wsl = {
-			url = "github:nix-community/NixOS-WSL/release-25.11";
-			inputs.nixpkgs.follows = "nixpkgs";
-		};
-
-		home-manager = {
-			url = "github:nix-community/home-manager/release-25.11";
-			inputs.nixpkgs.follows = "nixpkgs";
-		};
-
-		stylix = {
-			url = "github:nix-community/stylix/release-25.11";
-			inputs.nixpkgs.follows = "nixpkgs";
-		};
-
-		disko = {
-			url = "github:nix-community/disko";
-			inputs.nixpkgs.follows = "nixpkgs";
-		};
-
-		nix-darwin = {
-			url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
-			inputs.nixpkgs.follows = "nixpkgs";
-		};
-
-		flake-parts = {
-			url = "github:hercules-ci/flake-parts";
-			inputs.nixpkgs-lib.follows = "nixpkgs";
-		};
-
-		sops-nix = {
-			url = "github:Mic92/sops-nix";
-			inputs.nixpkgs.follows = "nixpkgs";
-		};
-
-		easy-hosts.url = "github:isabelroses/easy-hosts";
-		
-		apple-fonts.url = "github:Lyndeno/apple-fonts.nix";
-
-		nix-minecraft.url = "github:Infinidoge/nix-minecraft";
-	};
-
-	outputs =
-		inputs:
-		inputs.flake-parts.lib.mkFlake { inherit inputs; } {
-			imports = [ ./systems ];
-		};
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+
+    nixos-wsl = {
+      url = "github:nix-community/NixOS-WSL/release-25.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    home-manager = {
+      url = "github:nix-community/home-manager/release-25.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    stylix = {
+      url = "github:nix-community/stylix/release-25.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nix-darwin = {
+      url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    flake-parts = {
+      url = "github:hercules-ci/flake-parts";
+      inputs.nixpkgs-lib.follows = "nixpkgs";
+    };
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    easy-hosts.url = "github:isabelroses/easy-hosts";
+
+    apple-fonts.url = "github:Lyndeno/apple-fonts.nix";
+
+    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
+  };
+
+  outputs =
+    inputs:
+    inputs.flake-parts.lib.mkFlake { inherit inputs; } {
+      imports = [ ./systems ];
+    };
 }

home/default.nix

@@ -1,12 +1,12 @@
 { ... }:
 {
-	imports = [
-		./programs
-		./wayland
-		./fonts.nix
-		./packages.nix
-	];
+  imports = [
+    ./programs
+    ./wayland
+    ./fonts.nix
+    ./packages.nix
+  ];
 
-	# Use XDG directories whenever supported.
-	home.preferXdgDirectories = true;
+  # Use XDG directories whenever supported.
+  home.preferXdgDirectories = true;
 }