
Homelab Pi Extensions

Project-local extensions for the NixOS homelab repository. These extensions provide safety guards, build validation, and context awareness for managing NixOS configurations.

Extensions

deployment-guard.ts

Prevents accidental deployments to production hosts.

Features:

  • Detects deployment commands (make switch, make boot, etc.)
  • Requires confirmation for production host deployments
  • Shows git status to ensure clean state
  • Suggests dry-build before deployment
  • Integrates with production host list from globals.nix

Production hosts:

  • rhea (NixOS server)
  • atlas (VPS)

Usage:

# Will prompt for confirmation:
make host/rhea/switch

# Will suggest dry-build first:
make switch

# Will warn about uncommitted changes

secrets-validator.ts

Prevents committing unencrypted secrets to the repository.

Features:

  • Scans staged files for potential secrets
  • Detects API keys, passwords, tokens, private keys
  • Validates agenix secrets are properly encrypted
  • Provides /scan-secrets command for manual scanning

Detected patterns:

  • API keys and secret keys
  • Passwords and tokens
  • AWS access keys
  • Private key headers

Commands:

  • /scan-secrets - Scan entire repository for potential secrets

Usage:

# Will warn before commit if secrets detected:
git commit -m "..."

# Manual scan:
/scan-secrets

Installation

These extensions are automatically loaded when working in the homelab repository (/home/vincent/src/home). They are not loaded in other projects.

To disable an extension, either:

  1. Remove or rename the .ts file
  2. Move it to a subdirectory (only index.ts files in subdirectories are loaded)

Integration with Global Extensions

The homelab also uses global extensions from ~/.pi/agent/extensions/:

  • sandbox - OS-level sandboxing (disabled with --no-sandbox)
  • validate-git-push - Git push safety (existing extension)
  • auto-theme - Automatic theme switching
  • custom-footer - Custom status bar
  • And others…

When working in the homelab, both global and project-local extensions are active.

Configuration

Deployment Guard

Edit the PRODUCTION_HOSTS array in deployment-guard.ts to add/remove production hosts:

const PRODUCTION_HOSTS = [
	"rhea", // NixOS server
	"atlas", // VPS
	// Add more hosts here
];

Secrets Validator

Edit the SECRET_PATTERNS array to customize secret detection:

const SECRET_PATTERNS = [
	{ name: "API Key", pattern: /api[_-]?key\s*[:=]\s*["']?[a-zA-Z0-9]{20,}["']?/i },
	// Add more patterns here
];

Edit the FALSE_POSITIVES array to reduce false alarms:

const FALSE_POSITIVES = [
	/password.*example/i,
	// Add more patterns here
];
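
An added example, not the code in secrets-validator.ts, of how a pattern list and a false-positive list interact when text is scanned line by line. Only the "API Key" pattern and the password.*example entry come from this README; the other patterns, the scanText helper, the Finding type and the sample input are assumptions made for illustration.

```typescript
// Added example: not the code in secrets-validator.ts.
interface SecretPattern { name: string; pattern: RegExp }
interface Finding { line: number; name: string; suppressed: boolean }

const SECRET_PATTERNS: SecretPattern[] = [
	// This entry is the one shown in the README.
	{ name: "API Key", pattern: /api[_-]?key\s*[:=]\s*["']?[a-zA-Z0-9]{20,}["']?/i },
	// The entries below are assumed patterns for the other listed categories.
	{ name: "Password", pattern: /password\s*[:=]\s*["'][^"']{8,}["']/i },
	{ name: "AWS Access Key", pattern: /\bAKIA[0-9A-Z]{16}\b/ },
	{ name: "Private Key", pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

const FALSE_POSITIVES: RegExp[] = [
	/password.*example/i, // from the README
];

// Hypothetical helper: scan text line by line. Matches on a line that also
// hits FALSE_POSITIVES are kept but flagged, so the allowlist can be audited.
function scanText(text: string): Finding[] {
	const findings: Finding[] = [];
	text.split("\n").forEach((content, index) => {
		const suppressed = FALSE_POSITIVES.some((fp) => fp.test(content));
		for (const { name, pattern } of SECRET_PATTERNS) {
			if (pattern.test(content)) {
				findings.push({ line: index + 1, name, suppressed });
			}
		}
	});
	return findings;
}

// Constructed sample input (no real credentials).
const SAMPLE = [
	'services.foo.apiKey = "abcdEFGH1234ijklMNOP5678";',
	'password = "example-placeholder";',
	"aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
	"-----BEGIN OPENSSH PRIVATE KEY-----",
	'password = "s3cr3t-value-123"; # not an example',
].join("\n");

for (const f of scanText(SAMPLE)) {
	console.log(`${f.suppressed ? "suppressed" : "ALERT"} line ${f.line}: ${f.name}`);
}
```

The last sample line shows the cost of a broad FALSE_POSITIVES entry: its trailing comment contains the word "example", so the password match on that line is suppressed. Anchoring allowlist patterns to the value being exempted, rather than to the whole line, avoids that blind spot.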

Development

Extensions are written in TypeScript and loaded via jiti, so no compilation is needed.

To reload extensions after editing:

/reload

To test an extension in isolation:

pi -e .pi/extensions/deployment-guard.ts

See Also