💄(gh): Update Trunk configuration and re-lint everything

Signed-off-by: Alexandre Nicolaie <xunleii@users.noreply.github.com>

.devcontainer/config/etc.docker.registry.config.yaml

@@ -15,22 +15,22 @@
 ---
 version: 0.1
 log:
-    fields:
-        service: registry
+  fields:
+    service: registry
 storage:
-    delete:
-        enabled: true
-    cache:
-        blobdescriptor: inmemory
-    filesystem:
-        rootdirectory: /var/lib/registry
+  delete:
+    enabled: true
+  cache:
+    blobdescriptor: inmemory
+  filesystem:
+    rootdirectory: /var/lib/registry
 http:
-    addr: :80
-    headers:
-        X-Content-Type-Options: [nosniff]
-        Access-Control-Allow-Origin: ["*"]
-        Access-Control-Allow-Methods: [HEAD, GET, OPTIONS, DELETE]
-        Access-Control-Allow-Headers: [Authorization, Accept]
-        Access-Control-Max-Age: [1728000]
-        Access-Control-Allow-Credentials: [true]
-        Access-Control-Expose-Headers: [Docker-Content-Digest]
+  addr: :80
+  headers:
+    X-Content-Type-Options: [nosniff]
+    Access-Control-Allow-Origin: ["*"]
+    Access-Control-Allow-Methods: [HEAD, GET, OPTIONS, DELETE]
+    Access-Control-Allow-Headers: [Authorization, Accept]
+    Access-Control-Max-Age: [1728000]
+    Access-Control-Allow-Credentials: [true]
+    Access-Control-Expose-Headers: [Docker-Content-Digest]

.devcontainer/devcontainer-lock.json

@@ -1,24 +1,24 @@
 {
-  "features": {
-    "ghcr.io/devcontainers-extra/features/direnv:1.0.2": {
-      "version": "1.0.2",
-      "resolved": "ghcr.io/devcontainers-extra/features/direnv@sha256:c79d9689ff46f7a216d486966e49f420199b68eebd56af182366f12b0aafc02d",
-      "integrity": "sha256:c79d9689ff46f7a216d486966e49f420199b68eebd56af182366f12b0aafc02d"
-    },
-    "ghcr.io/devcontainers/features/common-utils:2.5.2": {
-      "version": "2.5.2",
-      "resolved": "ghcr.io/devcontainers/features/common-utils@sha256:5b1c376d30719a4dead8fb2f272ee496cfb506f2f92b7acf9e1c24cb5399ba7d",
-      "integrity": "sha256:5b1c376d30719a4dead8fb2f272ee496cfb506f2f92b7acf9e1c24cb5399ba7d"
-    },
-    "ghcr.io/devcontainers/features/docker-outside-of-docker:1.6.0": {
-      "version": "1.6.0",
-      "resolved": "ghcr.io/devcontainers/features/docker-outside-of-docker@sha256:63dc56535ecaed989f2e6c8ca04acb5012999cd0e19f125504350b2e075b0c2c",
-      "integrity": "sha256:63dc56535ecaed989f2e6c8ca04acb5012999cd0e19f125504350b2e075b0c2c"
-    },
-    "ghcr.io/devcontainers/features/nix:1.3.0": {
-      "version": "1.3.0",
-      "resolved": "ghcr.io/devcontainers/features/nix@sha256:c221c8d50bb9c31444f376627541b25ff3c26c96aa79be1b60be8ccefe85fb70",
-      "integrity": "sha256:c221c8d50bb9c31444f376627541b25ff3c26c96aa79be1b60be8ccefe85fb70"
-    }
-  }
-}
+	"features": {
+		"ghcr.io/devcontainers-extra/features/direnv:1.0.2": {
+			"version": "1.0.2",
+			"resolved": "ghcr.io/devcontainers-extra/features/direnv@sha256:c79d9689ff46f7a216d486966e49f420199b68eebd56af182366f12b0aafc02d",
+			"integrity": "sha256:c79d9689ff46f7a216d486966e49f420199b68eebd56af182366f12b0aafc02d"
+		},
+		"ghcr.io/devcontainers/features/common-utils:2.5.2": {
+			"version": "2.5.2",
+			"resolved": "ghcr.io/devcontainers/features/common-utils@sha256:5b1c376d30719a4dead8fb2f272ee496cfb506f2f92b7acf9e1c24cb5399ba7d",
+			"integrity": "sha256:5b1c376d30719a4dead8fb2f272ee496cfb506f2f92b7acf9e1c24cb5399ba7d"
+		},
+		"ghcr.io/devcontainers/features/docker-outside-of-docker:1.6.0": {
+			"version": "1.6.0",
+			"resolved": "ghcr.io/devcontainers/features/docker-outside-of-docker@sha256:63dc56535ecaed989f2e6c8ca04acb5012999cd0e19f125504350b2e075b0c2c",
+			"integrity": "sha256:63dc56535ecaed989f2e6c8ca04acb5012999cd0e19f125504350b2e075b0c2c"
+		},
+		"ghcr.io/devcontainers/features/nix:1.3.0": {
+			"version": "1.3.0",
+			"resolved": "ghcr.io/devcontainers/features/nix@sha256:c221c8d50bb9c31444f376627541b25ff3c26c96aa79be1b60be8ccefe85fb70",
+			"integrity": "sha256:c221c8d50bb9c31444f376627541b25ff3c26c96aa79be1b60be8ccefe85fb70"
+		}
+	}
+}

.lefthook.yaml

@@ -19,30 +19,30 @@
 
 assert_lefthook_installed: true
 output:
-    - meta # Show meta information about lefthook (version, etc.)
-    - summary # Show summary block (successful and failed steps) printing
-    - empty_summary # Show summary heading when there are no steps to run
-    - success # Show successful steps printing
-    - failure # Show failed steps printing
-    - execution_out # Show printing execution output
-    - skips # Show "skip" printing (i.e. no files matched)
+  - meta # Show meta information about lefthook (version, etc.)
+  - summary # Show summary block (successful and failed steps) printing
+  - empty_summary # Show summary heading when there are no steps to run
+  - success # Show successful steps printing
+  - failure # Show failed steps printing
+  - execution_out # Show printing execution output
+  - skips # Show "skip" printing (i.e. no files matched)
 
 commit-msg:
-    commands:
-        commitlint-check:
-            run: commitlint --edit
+  commands:
+    commitlint-check:
+      run: commitlint --edit
 
 pre-push:
-    commands:
-        trunk-check:
-            run: trunk check --diff full --print-failures {push_files}
-    follow: true
-    parallel: true
+  commands:
+    trunk-check:
+      run: trunk check --diff full --print-failures {push_files}
+  follow: true
+  parallel: true
 
 pre-commit:
-    commands:
-        trunk-fmt:
-            run: trunk fmt --diff compact --print-failures {staged_files}
-            stage_fixed: true
-    follow: true
-    parallel: true
+  commands:
+    trunk-fmt:
+      run: trunk fmt --diff compact --print-failures {staged_files}
+      stage_fixed: true
+  follow: true
+  parallel: true

.trunk/configs/.hadolint.yaml

@@ -1,4 +1,4 @@
 ---
 # Following source doesn't work in most setups
 ignored:
-    - DL3025 # Use shell form of `CMD` and `ENTRYPOINT` for better readability
+  - DL3025 # Use shell form of `CMD` and `ENTRYPOINT` for better readability

.trunk/configs/.remarkrc.yaml

@@ -1,7 +1,7 @@
 ---
 plugins:
-  remark-preset-lint-consistent: true
-  remark-preset-lint-recommended: true
+  - remark-preset-lint-consistent
+  - remark-preset-lint-recommended
 
-  remark-gfm: true
-  remark-lint-list-item-indent: true
+  - remark-gfm
+  - remark-lint-list-item-indent

.trunk/trunk.yaml

@@ -3,20 +3,20 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
-  version: 1.22.6
+  version: 1.22.8
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
   sources:
     - id: trunk
-      ref: v1.6.3
+      ref: v1.6.5
       uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
   enabled:
-    - rust@1.71.1
-    - go@1.21.0
-    - node@18.12.1
-    - python@3.10.8
+    - rust@1.82.0
+    - go@1.23.3
+    - node@22.11.0
+    - python@3.12.2
 # This is the section where you override some tools' configurations.
 tools:
   definitions:
@@ -33,36 +33,35 @@ lint:
     - eslint
     - isort
     - markdown-table-prettify
-    - prettier
+    - nixpkgs-fmt # nixpkgs-fmt can't be built using the current devcontainer
     - rome
     - terrascan
     - trunk-toolbox
+    - yamllint # yamllint conflicts with prettier
   enabled:
-    - nixpkgs-fmt@1.3.0
-    - actionlint@1.7.3
-    - biome@1.9.3
-    - checkov@3.2.256
+    - actionlint@1.7.4
+    - biome@1.9.4
+    - checkov@3.2.296
     - git-diff-check
-    - hadolint@2.12.0
-    - markdown-link-check@3.12.2
+    - hadolint@2.12.1-beta
+    - markdown-link-check@3.13.6
     - markdownlint@0.42.0
-    - osv-scanner@1.9.0
+    - osv-scanner@1.9.1
     - oxipng@9.1.2
+    - prettier@3.3.3
     - remark-lint@12.0.1
-    - renovate@38.109.0
-    - ruff@0.6.8
+    - renovate@39.16.0
+    - ruff@0.7.3
     - shellcheck@0.10.0
     - shfmt@3.6.0
     - sort-package-json@2.10.1
     - svgo@3.3.2
     - taplo@0.9.3
-    - trivy@0.55.2
-    - trufflehog@3.82.6
-    - yamllint@1.35.1
+    - trivy@0.56.2
+    - trufflehog@3.83.6
   ignore:
     - # Architecture SVG diagram cannot be linted by svgo
-      linters:
-        - svgo
+      linters: [svgo]
       paths:
         - projects/nex.rpi/assets/architecture.svg
     - # DO NOT SCAN ANY FILES IN THE UNENCRYPTED KVSTORE
@@ -74,9 +73,19 @@ lint:
       linters:
         - shellcheck
         - shfmt
-        - yamllint
+        - prettier
       paths:
         - projects/chezmoi.sh/src/kubevault/**/*
+    - # Prettier should not lint/format markdown files (conflict with remark-lint)
+      linters: [prettier]
+      paths: ["*.md", "**/*.md"]
+    - # Prettier should not lint/format JS/JSON files (conflict with biome)
+      linters: [prettier]
+      paths: ["*.js", "**/*.js", "*.json", "**/*.json"]
+    - # Prettier should not lint/format templated YAML files
+      linters: [prettier]
+      paths:
+        - projects/nex.rpi/src/apps/nx-sso/live/production/configurations/authelia.yaml
 
   # This is the section where you override some linters' configurations.
   definitions:

CHANGELOG.md

@@ -91,7 +91,7 @@ This has some drawbacks as well:
 Still, I'm proud of this effort and think it's an excellent start. It was
 implemented in the live environment on **Q1 2024**, and it functions flawlessly
 and efficiently (the Raspberry Pi didn't use excessive power for inactive
-components most of the time, ~5.5Wh).
+components most of the time, \~5.5Wh).
 
 ## Bronze Age *(2024-2024 - A1)*
 
@@ -171,6 +171,7 @@ gained from the last one.
 > \[!IMPORTANT]
 >
 > * \[ ] **Everything MUST be declarative *(first GitOps rule)***
+>
 >   * I choose to use **Kubernetes as the orchestration** tool for this iteration.
 >     Because Kubernetes is a declarative system, I can specify the ideal state of
 >     the infrastructure and let it take care of the rest. Additionally, **it
@@ -236,13 +237,15 @@ probably be less consistent with my homelab management style.
 > \[!IMPORTANT]
 >
 > * \[ ] **Everything MUST be declarative *(first GitOps rule)***
+>
 >   * I continue to choose to use **Kubernetes as the orchestration** tool for
 >     this iteration.\
 >     Because Kubernetes is a declarative system, I can specify the ideal state
 >     of the infrastructure and let it take care of the rest.
 >
 >     It will likely result in a higher resource use on the Raspberry Pi, but
 >     overall, I believe the advantages outweigh the drawbacks.
+>
 >   * I need to find how I will handle Helm deployments in a declarative way.
 > * \[ ] **Everything MUST be versioned and immutable *(the second GitOps rule)***
 >   * Nothing changes for the versioned portion because I continue to utilize

DISASTER_RECOVERY_PLAN.md

@@ -37,20 +37,23 @@ In case of a hardware failure, we need to recover the **nex·rpi** instance by f
 When the **nex·rpi** instance is up and running, we need to bootstrap and deploy all the **nex·rpi** services.
 
 1. Bootstrap the **nex·rpi** Kubernetes instance:
+
    ```bash {"category":"disaster-recovery-plan","name":"DRP/nex·rpi (bootstrap)"}
    pushd ${ATLAS_DIR}/projects/nex.rpi
    just kubernetes bootstrap
    popd
    ```
 
 2. Deploy all the **nex·rpi** services:
+
    ```bash {"category":"disaster-recovery-plan","name":"DRP/nex·rpi"}
    pushd ${ATLAS_DIR}/projects/nex.rpi
    just kubernetes force-apply
    popd
    ```
 
 3. Deploy all "static" secrets:
+
    ```bash {"category":"disaster-recovery-plan","name":"DRP/vault.chezmoi.sh"}
    pushd ${ATLAS_DIR}/projects/chezmoi.sh
 
@@ -62,6 +65,7 @@ When the **nex·rpi** instance is up and running, we need to bootstrap and deplo
    ```
 
 4. Deploy the **chezmoi.sh** infrastructure *(required by nex·rpi)*:
+
    ```bash {"category":"disaster-recovery-plan","name":"DRP/chezmoi.sh (crossplane)"}
    pushd ${ATLAS_DIR}/projects/chezmoi.sh
    just crossplane generate-applyset || true