From 749f7993a70d9513cb5c859d7b67b8dd02943115 Mon Sep 17 00:00:00 2001 From: Truxnell <9149206+truxnell@users.noreply.github.com> Date: Wed, 27 Mar 2024 08:30:59 +1100 Subject: [PATCH 1/2] fix: move to json5 --- .github/{renovate.json => renovate.json5} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename .github/{renovate.json => renovate.json5} (87%) diff --git a/.github/renovate.json b/.github/renovate.json5 similarity index 87% rename from .github/renovate.json rename to .github/renovate.json5 index b85454ab..0d728fa9 100644 --- a/.github/renovate.json +++ b/.github/renovate.json5 @@ -8,14 +8,14 @@ "username": "trux-bot[bot]", "gitAuthor": "Trux-Bot <19149206+trux-bot[bot]@users.noreply.github.com>", "repositories": ["truxnell/nix-config"], - "ignoreTests": false, + "ignoreTests": "false", // TODO remove once out of beta? // https://docs.renovatebot.com/modules/manager/nix/ "nix": { - "enabled": true + "enabled": "true" }, "lockFileMaintenance": { - "enabled": true + "enabled": "true" }, } \ No newline at end of file From dd8c71717de5d8821327f605d1eb51b6cc23b6a9 Mon Sep 17 00:00:00 2001 From: Truxnell <9149206+truxnell@users.noreply.github.com> Date: Wed, 27 Mar 2024 17:37:38 +1100 Subject: [PATCH 2/2] feat: probot repo settings sync --- .github/renovate.json5 | 3 -- .github/settings.yaml | 75 +++++++++++++++++++++++++++++++++ .github/workflows/nix-lint.yaml | 2 +- .sops.yaml | 9 ++++ README.md | 9 ++++ Taskfile.yaml | 1 + garnix.yaml | 2 + partition.sh | 3 ++ 8 files changed, 100 insertions(+), 4 deletions(-) create mode 100644 .github/settings.yaml diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 0d728fa9..ac372804 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 
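Review bot: The three value changes in this hunk — `"ignoreTests": "false"`, `"nix": { "enabled": "true" }` and `"lockFileMaintenance": { "enabled": "true" }` — turn booleans into strings, which the rename to JSON5 does not require and which Renovate's schema declares as boolean, so I would expect `renovate-config-validator` to reject the file. If a consumer instead coerced them by JS truthiness, the non-empty string `"false"` is truthy, meaning `ignoreTests` would flip to "ignore tests" and automerge (enabled via the `automerge-github-actions` preset) could proceed without waiting on checks — the opposite of what the file said before. Restore the literals: `"ignoreTests": false,` and `"enabled": true` in both blocks; the follow-up commit keeps `"ignoreTests": "false"` as context, so it needs the same correction there.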
@@ -4,10 +4,7 @@ "github>truxnell/renovate-config", "github>truxnell/renovate-config:automerge-github-actions", ], - "platform": "github", - "username": "trux-bot[bot]", "gitAuthor": "Trux-Bot <19149206+trux-bot[bot]@users.noreply.github.com>", - "repositories": ["truxnell/nix-config"], "ignoreTests": "false", // TODO remove once out of beta? diff --git a/.github/settings.yaml b/.github/settings.yaml new file mode 100644 index 00000000..81424c55 --- /dev/null +++ b/.github/settings.yaml 
@@ -0,0 +1,75 @@
+# These settings are synced to GitHub by https://probot.github.io/apps/settings/
+
+repository:
+ # See https://docs.github.com/en/rest/reference/repos#update-a-repository for all available settings.
+
+ # The name of the repository. Changing this will rename the repository
+ name: nix-config
+
+ # A short description of the repository that will show up on GitHub
+ description: My nix & nixos home setup
+
+ # A URL with more information about the repository
+ # homepage: https://example.github.io/
+
+ # A comma-separated list of topics to set on the repository
+ topics: nix, nixos
+
+ # Either `true` to make the repository private, or `false` to make it public.
+ private: false
+
+ # Either `true` to enable issues for this repository, `false` to disable them.
+ has_issues: true
+
+ # Either `true` to enable projects for this repository, or `false` to disable them.
+ # If projects are disabled for the organization, passing `true` will cause an API error.
+ has_projects: false
+
+ # Either `true` to enable the wiki for this repository, `false` to disable it.
+ has_wiki: false
+
+ # Either `true` to enable downloads for this repository, `false` to disable them.
+ has_downloads: false
+
+ # Updates the default branch for this repository.
+ default_branch: main
+
+ # Either `true` to allow squash-merging pull requests, or `false` to prevent
+ # squash-merging.
+ allow_squash_merge: true
+
+ # Either `true` to allow merging pull requests with a merge commit, or `false`
+ # to prevent merging pull requests with merge commits.
+ allow_merge_commit: false
+
+ # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+ # rebase-merging.
+ allow_rebase_merge: true
+
+ # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+ delete_branch_on_merge: true
+
+ # Either `true` to enable automated security fixes, or `false` to disable
+ # automated security fixes.
+ enable_automated_security_fixes: false + + # Either `true` to enable vulnerability alerts, or `false` to disable + # vulnerability alerts. + enable_vulnerability_alerts: true + +# Labels: define labels for Issues and Pull Requests +# labels: +# - name: bug +# color: CC0000 +# description: An issue with the system 🐛. + +# - name: feature +# # If including a `#`, make sure to wrap it with quotes! +# color: '#336699' +# description: New functionality. + +# - name: Help Wanted +# # Provide a new name to rename an existing label +# new_name: first-timers-only + +# TODO branch protection once nailed down. \ No newline at end of file diff --git a/.github/workflows/nix-lint.yaml b/.github/workflows/nix-lint.yaml index 0cda545c..946a45a9 100644 --- a/.github/workflows/nix-lint.yaml +++ b/.github/workflows/nix-lint.yaml @@ -1,4 +1,4 @@ -name: Nix Flake Check +name: Nix Lint on: [pull_request] diff --git a/.sops.yaml b/.sops.yaml index a2a60636..c5600d9c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,4 +1,13 @@ --- +# config files for sops & used for encrypting keys that sops-nix decrypts. +# each machine key is derieved from its generated `ssh_hosts_ed` file +# via ssh-to-age +# sops encrypts the secrets ready to decrypt with the private key of any of the below machines +# OR my 'main' key thats kept outside this repo securely. + +# key-per-machine is a little more secure and a little more work than +# copying one key to each machine + keys: - &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn - &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz diff --git a/README.md b/README.md index 676f0574..ee9526c8 100644 --- a/README.md +++ b/README.md 
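Review bot: Syncing `.github/settings.yaml` through the Probot Settings app makes a commit on `main` equivalent to repository-admin access — whoever can push, or get an automerged PR landed, can flip `private`, `default_branch` or the merge rules — yet the hunk ends with `# TODO branch protection once nailed down.` and defines no `branches:` block, so the sync itself becomes the weakest control; the README hunk in this same commit already expects `settings.yaml` to carry the PR checks. I would add the protection block below before enabling the sync, with `required_status_checks.contexts` naming the check-run GitHub reports for the lint job (usually the job name rather than the workflow `name:` this commit renames to `Nix Lint` — confirm in a PR's checks tab). `enable_automated_security_fixes: false` next to `enable_vulnerability_alerts: true` also deserves a one-line reason, e.g. `# dependency updates are handled by Renovate (renovate.json5); Dependabot fixes are intentionally off`, otherwise it reads as a dropped security control.

```yaml
# … unchanged: repository: block …

branches:
  - name: main
    protection:
      # Renovate automerge is used, so no human review is demanded here;
      # the required status checks are what gate a merge.
      required_pull_request_reviews: null
      required_status_checks:
        strict: true
        # Must equal the check-run name shown on a PR for the lint job —
        # verify after the workflow rename to "Nix Lint".
        contexts: ["Nix Lint"]
      enforce_admins: true
      restrictions: null
```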
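Review bot: The new `.sops.yaml` header has a typo (`derieved` → `derived`) and names the host key as `ssh_hosts_ed`, which is not an OpenSSH file name — presumably `/etc/ssh/ssh_host_ed25519_key.pub`, the public half fed to `ssh-to-age`; spell it out so nobody converts or copies the private key instead. The statement that a secret decrypts with the key of "any of the below machines" only holds for the recipients listed in the `creation_rules` entry matching that secret's path (outside this hunk), and the "main key kept outside this repo" cannot be verified from here, so I would phrase it as `# a secret decrypts with any age recipient in the creation_rule matching its path; re-run task sops:re-encrypt after changing recipients`. The remainder of the file, including `creation_rules`, is outside the hunk.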
@@ -53,6 +53,15 @@ TBC TBC +## Checklist + +### Adding new node + +- Add to #top in flake +- Ensure secrets are grabbed from note and all sops re-encrypte with task sops:re-encrypt +- Add to relevant github action workflows +- Add to settings.yaml for PR checks + ## Applying configuration changes on a local machine can be done as follows: ```sh diff --git a/Taskfile.yaml b/Taskfile.yaml index 0d805084..db2ec4d4 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -1,4 +1,5 @@ --- +# go-task runner file - rest of config in .taskfiles/**.*.yaml version: "3" includes: diff --git a/garnix.yaml b/garnix.yaml index e5e59347..a1250621 100644 --- a/garnix.yaml +++ b/garnix.yaml @@ -1,3 +1,5 @@ +--- +# Config for garnix.io builds & caching builds: include: - homeConfigurations.* diff --git a/partition.sh b/partition.sh index e592d8f8..1813c111 100644 --- a/partition.sh +++ b/partition.sh @@ -1,3 +1,6 @@ +## STILL WIP +## Wanted to avoid bringing in complexity of disko + #!/usr/bin/env bash set -x
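Review bot: The two `## STILL WIP` comment lines and the blank are inserted above `#!/usr/bin/env bash`, so the shebang is no longer on line 1 and is no longer honored; how `partition.sh` is then interpreted depends on the caller (bash re-runs it as bash, a POSIX `sh` launcher or `sh partition.sh` does not), and any bash-ism after `set -x` may silently behave differently on a script that partitions disks. Keep `#!/usr/bin/env bash` as the very first line and place `## STILL WIP` / `## Wanted to avoid bringing in complexity of disko` immediately after it. The rest of the script is outside the hunk.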