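# Top-level build for the distrust.co infrastructure. It builds a pinned
# toolchain (go, terraform, sops, talosctl, kubectl) into $(OUT_DIR), publishes
# the maintainers' PGP keys via WKD, and applies the Terraform configuration
# for $(ENVIRONMENT).
#
# CACHE_DIR, OUT_DIR, KEY_DIR, FETCH_DIR, SRC_DIR, the *_REPO/*_REF/*_PKG pins,
# GO_VERSION/GO_HASH and the toolchain/git_clone/fetch_pgp_key macros are not
# defined here; they are expected to come from the included file.
include $(PWD)/src/toolchain/Makefile

BACKEND_TF := $(wildcard infra/backend/*.tf)
MAIN_TF := $(wildcard infra/main/*.tf)
ENVIRONMENT := production
REGION := sfo3
# NOTE(review): $(shell pwd) is kept (rather than $(CURDIR)) so ROOT_DIR agrees
# with the $(PWD)-based include above when the checkout path contains symlinks.
ROOT_DIR := $(shell pwd)
# Absolute paths: recipes below invoke these from inside infra/* via `env -C`.
# NOTE(review): the build rules target $(OUT_DIR)/terraform and
# $(OUT_DIR)/sops; make only treats those as the same targets as $(TERRAFORM)
# and $(SOPS) if OUT_DIR is also absolute — confirm in the included Makefile.
TERRAFORM := $(ROOT_DIR)/out/terraform
SOPS := $(ROOT_DIR)/out/sops
# Relative to the repository root; recipes prefix it with /home/build/ inside
# the toolchain container. Presumably equals $(FETCH_DIR)/go/bin/go — verify.
GO := cache/fetch/go/bin/go
# Fingerprints of the keys fetched into $(KEY_DIR) and published through WKD.
KEYS := \
	6B61ECD76088748C70590D55E90A401336C8AAA9 \
	88823A75ECAA786B0FF38B148E401478A3FBEF72 \
	3D7C8D39E8C4DF771583D3F0A8A091FD346001CA

# Reset whatever default goal the include may have set so a bare `make`
# builds `default`.
.DEFAULT_GOAL :=
.PHONY: default
default: \
	toolchain \
	$(patsubst %,$(KEY_DIR)/%.asc,$(KEYS)) \
	$(OUT_DIR)/website/.well-known/openpgpkey \
	apply

# Refuses to run when CACHE_DIR expands to nothing instead of executing a
# bare `rm -rf`.
.PHONY: clean
clean:
	$(if $(strip $(CACHE_DIR)),,$(error CACHE_DIR is empty))
	rm -rf $(CACHE_DIR)

# NOTE(review): no rule for credentials.tfvars is visible here; assumed to be
# provided by the included Makefile.
.PHONY: credentials
credentials: \
	$(CACHE_DIR)/secrets/credentials.tfvars

# One key file per fingerprint; the fingerprint is recovered from the target.
$(KEY_DIR)/%.asc:
	$(call fetch_pgp_key,$(basename $(notdir $@)))

# Lists the key files as prerequisites so WKD generation cannot be scheduled
# before the keys are fetched under `make -j`, and is redone when a key changes.
$(OUT_DIR)/website/.well-known/openpgpkey: \
	$(patsubst %,$(KEY_DIR)/%.asc,$(KEYS))
	$(call toolchain," \
		sq wkd \
			generate $(OUT_DIR)/website distrust.co \
			<(cat $(patsubst %,$(KEY_DIR)/%.asc,$(KEYS))) \
	")

# Builds the site after the WKD tree exists so the copy does not clobber it.
$(OUT_DIR)/website/index.html: \
	$(OUT_DIR)/website/.well-known/openpgpkey
	$(call toolchain," \
		cd $(SRC_DIR)/website \
		&& jekyll build \
		&& cp -R _site/* /home/build/out/website/ \
	")

# The recipe runs $(SOPS), so it is listed as a prerequisite alongside
# $(TERRAFORM), matching the tfstate rule below.
infra/backend/.terraform: \
	$(TERRAFORM) \
	$(SOPS) \
	$(BACKEND_TF)
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/backend $(TERRAFORM) init -upgrade \
	'

# Order-only: the binaries and backend config must exist, but their mtimes
# should not force a re-init.
infra/main/.terraform: | \
	$(TERRAFORM) \
	$(SOPS) \
	config/$(ENVIRONMENT).tfbackend \
	$(MAIN_TF)
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/main $(TERRAFORM) init -upgrade \
			-backend-config="../../config/$(ENVIRONMENT).tfbackend" \
	'

# Local state for the backend itself; `-state` is given relative to
# infra/backend because of the `env -C`.
infra/backend/$(ENVIRONMENT).tfstate: \
	$(TERRAFORM) \
	$(SOPS) \
	infra/backend/.terraform
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/backend \
		$(TERRAFORM) apply \
			-var environment=$(ENVIRONMENT) \
			-var namespace=$(ENVIRONMENT) \
			-var region=$(REGION) \
			-state ../../$@ \
	'

# The backend config file is not committed and the backend state has no shared
# remote, so the tfstate is built via a recursive $(MAKE) rather than listed as
# a prerequisite. The state path is spelled out because every prerequisite here
# is order-only, which leaves `$<` empty. Output goes through a temp file so a
# failed `terraform output` cannot leave an empty-but-up-to-date config behind.
config/$(ENVIRONMENT).tfbackend: | \
	$(TERRAFORM) \
	$(SOPS)
	$(MAKE) infra/backend/$(ENVIRONMENT).tfstate
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/backend \
		$(TERRAFORM) \
		output -state ../../infra/backend/$(ENVIRONMENT).tfstate \
		> $@.tmp \
	' && mv -f $@.tmp $@

# Decrypts the talos secrets into the working tree as plaintext (presumably
# git-ignored — confirm), applies, then re-encrypts whatever the apply updated.
.PHONY: apply
apply: \
	$(TERRAFORM) \
	$(SOPS) \
	infra/main/.terraform
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/main \
		$(TERRAFORM) apply \
			-var environment=$(ENVIRONMENT) \
			-var namespace=$(ENVIRONMENT) \
			-var region=$(REGION) \
	'
	$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
	$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
	$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
	$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)

$(CACHE_DIR)/secrets:
	mkdir -p $@

# Go source tarball pinned by GO_VERSION/GO_HASH; the hash is checked before
# anything is extracted. Only the parent and the scratch dir are created up
# front — `tar -C` creates $(FETCH_DIR)/go itself — so a failed download does
# not leave an empty target directory that make would treat as built.
$(FETCH_DIR)/go:
	mkdir -p $(dir $@) $@.tmp
	wget https://go.dev/dl/$(GO_VERSION).src.tar.gz -O $@.tmp/$(GO_VERSION).src.tar.gz
	echo "$(GO_HASH) $@.tmp/$(GO_VERSION).src.tar.gz" | sha256sum --strict --check -
	# Verify tar file is still in same format from 1.20.x
	tar -x go/VERSION -f $@.tmp/$(GO_VERSION).src.tar.gz -O > /dev/null
	tar -xf $@.tmp/$(GO_VERSION).src.tar.gz -C $(FETCH_DIR)
	rm -r $@.tmp

# Source checkouts, each pinned to a *_REF from the included Makefile.
$(FETCH_DIR)/terraform:
	$(call git_clone,$@,$(TERRAFORM_REPO),$(TERRAFORM_REF))

$(FETCH_DIR)/sops:
	$(call git_clone,$@,$(SOPS_REPO),$(SOPS_REF))

$(FETCH_DIR)/talosctl:
	$(call git_clone,$@,$(TALOSCTL_REPO),$(TALOSCTL_REF))

$(FETCH_DIR)/kubectl:
	$(call git_clone,$@,$(KUBECTL_REPO),$(KUBECTL_REF))

# Bootstraps the Go toolchain from the verified source tree.
$(FETCH_DIR)/go/bin/go: $(FETCH_DIR)/go
	$(call toolchain," \
		cd $(FETCH_DIR)/go/src && \
		./make.bash \
	")

# Static, trimmed builds with GOCACHE/GOPATH confined to $(CACHE_DIR). Paths
# are prefixed with /home/build/ because the commands run inside the toolchain
# container. terraform additionally needs SSL_CERT_DIR for module fetches.
$(OUT_DIR)/terraform: $(FETCH_DIR)/terraform $(GO)
	$(call toolchain," \
		cd $(FETCH_DIR)/terraform && \
		export SSL_CERT_DIR=/etc/ssl/certs && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		/home/build/$(GO) build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ \
	")

$(OUT_DIR)/sops: $(FETCH_DIR)/sops $(GO)
	$(call toolchain," \
		cd $(FETCH_DIR)/sops && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		/home/build/$(GO) build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ $(SOPS_PKG) \
	")

$(OUT_DIR)/talosctl: $(FETCH_DIR)/talosctl $(GO)
	$(call toolchain," \
		cd $(FETCH_DIR)/talosctl && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		/home/build/$(GO) build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ $(TALOSCTL_PKG) \
	")

$(OUT_DIR)/kubectl: $(FETCH_DIR)/kubectl $(GO)
	$(call toolchain," \
		cd $(FETCH_DIR)/kubectl && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		/home/build/$(GO) build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ $(KUBECTL_PKG) \
	")

# Note: Decryption MUST reset the mod time to avoid encryption/decryption loops
# Encrypt if:
# - Both files exist, local is newer than remote
# - Only local exists
# $(1) = plaintext (local), $(2) = encrypted (committed).
# The ciphertext is written to a temp file and renamed into place: a failed
# sops run used to truncate $(2) to an empty file that was newer than $(1),
# which both hid the failure and prevented any later re-encryption.
define maybe_encrypt_secret
test \( -f $(1) -a -f $(2) -a $(1) -nt $(2) \) -o \
	\( -f $(1) -a ! -f $(2) \) && \
	$(SOPS) --encrypt $(1) > $(2).tmp && \
	mv -f $(2).tmp $(2) || \
	{ rm -f $(2).tmp; true; }
endef

# Only decrypt when local files don't exist
# Unfortunately, this means we can't decrypt if the secrets update. We can't
# do that because otherwise it creates a loop. The secrets update, therefore we
# decrypt secrets, but because the modtime of the decrypted secrets is newer
# than the encrypted secrets, we want to reencrypt encrypted secrets.
# $(1) = encrypted (committed), $(2) = plaintext (local).
# The plaintext is created under umask 077 (owner-readable only), gets its
# mtime reset while still a temp file, and is then renamed into place, so $(2)
# never exists as an empty or fresh-mtime file that maybe_encrypt_secret would
# otherwise encrypt over the real secret after a failed decrypt.
define maybe_decrypt_secret
test -f $(1) -a ! -f $(2) && \
	( umask 077 && $(SOPS) --decrypt $(1) > $(2).tmp ) && \
	touch -d 1970-01-01 $(2).tmp && \
	mv -f $(2).tmp $(2) || \
	{ rm -f $(2).tmp; true; }
endef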