From b0af29b69224c8abd3e5b9150eac24bd8ad29c35 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Tue, 21 Oct 2025 23:34:22 -0700 Subject: [PATCH] Update make commands to expect to be in shell --- Makefile | 176 +++++++++++++++++++++---------------------------------- 1 file changed, 68 insertions(+), 108 deletions(-) diff --git a/Makefile b/Makefile index 95142cf..ecc43f9 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,6 @@ MAIN_TF := $(wildcard infra/main/*.tf) ENVIRONMENT := production REGION := sfo3 ROOT_DIR := $(shell pwd) -OUT_DIGEST := out/tools-image.digest KEYS := \ 6B61ECD76088748C70590D55E90A401336C8AAA9 \ 88823A75ECAA786B0FF38B148E401478A3FBEF72 \ @@ -19,6 +18,7 @@ PLATFORM ?= linux/amd64 PROGRESS ?= auto REGISTRY ?= git.distrust.co/public VERSION := latest +SHELL=/bin/bash SOPS := sops ifeq ($(NOCACHE), 1) @@ -30,11 +30,12 @@ export NOCACHE_FLAG include $(PWD)/src/make/macros.mk +.ONESHELL: + .DEFAULT_GOAL := .PHONY: default default: \ - tools \ - apply + tofu-apply .PHONY: clean clean: @@ -43,10 +44,6 @@ clean: out: mkdir out -.PHONY: update-tools -update-tools: - ./src/make/update.sh - .PHONY: shell shell: build-tools load-tools $(call run-container, -v $${PWD}:/home/user/stack:rw, $(REGISTRY)/tools:latest, /bin/bash) 
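Review bot: `.ONESHELL:` is enabled without strict shell flags, so each recipe now runs as a single bash script whose exit status is that of its last line only; a multi-line recipe such as `tofu-plan` (decrypt, plan, re-encrypt) will report success to make even when the `tofu plan` step fails, and the re-encrypt lines run regardless. Pair the new `SHELL` setting with `.SHELLFLAGS := -eu -o pipefail -c` (GNU make ≥ 3.82, which `.ONESHELL` already requires) so that any failing line aborts the recipe; lines that are expected to fail would then need an explicit `|| true`. For consistency with the `:=` assignments used elsewhere in this file, the preceding hunk's `SHELL=/bin/bash` would read better as `SHELL := /bin/bash`.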
@@ -55,97 +52,49 @@ shell: build-tools load-tools credentials: \ $(CACHE_DIR)/secrets/credentials.tfvars -$(KEY_DIR)/%.asc: - $(call fetch_pgp_key,$(basename $(notdir $@))) +infra/backend/.terraform: $(BACKEND_TF) + sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\ + tofu -chdir=infra/backend init -upgrade && \ + tofu -chdir=infra/backend refresh \ + -var environment=$(ENVIRONMENT) \ + -var namespace=$(ENVIRONMENT) \ + -var region=$(REGION) \ + -state $(ENVIRONMENT).tfstate' -$(OUT_DIR)/website/.well-known/matrix/client \ -$(OUT_DIR)/website/.well-known/matrix/server: - mkdir -p $(OUT_DIR)/website/.well-known/matrix - cp -R \ - $(SRC_DIR)/well-known/matrix/* \ - $(OUT_DIR)/website/.well-known/matrix/ - -$(OUT_DIR)/website/.well-known/openpgpkey: - $(call toolchain," \ - sq wkd \ - generate $(OUT_DIR)/website distrust.co \ - <(cat $(patsubst %,$(KEY_DIR)/%.asc,$(KEYS))) \ - ") - -$(CACHE_DIR)/website/index.html: \ - $(CACHE_DIR)/website/.well-known/openpgpkey \ - $(CACHE_DIR)/website/.well-known/matrix/server \ - $(CACHE_DIR)/website/.well-known/matrix/client - $(call toolchain," \ - cd $(SRC_DIR)/website \ - && jekyll build \ - && cp -R _site/* /home/build/out/website/ \ - ") - -infra/backend/.terraform: out/tools-image.digest $(BACKEND_TF) - $(call run-container, \ - -v $(PWD)/secrets:/secrets \ - -v $(PWD)/infra:/infra, \ - $(shell cat out/tools-image.digest), \ - sops exec-env /secrets/$(ENVIRONMENT).enc.env -- '\ - tofu -chdir=/infra/backend init -upgrade && \ - tofu -chdir=/infra/backend refresh \ - -var environment=$(ENVIRONMENT) \ - -var namespace=$(ENVIRONMENT) \ - -var region=$(REGION) \ - -state $(ENVIRONMENT).tfstate' \ - ) - -infra/main/.terraform: out/tools-image.digest \ +infra/main/.terraform: \ config/$(ENVIRONMENT).tfbackend \ $(MAIN_TF) - $(call run-container, \ - -v $(PWD)/secrets:/secrets \ - -v $(PWD)/infra:/infra, \ - $(shell cat out/tools-image.digest), \ - sops exec-env /secrets/$(ENVIRONMENT).enc.env -- '\ - tofu -chdir=/infra/main init 
-upgrade \ - -backend-config="../../config/$(ENVIRONMENT).tfbackend" && \ - tofu -chdir=/infra/main refresh \ - -var environment=$(ENVIRONMENT) \ - -var namespace=$(ENVIRONMENT) \ - -var region=$(REGION) \ - -state $(ENVIRONMENT).tfstate' \ - ) + sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\ + tofu -chdir=infra/main init -upgrade \ + -backend-config="../../config/$(ENVIRONMENT).tfbackend" && \ + tofu -chdir=infra/main refresh \ + -var environment=$(ENVIRONMENT) \ + -var namespace=$(ENVIRONMENT) \ + -var region=$(REGION) \ + -state $(ENVIRONMENT).tfstate' -infra/backend/$(ENVIRONMENT).tfstate: out/tools-image.digest infra/backend/.terraform - $(call run-container, \ - -v $(PWD)/secrets:/secrets \ - -v $(PWD)/infra:/infra, \ - $(shell cat out/tools-image.digest), \ - sops exec-env /secrets/$(ENVIRONMENT).enc.env -- '\ - tofu -chdir=/infra/backend apply \ - -var environment=$(ENVIRONMENT) \ - -var namespace=$(ENVIRONMENT) \ - -var region=$(REGION) \ - -state $(ENVIRONMENT).tfstate' \ - ) +infra/backend/$(ENVIRONMENT).tfstate: infra/backend/.terraform + sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\ + tofu -chdir=infra/backend apply \ + -var environment=$(ENVIRONMENT) \ + -var namespace=$(ENVIRONMENT) \ + -var region=$(REGION) \ + -state $(ENVIRONMENT).tfstate' -config/$(ENVIRONMENT).tfbackend: $(OUT_DIGEST) infra/backend/$(ENVIRONMENT).tfstate - $(call run-container, \ - -v $(PWD)/secrets:/secrets \ - -v $(PWD)/infra:/infra, \ - $(shell cat $(OUT_DIGEST)), \ - sops exec-env /secrets/$(ENVIRONMENT).enc.env -- '\ - tofu -chdir=/infra/backend output \ - -state $(ENVIRONMENT).tfstate > $@ && \ - tofu -chdir=/infra/backend refresh \ - -var environment=$(ENVIRONMENT) \ - -var namespace=$(ENVIRONMENT) \ - -var region=$(REGION) \ - -state $(ENVIRONMENT).tfstate' \ - ) +config/$(ENVIRONMENT).tfbackend: infra/backend/$(ENVIRONMENT).tfstate + sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\ + tofu -chdir=infra/backend output \ + -state $(ENVIRONMENT).tfstate > $@ && \ 
+ tofu -chdir=infra/backend refresh \ + -var environment=$(ENVIRONMENT) \ + -var namespace=$(ENVIRONMENT) \ + -var region=$(REGION) \ + -state $(ENVIRONMENT).tfstate' build-%: REVISION = $(shell git rev-list -1 HEAD -- images/$*) build-%: SOURCE_DATE_EPOCH = $(shell git log -1 --format=%ct $(REVISION)) build-%: images/tools/Containerfile | out export SOURCE_DATE_EPOCH - cd images/tools $(call build-container,$*,$(VERSION),$<,$(SOURCE_DATE_EPOCH),$(REVISION)) load-%: build-% 
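Review bot: In the `config/$(ENVIRONMENT).tfbackend` rule the `tofu output ... > $@` redirect creates the target before `tofu output` has produced anything, so if that step fails (sops cannot decrypt, backend state missing) an empty or partial tfbackend is left behind that is newer than its prerequisite, and the `infra/main/.terraform` rule will then pass it to `tofu init -backend-config=`. Write to a temporary name and rename on success, `-state $(ENVIRONMENT).tfstate > $@.tmp && mv -f $@.tmp $@ && \`, or add `.DELETE_ON_ERROR:` next to `.ONESHELL:` so make removes the half-written file. Separately, these recipes now run `sops` and `tofu` from the host PATH with the decrypted environment instead of inside the pinned tools image; the commit message implies `make shell` is the intended entry point, but nothing here enforces it, so a comment on the `shell` target or a guard such as `$(if $(shell command -v tofu),,$(error tofu not found; run 'make shell' first))` would stop a `make tofu-apply` on an unprepared host from silently using whatever `tofu` happens to be installed.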
@@ -156,28 +105,31 @@ push-%: build-% load-% out/tools-image.digest: out build-tools -.PHONY: plan -plan: out/tools-image.digest - $(call run-container, \ - -v $(PWD)/secrets:/secrets -v $(PWD)/infra:/infra, \ - $(shell cat $<), \ - sops exec-env /secrets/$(ENVIRONMENT).enc.env -- \ - 'tofu -chdir=/infra/main plan \ - -var environment=$(ENVIRONMENT) \ - -var namespace=$(ENVIRONMENT) \ - -var region=$(REGION)' \ - ) +infra/main/talos: + mkdir -p $@ -.PHONY: new-apply -new-apply: out/tools-image.digest - $(call run-container,'\ - echo $$GPG_AGENT_INFO; \ - ls -l /S.gpg-agent; \ - gpg --verbose --list-keys \ - ') +infra/main/talos/%: secrets/$(ENVIRONMENT).% | infra/main/talos + $(SOPS) --decrypt $< > $@ -.PHONY: -apply: \ +.PHONY: tofu-plan +tofu-plan: infra/main/.terraform + $(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig) + $(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig) + $(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml) + $(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml) + sops exec-env secrets/$(ENVIRONMENT).enc.env -- \ + 'tofu -chdir=infra/main plan \ + -var environment=$(ENVIRONMENT) \ + -var namespace=$(ENVIRONMENT) \ + -var region=$(REGION) \ + $(EXTRA_ARGS)' + $(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig) + $(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig) + $(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml) + $(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml) + +.PHONY: tofu-apply +tofu-apply: \ $(TERRAFORM) \ $(SOPS) \ infra/main/.terraform 
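Review bot: The new pattern rule `infra/main/talos/%: secrets/$(ENVIRONMENT).%` decrypts talosconfig, kubeconfig and machine configs to plaintext with `$(SOPS) --decrypt $< > $@`; the redirect creates `$@` under the caller's umask (commonly 0644) before sops runs, and if decryption fails an empty file remains that make treats as up to date, so a consumer would see an empty kubeconfig rather than a missing one. Tighten the recipe to `umask 077; $(SOPS) --decrypt $< > $@.tmp && mv -f $@.tmp $@` so the plaintext is never world-readable and a failure leaves no target. `tofu-plan` itself goes through the `maybe_decrypt_secret`/`maybe_encrypt_secret` macros rather than this rule, so it is not visible from the hunk what consumes the pattern rule; if it is meant for manual `make infra/main/talos/kubeconfig` use, a one-line comment saying so would help.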
@@ -197,6 +149,14 @@ apply: \ $(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml) $(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml) +kustomizations/%/out.yaml: kustomizations/% + env -C kustomizations/$(TARGET) -- kustomize build --enable-alpha-plugins . > $@ + +.PHONY: k8s-apply +k8s-apply: kustomizations/$(TARGET)/out.yaml + sops exec-file --no-fifo "$${HOME}/stack/secrets/production.kubeconfig" "KUBECONFIG={} /usr/bin/kubectl apply -f $<" + rm $< + $(CACHE_DIR)/secrets: mkdir -p $@
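Review bot: In `k8s-apply` the trailing `rm $<` runs whether or not `kubectl apply` succeeded, and because `.ONESHELL:` is set without `-e` the recipe's exit status is that of `rm`, so a failed apply is reported to make as success; chain them, `... /usr/bin/kubectl apply -f $<" && rm $<`, or set `.SHELLFLAGS` with `-e`. The recipe also hardcodes `production.kubeconfig` under `$${HOME}/stack/secrets/` while every other rule in this file uses `secrets/$(ENVIRONMENT).*` relative to the repo, so `make k8s-apply ENVIRONMENT=staging` would still target the production cluster; `secrets/$(ENVIRONMENT).kubeconfig` keeps the rules consistent. `--no-fifo` makes sops hold the decrypted kubeconfig in a regular temporary file rather than a FIFO, which is presumably required by kubectl but widens the window in which the plaintext sits on disk, and deserves a one-line comment. The pattern rule `kustomizations/%/out.yaml` uses `$(TARGET)` in its recipe instead of `$*`, so the matched stem is ignored and an unset TARGET yields `kustomizations//out.yaml`.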