Update make commands to expect to be in shell

Makefile

@@ -6,7 +6,6 @@ MAIN_TF := $(wildcard infra/main/*.tf)
 ENVIRONMENT := production
 REGION := sfo3
 ROOT_DIR := $(shell pwd)
-OUT_DIGEST := out/tools-image.digest
 KEYS := \
 	6B61ECD76088748C70590D55E90A401336C8AAA9 \
 	88823A75ECAA786B0FF38B148E401478A3FBEF72 \
@@ -19,6 +18,7 @@ PLATFORM ?= linux/amd64
 PROGRESS ?= auto
 REGISTRY ?= git.distrust.co/public
 VERSION := latest
+SHELL=/bin/bash
 SOPS := sops
 
 ifeq ($(NOCACHE), 1)
@@ -30,11 +30,12 @@ export NOCACHE_FLAG
 
 include $(PWD)/src/make/macros.mk
 
+.ONESHELL:
+
 .DEFAULT_GOAL :=
 .PHONY: default
 default: \
-	tools \
+	tofu-apply
-	apply
 
 .PHONY: clean
 clean:
@@ -43,10 +44,6 @@ clean:
 out:
 	mkdir out
 
-.PHONY: update-tools
-update-tools:
-	./src/make/update.sh
-
 .PHONY: shell
 shell: build-tools load-tools
 	$(call run-container, -v $${PWD}:/home/user/stack:rw, $(REGISTRY)/tools:latest, /bin/bash)
@@ -55,97 +52,49 @@ shell: build-tools load-tools
 credentials: \
 	$(CACHE_DIR)/secrets/credentials.tfvars
 
-$(KEY_DIR)/%.asc:
+infra/backend/.terraform: $(BACKEND_TF)
-	$(call fetch_pgp_key,$(basename $(notdir $@)))
+	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
+		tofu -chdir=infra/backend init -upgrade && \
+		tofu -chdir=infra/backend refresh \
+			-var environment=$(ENVIRONMENT) \
+			-var namespace=$(ENVIRONMENT) \
+			-var region=$(REGION) \
+			-state $(ENVIRONMENT).tfstate'
 
-$(OUT_DIR)/website/.well-known/matrix/client \
+infra/main/.terraform: \
-$(OUT_DIR)/website/.well-known/matrix/server:
-	mkdir -p $(OUT_DIR)/website/.well-known/matrix
-	cp -R \
-		$(SRC_DIR)/well-known/matrix/* \
-		$(OUT_DIR)/website/.well-known/matrix/
-
-$(OUT_DIR)/website/.well-known/openpgpkey:
-	$(call toolchain," \
-		sq wkd \
-			generate $(OUT_DIR)/website distrust.co \
-			<(cat $(patsubst %,$(KEY_DIR)/%.asc,$(KEYS))) \
-	")
-
-$(CACHE_DIR)/website/index.html: \
-	$(CACHE_DIR)/website/.well-known/openpgpkey \
-	$(CACHE_DIR)/website/.well-known/matrix/server \
-	$(CACHE_DIR)/website/.well-known/matrix/client
-	$(call toolchain," \
-		cd $(SRC_DIR)/website \
-		&& jekyll build \
-		&& cp -R _site/* /home/build/out/website/ \
-	")
-
-infra/backend/.terraform: out/tools-image.digest $(BACKEND_TF)
-	$(call run-container, \
-		-v $(PWD)/secrets:/secrets \
-		-v $(PWD)/infra:/infra, \
-		$(shell cat out/tools-image.digest), \
-		sops exec-env /secrets/$(ENVIRONMENT).enc.env -- '\
-			tofu -chdir=/infra/backend init -upgrade && \
-			tofu -chdir=/infra/backend refresh \
-				-var environment=$(ENVIRONMENT) \
-				-var namespace=$(ENVIRONMENT) \
-				-var region=$(REGION) \
-				-state $(ENVIRONMENT).tfstate' \
-	)
-
-infra/main/.terraform: out/tools-image.digest \
                        config/$(ENVIRONMENT).tfbackend \
                        $(MAIN_TF)
-	$(call run-container, \
+	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
-		-v $(PWD)/secrets:/secrets \
+		tofu -chdir=infra/main init -upgrade \
-		-v $(PWD)/infra:/infra, \
+			-backend-config="../../config/$(ENVIRONMENT).tfbackend" && \
-		$(shell cat out/tools-image.digest), \
+		tofu -chdir=infra/main refresh \
-		sops exec-env /secrets/$(ENVIRONMENT).enc.env -- '\
+			-var environment=$(ENVIRONMENT) \
-			tofu -chdir=/infra/main init -upgrade \
+			-var namespace=$(ENVIRONMENT) \
-				-backend-config="../../config/$(ENVIRONMENT).tfbackend" && \
+			-var region=$(REGION) \
-			tofu -chdir=/infra/main refresh \
+			-state $(ENVIRONMENT).tfstate'
-				-var environment=$(ENVIRONMENT) \
-				-var namespace=$(ENVIRONMENT) \
-				-var region=$(REGION) \
-				-state $(ENVIRONMENT).tfstate' \
-	)
 
-infra/backend/$(ENVIRONMENT).tfstate: out/tools-image.digest infra/backend/.terraform
+infra/backend/$(ENVIRONMENT).tfstate: infra/backend/.terraform
-	$(call run-container, \
+	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
-		-v $(PWD)/secrets:/secrets \
+		tofu -chdir=infra/backend apply \
-		-v $(PWD)/infra:/infra, \
+			-var environment=$(ENVIRONMENT) \
-		$(shell cat out/tools-image.digest), \
+			-var namespace=$(ENVIRONMENT) \
-		sops exec-env /secrets/$(ENVIRONMENT).enc.env -- '\
+			-var region=$(REGION) \
-			tofu -chdir=/infra/backend apply \
+			-state $(ENVIRONMENT).tfstate'
-				-var environment=$(ENVIRONMENT) \
-				-var namespace=$(ENVIRONMENT) \
-				-var region=$(REGION) \
-				-state $(ENVIRONMENT).tfstate' \
-	)
 
-config/$(ENVIRONMENT).tfbackend: $(OUT_DIGEST) infra/backend/$(ENVIRONMENT).tfstate
+config/$(ENVIRONMENT).tfbackend: infra/backend/$(ENVIRONMENT).tfstate
-	$(call run-container, \
+	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
-		-v $(PWD)/secrets:/secrets \
+		tofu -chdir=infra/backend output \
-		-v $(PWD)/infra:/infra, \
+			-state $(ENVIRONMENT).tfstate > $@ && \
-		$(shell cat $(OUT_DIGEST)), \
+		tofu -chdir=infra/backend refresh \
-		sops exec-env /secrets/$(ENVIRONMENT).enc.env -- '\
+			-var environment=$(ENVIRONMENT) \
-			tofu -chdir=/infra/backend output \
+			-var namespace=$(ENVIRONMENT) \
-				-state $(ENVIRONMENT).tfstate > $@ && \
+			-var region=$(REGION) \
-			tofu -chdir=/infra/backend refresh \
+			-state $(ENVIRONMENT).tfstate'
-				-var environment=$(ENVIRONMENT) \
-				-var namespace=$(ENVIRONMENT) \
-				-var region=$(REGION) \
-				-state $(ENVIRONMENT).tfstate' \
-	)
 
 build-%: REVISION = $(shell git rev-list -1 HEAD -- images/$*)
 build-%: SOURCE_DATE_EPOCH = $(shell git log -1 --format=%ct $(REVISION))
 build-%: images/tools/Containerfile | out
 	export SOURCE_DATE_EPOCH
-	cd images/tools
 	$(call build-container,$*,$(VERSION),$<,$(SOURCE_DATE_EPOCH),$(REVISION))
 
 load-%: build-%
@@ -156,28 +105,31 @@ push-%: build-% load-%
 
 out/tools-image.digest: out build-tools
 
-.PHONY: plan
+infra/main/talos:
-plan: out/tools-image.digest
+	mkdir -p $@
-	$(call run-container, \
-		-v $(PWD)/secrets:/secrets -v $(PWD)/infra:/infra, \
-		$(shell cat $<), \
-		sops exec-env /secrets/$(ENVIRONMENT).enc.env -- \
-		'tofu -chdir=/infra/main plan \
-			-var environment=$(ENVIRONMENT) \
-			-var namespace=$(ENVIRONMENT) \
-			-var region=$(REGION)' \
-	)
 
-.PHONY: new-apply
+infra/main/talos/%: secrets/$(ENVIRONMENT).% | infra/main/talos
-new-apply: out/tools-image.digest 
+	$(SOPS) --decrypt $< > $@
-	$(call run-container,'\
-		echo $$GPG_AGENT_INFO; \
-		ls -l /S.gpg-agent; \
-		gpg --verbose --list-keys \
-	')
 
-.PHONY:
+.PHONY: tofu-plan
-apply: \
+tofu-plan: infra/main/.terraform
+	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
+	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
+	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
+	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
+	sops exec-env secrets/$(ENVIRONMENT).enc.env -- \
+	'tofu -chdir=infra/main plan \
+		-var environment=$(ENVIRONMENT) \
+		-var namespace=$(ENVIRONMENT) \
+		-var region=$(REGION) \
+		$(EXTRA_ARGS)'
+	$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
+	$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
+	$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
+	$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)
+
+.PHONY: tofu-apply
+tofu-apply: \
 	$(TERRAFORM) \
 	$(SOPS) \
 	infra/main/.terraform
@@ -197,6 +149,14 @@ apply: \
 	$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
 	$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)
 
+kustomizations/%/out.yaml: kustomizations/%
+	env -C kustomizations/$(TARGET) -- kustomize build --enable-alpha-plugins . > $@ 
+
+.PHONY: k8s-apply
+k8s-apply: kustomizations/$(TARGET)/out.yaml
+	sops exec-file --no-fifo "$${HOME}/stack/secrets/production.kubeconfig" "KUBECONFIG={} /usr/bin/kubectl apply -f $<"
+	rm $< 
+
 $(CACHE_DIR)/secrets:
 	mkdir -p $@