ryansquared/use-stagex-bins #10
|
|
@ -0,0 +1 @@
|
|||
*
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
# Tools used for managing the stagex stack
|
||||
|
||||
FROM stagex/core-busybox@sha256:cac5d773db1c69b832d022c469ccf5f52daf223b91166e6866d42d6983a3b374 AS core-busybox
|
||||
FROM stagex/core-musl@sha256:d5f86324920cfc7fc34f0163502784b73161543ba0a312030a3ddff3ef8ab2f8 AS core-musl
|
||||
FROM stagex/core-ca-certificates@sha256:d6fca6c0080e8e5360cd85fc1c4bd3eab71ce626f40602e38488bfd61fd3e89d AS core-ca-certificates
|
||||
FROM stagex/core-zlib@sha256:b35b643642153b1620093cfe2963f5fa8e4d194fb2344a5786da5717018976c2 AS core-zlib
|
||||
FROM stagex/user-gpg@sha256:92946bb4143ecbd53999cd520fbcb958aecacbac7a85bd58a758be1b57086a9c AS user-gpg
|
||||
FROM stagex/user-npth@sha256:6ac9a90ca714ba01911c1f617553a5b23b96e9e37ec4a21e5ba132c4886a70e9 AS user-npth
|
||||
FROM stagex/user-libksba@sha256:c165fb5b7949473cb00b0fe59add90663346b33c6c682309ca0fcccdcf78d569 AS user-libksba
|
||||
FROM stagex/user-libgpg-error@sha256:6d7c09e3a7d055a6722910439c533f2babc8eda24b636bf4dfb2b29a3ed6327a AS user-libgpg-error
|
||||
FROM stagex/user-libassuan@sha256:dea35799659be7b85e523312c55621007b1918ff3590631155ecf2c699ca470f AS user-libassuan
|
||||
FROM stagex/user-libgcrypt@sha256:384f0e703afad6f8885ec77fb814ef182a08600a2032183d231fee5c048a7d2d AS user-libgcrypt
|
||||
FROM stagex/user-opentofu@sha256:b5053a5966f7ec06ea894db315c4990b73e8bee69798889de747e9a99c32b041 AS user-opentofu
|
||||
FROM stagex/user-sops@sha256:72b09ff439f422889af815f19a223b48b3b3fd0701d312a413069cbabcad7a12 AS user-sops
|
||||
FROM stagex/user-talosctl@sha256:23ff2d686a0c251db4f8a8f07e9b18c81c64eaa07da97de5a75fccbea3e595c4 AS user-talosctl
|
||||
FROM stagex/user-kubectl@sha256:6df028ecb71097c182276cad295f7a68a28f2c8d7fc82ea47fb22a451b11a4ff AS user-kubectl
|
||||
FROM stagex/user-kustomize@sha256:9886d6c855f763398a8bf52cd16e07f78cb8dab75396903645612e9cd4094cfa AS user-kustomize
|
||||
FROM stagex/user-kustomize-sops@sha256:25040e0adf7dc6806da9996a252dbf7f8f5bb4f0b9a9dd1835035eeaea3861d9 AS user-kustomize-sops
|
||||
FROM stagex/user-helm@sha256:e7d2e13db8483f5356b96337308edbd5a0e602cc76c4c5ea5ed730ae6d2b2dcc AS user-helm
|
||||
FROM stagex/user-k9s@sha256:eff325c4d000358b2f6ed0f63d61fcea8f98c081395437d0003e7429e0c334b4 AS user-k9s
|
||||
|
||||
FROM scratch
|
||||
COPY --from=core-busybox . /
|
||||
COPY --from=core-musl . /
|
||||
COPY --from=core-ca-certificates . /
|
||||
COPY --from=core-zlib . /
|
||||
COPY --from=user-npth . /
|
||||
COPY --from=user-libksba . /
|
||||
COPY --from=user-libgpg-error . /
|
||||
COPY --from=user-libassuan . /
|
||||
COPY --from=user-libgcrypt . /
|
||||
COPY --from=user-gpg . /
|
||||
COPY --from=user-opentofu . /
|
||||
COPY --from=user-sops . /
|
||||
COPY --from=user-talosctl . /
|
||||
COPY --from=user-kubectl . /
|
||||
COPY --from=user-kustomize . /
|
||||
COPY --from=user-kustomize-sops . /
|
||||
COPY --from=user-sops . /
|
||||
COPY --from=user-helm . /
|
||||
COPY --from=user-k9s . /
|
||||
|
||||
RUN mkdir -p /root/.gnupg
|
||||
RUN chmod 0700 /root/.gnupg
|
||||
|
||||
ENTRYPOINT ["/bin/sh"]
|
||||
48
Makefile
48
Makefile
|
|
@ -1,5 +1,5 @@
|
|||
include $(PWD)/src/toolchain/Makefile
|
||||
include $(PWD)/src/make/tools.mk
|
||||
# If using QubesOS, the smart card must be connected directly to the qube,
|
||||
# rather than using a 'vault' qube.
|
||||
|
||||
BACKEND_TF := $(wildcard infra/backend/*.tf)
|
||||
MAIN_TF := $(wildcard infra/main/*.tf)
|
||||
|
|
@ -24,25 +24,22 @@ default: \
|
|||
tools \
|
||||
apply
|
||||
|
||||
.PHONY:
|
||||
.PHONY: clean
|
||||
clean:
|
||||
rm -rf $(CACHE_DIR)
|
||||
|
||||
.PHONY:
|
||||
.PHONY: update-tools
|
||||
update-tools:
|
||||
./src/make/update.sh
|
||||
|
||||
.PHONY: shell
|
||||
shell: out/tools-image.digest
|
||||
$(call run-container, -v ./secrets:/secrets, $(shell cat $<))
|
||||
|
||||
.PHONY: credentials
|
||||
credentials: \
|
||||
$(CACHE_DIR)/secrets/credentials.tfvars
|
||||
|
||||
.PHONY:
|
||||
shell: toolchain tools
|
||||
$(call toolchain," \
|
||||
HOST_OS=linux \
|
||||
HOST_ARCH=x86_64 \
|
||||
PREFIX=.local \
|
||||
XDG_CONFIG_HOME=/home/build/.config \
|
||||
make -f src/make/tools.mk tools-install \
|
||||
&& PS1='build@distrust-stack\\$$ ' bash --norc \
|
||||
",--interactive)
|
||||
|
||||
$(KEY_DIR)/%.asc:
|
||||
$(call fetch_pgp_key,$(basename $(notdir $@)))
|
||||
|
||||
|
|
@ -133,6 +130,27 @@ config/$(ENVIRONMENT).tfbackend: | \
|
|||
-state $(ENVIRONMENT).tfstate \
|
||||
'
|
||||
|
||||
out/tools-image.digest: Containerfile.tools | out
|
||||
docker build -f Containerfile.tools -q . > $@
|
||||
|
||||
GPG_TTY ?= $(shell tty)
|
||||
|
||||
define run-container
|
||||
docker run -it $(1) \
|
||||
-e GPG_TTY="$(GPG_TTY)" \
|
||||
-v $(shell gpgconf --list-dirs agent-socket):/root/.gnupg/S.gpg-agent:ro \
|
||||
-v $(shell gpgconf --list-dirs homedir):/root/.gnupg:rw \
|
||||
$(2)
|
||||
endef
|
||||
|
||||
.PHONY: new-apply
|
||||
new-apply: out/tools-image.digest
|
||||
$(call run-container,'\
|
||||
echo $$GPG_AGENT_INFO; \
|
||||
ls -l /S.gpg-agent; \
|
||||
gpg --verbose --list-keys \
|
||||
')
|
||||
|
||||
.PHONY:
|
||||
apply: \
|
||||
$(TERRAFORM) \
|
||||
|
|
|
|||
|
|
@ -125,7 +125,10 @@ locals {
|
|||
# `jq .database_users.value.forgejo | sops --encrypt`
|
||||
output "database_users" {
|
||||
value = {
|
||||
for db_user in concat(module.digitalocean_database_cluster.database_users, module.digitalocean_mysql_database_cluster.database_users):
|
||||
for db_user in concat(
|
||||
values(module.digitalocean_database_cluster.database_users),
|
||||
values(module.digitalocean_mysql_database_cluster.database_users),
|
||||
):
|
||||
db_user.name => {
|
||||
apiVersion = "v1",
|
||||
kind = "Secret",
|
||||
|
|
|
|||
|
|
@ -0,0 +1,69 @@
|
|||
#!/bin/sh
|
||||
|
||||
TARGET="Containerfile.tools"
|
||||
SOURCE="https://codeberg.org/stagex/stagex/raw/branch/main/digests"
|
||||
STAGES="core user pallet bootstrap"
|
||||
|
||||
TMPFILE="$(mktemp)"
|
||||
DIGESTS_TMP="$(mktemp)"
|
||||
|
||||
for stage in $STAGES; do
|
||||
curl -fsSL "$SOURCE/$stage.txt" | while read -r digest name; do
|
||||
echo "$name $digest" >> "$DIGESTS_TMP"
|
||||
done
|
||||
done
|
||||
|
||||
while IFS= read -r line; do
|
||||
case "$line" in
|
||||
FROM*stagex/*)
|
||||
full_image="$(printf '%s' "$line" | awk '{print $2}')"
|
||||
base="${full_image%@sha256:*}"
|
||||
prefix="${base%%stagex/*}"
|
||||
registry="${prefix%/}"
|
||||
path="stagex/${base#*stagex/}"
|
||||
|
||||
rest="${path#stagex/}"
|
||||
if echo "$rest" | grep -q ':'; then
|
||||
name="${rest%%:*}"
|
||||
tag="${rest#*:}"
|
||||
else
|
||||
name="$rest"
|
||||
tag=""
|
||||
fi
|
||||
|
||||
digest="$(awk -v n="$name" '$1==n{print $2; exit}' "$DIGESTS_TMP")"
|
||||
if [ -z "$digest" ]; then
|
||||
for stage in $STAGES; do
|
||||
staged_name="$stage-$name"
|
||||
digest="$(awk -v n="$staged_name" '$1==n{print $2; exit}' "$DIGESTS_TMP")"
|
||||
if [ -n "$digest" ]; then
|
||||
name="$staged_name"
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -n "$digest" ]; then
|
||||
if [ -n "$registry" ]; then
|
||||
image_ref="$registry/stagex/$name"
|
||||
else
|
||||
image_ref="stagex/$name"
|
||||
fi
|
||||
|
||||
if [ -n "$tag" ]; then
|
||||
image_ref="$image_ref:$tag"
|
||||
fi
|
||||
|
||||
echo "FROM $image_ref@sha256:$digest AS $name" >> "$TMPFILE"
|
||||
else
|
||||
echo "$line" >> "$TMPFILE"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
echo "$line" >> "$TMPFILE"
|
||||
;;
|
||||
esac
|
||||
done < "$TARGET"
|
||||
|
||||
mv "$TMPFILE" "$TARGET"
|
||||
rm -f "$DIGESTS_TMP"
|
||||
Loading…
Reference in New Issue