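# If using QubesOS, the smart card (used for the sops/gpg decryption of
# secrets/) must be attached directly to the qube that runs `make`; going
# through a separate 'vault' qube does not work with this flow.
#
# Layout (all paths are relative to the repository root, which is also the
# directory `make` must be invoked from):
#   secrets/<env>.enc.env      sops-encrypted environment for tofu (providers)
#   secrets/<env>.<name>       sops-encrypted Talos / kubernetes credentials
#   infra/backend/             tofu config bootstrapping the remote state backend
#   infra/main/                tofu config for the cluster itself
#   config/<env>.tfbackend     generated backend config consumed by infra/main
#   images/tools/              Containerfile for the reproducible tools image

BACKEND_TF := $(wildcard infra/backend/*.tf)
MAIN_TF    := $(wildcard infra/main/*.tf)

# Deliberately simple assignments: only an explicit `make ENVIRONMENT=...`
# on the command line selects another environment, never a stray environment
# variable.  Note that the default goal applies to *production*.
ENVIRONMENT := production
REGION      := sfo3
EXTRA_ARGS  :=

# gpg needs the terminal name to drive pinentry for the smart card.  A plain
# `GPG_TTY ?= $(shell tty)` is not enough: a value that did not come from the
# environment is invisible to the recipes' subprocesses unless exported.
# `tty -s && tty` yields an empty value instead of the literal "not a tty"
# when stdin is not a terminal (CI), in which case nothing is exported.
ifeq ($(origin GPG_TTY),undefined)
GPG_TTY := $(shell tty -s && tty)
endif
ifneq ($(strip $(GPG_TTY)),)
export GPG_TTY
endif

PLATFORM ?= linux/amd64
PROGRESS ?= auto
REGISTRY ?= git.distrust.co/public
# Mutable tag.  push-% publishes under this tag; anything that cares about
# supply-chain integrity should pin the digest written to out/ instead.
VERSION  := latest

SHELL := /bin/bash
# Every recipe runs as ONE bash script (.ONESHELL).  Without -e a failure in
# an earlier line (e.g. `tofu apply`) is masked by a later one and make exits
# 0; with -e the first failing command fails the target.
.SHELLFLAGS := -ec
.ONESHELL:

ifeq ($(strip $(NOCACHE)),1)
NOCACHE_FLAG := --no-cache
else
NOCACHE_FLAG :=
endif
export NOCACHE_FLAG

# Provides run-container, build-container, import-container,
# maybe_encrypt_secret and (presumably) CACHE_DIR.  $(CURDIR) rather than
# $(PWD): PWD is inherited from the caller's environment and is wrong (or
# unset) under `make -C` and in non-interactive contexts.
include $(CURDIR)/src/make/macros.mk

# Plaintext Talos / kubernetes credentials under infra/main/talos that are
# round-tripped through sops into secrets/$(ENVIRONMENT).<basename>.
TALOS_SECRETS := \
	infra/main/talos/controlplane.yaml \
	infra/main/talos/worker.yaml \
	infra/main/talos/kubeconfig \
	infra/main/talos/talosconfig

# Variables passed to every tofu command.  Expanded once; command-line
# overrides of ENVIRONMENT/REGION are already in effect at this point.
tofu_vars := \
	-var environment=$(ENVIRONMENT) \
	-var namespace=$(ENVIRONMENT) \
	-var region=$(REGION)

# Canned recipe: re-encrypt every Talos secret whose plaintext changed
# (maybe_encrypt_secret comes from macros.mk; one call per recipe line).
define encrypt-talos-secrets
$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)
endef

# A bare `make` runs tofu-apply against $(ENVIRONMENT) (production unless
# overridden).  tofu apply itself still asks for interactive confirmation.
.DEFAULT_GOAL := default
.PHONY: default
default: tofu-apply

.PHONY: clean
clean:
	$(if $(strip $(CACHE_DIR)),,$(error CACHE_DIR is empty; refusing to run rm -rf))
	rm -rf $(CACHE_DIR)

out:
	mkdir -p $@

# Interactive shell inside the tools image with the checkout mounted rw.
.PHONY: shell
shell: build-tools load-tools
	$(call run-container, -v $${PWD}:/home/user/stack:rw, $(REGISTRY)/tools:latest, /bin/bash)

# --- remote state backend (bootstrapped from a *local* state file) -----------
# infra/backend/$(ENVIRONMENT).tfstate records whatever the backend module
# creates (likely credentials for the state bucket): keep it out of version
# control and treat it as a secret.  make never deletes it.
infra/backend/.terraform: $(BACKEND_TF)
	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
	tofu -chdir=infra/backend init -upgrade && \
	tofu -chdir=infra/backend refresh $(tofu_vars) -state $(ENVIRONMENT).tfstate'

infra/main/.terraform: config/$(ENVIRONMENT).tfbackend $(MAIN_TF) $(TALOS_SECRETS)
	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
	tofu -chdir=infra/main init -upgrade \
	-backend-config="../../config/$(ENVIRONMENT).tfbackend" && \
	tofu -chdir=infra/main refresh $(tofu_vars) -state $(ENVIRONMENT).tfstate'

infra/backend/$(ENVIRONMENT).tfstate: infra/backend/.terraform
	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
	tofu -chdir=infra/backend apply $(tofu_vars) -state $(ENVIRONMENT).tfstate'

# Backend config for infra/main is derived from the backend module's outputs.
# Written through a temp file so a failed `tofu output` cannot leave an empty
# config behind that make would then consider up to date.  If any of those
# outputs is a credential this file holds it in plaintext -- confirm it is
# ignored by version control.
config/$(ENVIRONMENT).tfbackend: infra/backend/$(ENVIRONMENT).tfstate
	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
	tofu -chdir=infra/backend output -state $(ENVIRONMENT).tfstate > $@.tmp && \
	mv -f $@.tmp $@ && \
	tofu -chdir=infra/backend refresh $(tofu_vars) -state $(ENVIRONMENT).tfstate'

# --- container images ---------------------------------------------------------
# REVISION / SOURCE_DATE_EPOCH are target-specific and recursive on purpose:
# they depend on the stem ($*) and are evaluated per image.  SOURCE_DATE_EPOCH
# is exported so the build environment sees the same pin the macro receives.
build-%: REVISION = $(shell git rev-list -1 HEAD -- images/$*)
build-%: SOURCE_DATE_EPOCH = $(shell git log -1 --format=%ct $(REVISION))
export SOURCE_DATE_EPOCH
# NOTE(review): every build-<name> uses images/tools/Containerfile while
# REVISION is taken from images/<name>.  Only build-tools is used here; if
# more images are added this should become images/%/Containerfile -- confirm
# against build-container in macros.mk before changing it.
build-%: images/tools/Containerfile | out
	$(call build-container,$*,$(VERSION),$<,$(SOURCE_DATE_EPOCH),$(REVISION))

load-%: build-%
	$(call import-container,$*)

# Publishes the mutable $(VERSION) tag; see the note on VERSION above.
push-%: build-% load-%
	docker push $(REGISTRY)/$*:$(VERSION)

# The digest file is produced as part of build-tools; `out` is order-only so
# the directory's mtime cannot trigger spurious rebuilds.
out/tools-image.digest: build-tools | out

# --- Talos / kubernetes secrets round-trip -----------------------------------
# The two pattern rules below are intentionally circular (make drops the
# cycle): plaintext under infra/main/talos/ is rebuilt from the encrypted copy
# in secrets/ and vice-versa, whichever side is newer.  `touch -r` pins both
# sides to the same mtime so an untouched pair never rebuilds.  `|| true`
# keeps the chain going when one side does not exist yet (presumably the
# first run, before tofu apply has produced the plaintext); the trade-off is
# that a failed sops call is not reported and may leave an empty file -- if
# tofu complains about an empty Talos config, check these files first.
infra/main/talos:
	mkdir -p $@

infra/main/talos/%: secrets/$(ENVIRONMENT).% | infra/main/talos
	sops --decrypt $< > $@ && \
	touch -r $< $@ || true

secrets/$(ENVIRONMENT).%: infra/main/talos/%
	sops --encrypt $< > $@ && \
	touch -r $< $@ || true

# --- tofu plan / apply ---------------------------------------------------------
# Provider credentials come from the sops-encrypted env file and only ever
# exist in the tofu process environment.  The Talos secrets are re-encrypted
# even when tofu fails (a partial apply may still have rewritten them), and
# tofu's exit status is what make reports.
.PHONY: tofu-plan
tofu-plan: infra/main/.terraform $(TALOS_SECRETS)
	status=0
	sops exec-env secrets/$(ENVIRONMENT).enc.env -- \
	'tofu -chdir=infra/main plan $(tofu_vars) $(EXTRA_ARGS)' || status=$$?
	$(encrypt-talos-secrets)
	exit $$status

.PHONY: tofu-apply
tofu-apply: infra/main/.terraform
	status=0
	sops exec-env secrets/$(ENVIRONMENT).enc.env -- \
	'tofu -chdir=infra/main apply $(tofu_vars) $(EXTRA_ARGS)' || status=$$?
	$(encrypt-talos-secrets)
	exit $$status

# --- kubernetes ---------------------------------------------------------------
# --enable-alpha-plugins lets kustomize execute plugins referenced by the
# kustomization (presumably a sops generator) -- review what a kustomization
# pulls in before applying it to production.  The directory is the only
# prerequisite, so edits inside it do not retrigger the build by themselves;
# k8s-apply removes out.yaml after use, so it is regenerated every run anyway.
# The stem ($*), not $(TARGET), selects the directory so the rule also works
# when the out.yaml path is requested directly.
kustomizations/%/out.yaml: kustomizations/%
	(cd kustomizations/$* && kustomize build --enable-alpha-plugins .) > $@.tmp && \
	mv -f $@.tmp $@

ifneq ($(filter k8s-apply,$(MAKECMDGOALS)),)
ifeq ($(strip $(TARGET)),)
$(error TARGET=<directory under kustomizations/> is required for k8s-apply)
endif
endif

# The kubeconfig is decrypted into a temporary *file* (--no-fifo), i.e. it
# exists in plaintext on disk for the lifetime of the kubectl call
# (presumably because kubectl opens KUBECONFIG more than once, which a FIFO
# cannot serve).  The kubeconfig is the one for $(ENVIRONMENT) in this
# checkout rather than a fixed $HOME/stack path.  The rendered manifest is
# removed whether or not apply succeeds; apply's exit status is preserved.
.PHONY: k8s-apply
k8s-apply: kustomizations/$(TARGET)/out.yaml
	status=0
	sops exec-file --no-fifo "$(CURDIR)/secrets/$(ENVIRONMENT).kubeconfig" \
		"KUBECONFIG={} /usr/bin/kubectl apply -f $<" || status=$$?
	rm -f $<
	exit $$status

$(CACHE_DIR)/secrets:
	mkdir -p $@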