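# Shared toolchain definitions.  Everything used below but not defined here
# (OUT_DIR, CACHE_DIR, KEY_DIR, FETCH_DIR, the `toolchain`, `git_clone` and
# `fetch_pgp_key` macros, the *_REPO/*_REF/*_PKG pins and the `toolchain`
# target) is expected to come from this file.
# $(CURDIR) is the directory make itself is running in; $(PWD) is only an
# inherited environment variable, stale under `make -C` and unset in some
# non-interactive shells.
include $(CURDIR)/src/toolchain/Makefile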

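# Terraform sources of the two stacks, globbed once (:=) so the glob is not
# re-evaluated on every expansion.
BACKEND_TF := $(wildcard infra/backend/*.tf)
MAIN_TF := $(wildcard infra/main/*.tf)
# Target environment and region.  Override on the command line
# (`make ENVIRONMENT=...`); ENVIRONMENT also selects secrets/<env>.enc.env,
# config/<env>.tfbackend and infra/backend/<env>.tfstate below.
ENVIRONMENT := production
REGION := sfo3
# $(CURDIR) is make's own working directory: no shell fork, and correct
# under `make -C`.
ROOT_DIR := $(CURDIR)
# Absolute paths of the locally built tools (see the $(OUT_DIR)/terraform and
# $(OUT_DIR)/sops rules below; `out` is assumed to be $(OUT_DIR) — confirm in
# the toolchain Makefile).
TERRAFORM := $(ROOT_DIR)/out/terraform
SOPS := $(ROOT_DIR)/out/sops
# PGP key fingerprints fetched into $(KEY_DIR) and published via WKD.
KEYS := \
	6B61ECD76088748C70590D55E90A401336C8AAA9 \
	88823A75ECAA786B0FF38B148E401478A3FBEF72 \
	3D7C8D39E8C4DF771583D3F0A8A091FD346001CA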

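# Name the default goal explicitly.  The include above is parsed first, so any
# target it defines would otherwise be chosen as the default; the original
# `.DEFAULT_GOAL :=` reset relied on `default` being the next target parsed.
.DEFAULT_GOAL := default
.PHONY: default
# NOTE: a bare `make` ends in `apply`, i.e. a terraform apply against
# $(ENVIRONMENT); use an explicit goal when that is not intended.
default: \
	toolchain \
	$(patsubst %,$(KEY_DIR)/%.asc,$(KEYS)) \
	$(OUT_DIR)/website/.well-known/openpgpkey \
	apply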

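# `.PHONY:` with no targets declared nothing, so a file named `clean` would
# have masked this target; declare it properly.
.PHONY: clean
# Remove the build cache.  CACHE_DIR comes from the toolchain Makefile; refuse
# to run when it expands to nothing rather than hand `rm -rf` an empty path.
clean:
	rm -rf $(if $(strip $(CACHE_DIR)),$(CACHE_DIR),$(error CACHE_DIR is empty, refusing to run rm -rf))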

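# `.PHONY:` with no targets declared nothing; declare `credentials` properly.
.PHONY: credentials
# Provision the terraform credentials file, which lives in the (uncommitted)
# cache directory.  The rule producing it is not defined in this file.
credentials: \
	$(CACHE_DIR)/secrets/credentials.tfvars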

# Fetch one published PGP key.  The pattern stem ($*) is the fingerprint,
# since every target of this rule comes from $(KEYS).  The rule has no
# prerequisites, so an already-fetched .asc is never refreshed.
$(KEY_DIR)/%.asc:
	$(call fetch_pgp_key,$*)

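# Generate the WKD directory for distrust.co from all fetched keys.  The key
# files are real prerequisites: the recipe reads every one of them, so this
# makes the WKD rebuild when a key changes and fixes the ordering under
# `make -j` (previously `default` only listed the keys as sibling targets).
# The target is a directory, so its mtime tracks entry changes only.
$(OUT_DIR)/website/.well-known/openpgpkey: $(patsubst %,$(KEY_DIR)/%.asc,$(KEYS))
	$(call toolchain," \
		sq wkd \
			generate $(OUT_DIR)/website distrust.co \
			<(cat $^) \
	")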

# Build the Jekyll site into $(OUT_DIR)/website on top of the WKD tree.
# The copy destination is the container-side path /home/build/out/website/,
# not $(OUT_DIR) — presumably the toolchain mounts the repo at /home/build and
# OUT_DIR is `out`; confirm in the toolchain Makefile.  Note the rule does not
# depend on the site sources under $(SRC_DIR)/website, so an existing
# index.html is not rebuilt when they change.
$(OUT_DIR)/website/index.html: \
	$(OUT_DIR)/website/.well-known/openpgpkey
	$(call toolchain," \
		cd $(SRC_DIR)/website \
		&& jekyll build \
		&& cp -R _site/* /home/build/out/website/ \
	")

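# Initialise the backend stack (providers/modules into infra/backend/.terraform).
# `sops exec-env` decrypts the environment file and runs terraform with its
# contents in the environment, so sops and the encrypted env file are real
# inputs of this recipe; both were missing from the prerequisite list (sops is
# listed for the tfstate rule below).  The target is a directory, so its mtime
# tracks entry changes only.
infra/backend/.terraform: \
	$(OUT_DIR)/terraform \
	$(OUT_DIR)/sops \
	secrets/$(ENVIRONMENT).enc.env \
	$(BACKEND_TF)
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/backend $(TERRAFORM) init -upgrade \
		'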

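# Initialise the main stack against the remote backend described by the
# generated config/<env>.tfbackend.  The prerequisites are order-only as the
# author wrote them: they must exist, but a newer .tf file or tfbackend does
# not re-run init (confirm that is intended; the backend rule above uses
# normal prerequisites).  sops is added because the recipe runs it.
infra/main/.terraform: | \
	$(OUT_DIR)/terraform \
	$(OUT_DIR)/sops \
	config/$(ENVIRONMENT).tfbackend \
	$(MAIN_TF)
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/main $(TERRAFORM) init -upgrade \
		-backend-config="../../config/$(ENVIRONMENT).tfbackend" \
		'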

# Apply the backend stack with a local state file, which is the target itself
# (written by terraform via -state; the ../../ prefix compensates for the
# `env -C` into the stack directory, i.e. $(@D)).  Secrets reach terraform
# through `sops exec-env`, which decrypts the env file into the process
# environment.  No .tf file is a prerequisite, so an existing state is not
# re-applied when the sources change.
infra/backend/$(ENVIRONMENT).tfstate: \
	$(OUT_DIR)/terraform \
	$(OUT_DIR)/sops \
	infra/backend/.terraform
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C $(@D) \
		$(TERRAFORM) apply \
		-var environment=$(ENVIRONMENT) \
		-var namespace=$(ENVIRONMENT) \
		-var region=$(REGION) \
		-state ../../$@ \
		'

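# Generate the backend configuration consumed by infra/main from the backend
# stack's outputs.  The file is not committed and the backend stack has no
# shared state, so its tfstate is produced by a nested $(MAKE) instead of being
# listed as a prerequisite.
# Fixes: the original header lacked a continuation after $(OUT_DIR)/terraform,
# which turned the `$(OUT_DIR)/sops` line (and the comment joined to it) into
# a recipe line that ran sops with no arguments; and `-state ../../$<` named
# the first prerequisite (the terraform binary), not the state file.
# The output is written to a temporary file first so a failed `terraform
# output` cannot leave a truncated tfbackend that looks up to date.
config/$(ENVIRONMENT).tfbackend: | \
	$(OUT_DIR)/terraform \
	$(OUT_DIR)/sops
	$(MAKE) infra/backend/$(ENVIRONMENT).tfstate
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/backend \
		$(TERRAFORM) \
		output -state ../../infra/backend/$(ENVIRONMENT).tfstate \
		> $@.tmp \
		&& mv -f $@.tmp $@ \
		'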

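# `.PHONY:` with no targets declared nothing; declare `apply` properly so it
# always runs and is never shadowed by a file of that name.
.PHONY: apply
# Apply the main stack for $(ENVIRONMENT) (state lives in the remote backend
# configured by init), then re-encrypt the Talos artefacts it produced into
# secrets/ with sops.  Only the encrypted copies belong in the repository; the
# plaintext files under infra/main/talos are left in place by this rule.
apply: \
	$(OUT_DIR)/terraform \
	$(OUT_DIR)/sops \
	infra/main/.terraform
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/main \
		$(TERRAFORM) apply \
		-var environment=$(ENVIRONMENT) \
		-var namespace=$(ENVIRONMENT) \
		-var region=$(REGION) \
		'
	$(SOPS) --encrypt infra/main/talos/talosconfig > secrets/$(ENVIRONMENT).talosconfig
	$(SOPS) --encrypt infra/main/talos/kubeconfig > secrets/$(ENVIRONMENT).kubeconfig
	$(SOPS) --encrypt infra/main/talos/controlplane.yaml > secrets/$(ENVIRONMENT).controlplane.yaml
	$(SOPS) --encrypt infra/main/talos/worker.yaml > secrets/$(ENVIRONMENT).worker.yaml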

# Directory holding uncommitted secrets (e.g. credentials.tfvars); a directory
# target, so intended for use as an order-only prerequisite.
$(CACHE_DIR)/secrets:
	mkdir -p $@

# Fetch the tool sources at the pinned refs (the *_REPO/*_REF values come from
# the toolchain Makefile); building from a pinned source checkout rather than a
# downloaded binary is what ties the tools below to a reviewable revision.
$(FETCH_DIR)/terraform:
	$(call git_clone,$@,$(TERRAFORM_REPO),$(TERRAFORM_REF))

$(FETCH_DIR)/sops:
	$(call git_clone,$@,$(SOPS_REPO),$(SOPS_REF))

$(FETCH_DIR)/talosctl:
	$(call git_clone,$@,$(TALOSCTL_REPO),$(TALOSCTL_REF))

# Build terraform from the fetched checkout inside the toolchain container.
# CGO_ENABLED=0 plus -ldflags '-extldflags=-static' yields a static binary;
# -trimpath keeps build-machine paths out of it.  GOCACHE/GOPATH and the
# output path are under /home/build, presumably the container's mount of the
# repo root — confirm in the toolchain Makefile.  SSL_CERT_DIR is set only in
# this rule (the sops/talosctl rules below omit it); the reason is not visible
# here.
$(OUT_DIR)/terraform: $(FETCH_DIR)/terraform
	$(call toolchain," \
		cd $(FETCH_DIR)/terraform && \
		export SSL_CERT_DIR=/etc/ssl/certs && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		go build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ \
	")

# Build sops (package $(SOPS_PKG), from the toolchain Makefile) from the
# fetched checkout inside the toolchain container, as a static, path-trimmed
# binary like terraform above.  /home/build is presumably the container's
# mount of the repo root — confirm in the toolchain Makefile.
$(OUT_DIR)/sops: $(FETCH_DIR)/sops
	$(call toolchain," \
		cd $(FETCH_DIR)/sops && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		go build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ $(SOPS_PKG) \
	")

# Build talosctl (package $(TALOSCTL_PKG), from the toolchain Makefile) from
# the fetched checkout inside the toolchain container, as a static,
# path-trimmed binary like terraform and sops above.  Nothing in this file
# lists $(OUT_DIR)/talosctl as a prerequisite, so it is only built on request.
$(OUT_DIR)/talosctl: $(FETCH_DIR)/talosctl
	$(call toolchain," \
		cd $(FETCH_DIR)/talosctl && \
		export CGO_ENABLED=0 && \
		export GOCACHE=/home/build/$(CACHE_DIR) && \
		export GOPATH=/home/build/$(CACHE_DIR) && \
		go build \
			-v \
			-trimpath \
			-ldflags='-w -extldflags=-static' \
			-o /home/build/$@ $(TALOSCTL_PKG) \
	")