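# If using QubesOS, the smart card must be connected directly to the qube,
# rather than using a 'vault' qube.
#
# Conventions: user-tunable knobs use `?=` (overridable from the environment or
# the command line), derived values use `:=`, internal helpers are lower_snake.
# CACHE_DIR, OUT_DIR, SRC_DIR, KEY_DIR, TERRAFORM, SOPS, the `tools` target and
# the run-container / toolchain / build-container / fetch_pgp_key /
# maybe_{de,en}crypt_secret macros all come from src/make/macros.mk.
# Every tofu invocation runs inside the tools image, selected by the content
# digest recorded in $(OUT_DIGEST) rather than by tag, with secrets injected
# as environment variables by `sops exec-env`.

# OpenTofu sources; a change to any of them re-runs init/refresh for that root.
BACKEND_TF := $(wildcard infra/backend/*.tf)
MAIN_TF    := $(wildcard infra/main/*.tf)

ENVIRONMENT := production
REGION      := sfo3
# $(CURDIR) instead of `$(shell pwd)`/$(PWD): no fork, and PWD comes from the
# environment, which may be unset or stale (sudo, CI runners).
ROOT_DIR    := $(CURDIR)
OUT_DIGEST  := out/tools-image.digest

# Fingerprints of the keys published under .well-known/openpgpkey (WKD).
# Each one is fetched into $(KEY_DIR)/<fingerprint>.asc by the rule below.
KEYS := \
    6B61ECD76088748C70590D55E90A401336C8AAA9 \
    88823A75ECAA786B0FF38B148E401478A3FBEF72 \
    3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \
    F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D

# Extra command-line flags appended verbatim to `tofu apply` by `make apply`.
EXTRA_ARGS :=
# The tty gpg's pinentry should use (see the smart-card note above).
# NOTE(review): nothing here exports it; presumably macros.mk or the container
# wrapper does — verify.
GPG_TTY  ?= $(shell tty)
PLATFORM ?= linux/amd64
PROGRESS ?= auto
REGISTRY ?= git.distrust.co/public
VERSION  := latest

# `make NOCACHE=1` rebuilds container images without the layer cache.
ifeq ($(strip $(NOCACHE)),1)
NOCACHE_FLAG := --no-cache
else
NOCACHE_FLAG :=
endif
export NOCACHE_FLAG

include $(CURDIR)/src/make/macros.mk

# Host directories mounted into the tools container, the sops wrapper that
# supplies the decrypted environment, and the flags every tofu call shares.
# Nothing plaintext is written to disk by the rules that use these.
infra_mounts := -v $(CURDIR)/secrets:/secrets -v $(CURDIR)/infra:/infra
sops_exec    := sops exec-env /secrets/$(ENVIRONMENT).enc.env --
tf_vars      := -var environment=$(ENVIRONMENT) -var namespace=$(ENVIRONMENT) -var region=$(REGION)
tf_state     := -state $(ENVIRONMENT).tfstate

.DEFAULT_GOAL := default

.PHONY: default
default: tools apply

# Refuse to expand to a bare `rm -rf` when CACHE_DIR is unset.
.PHONY: clean
clean:
	rm -rf $(if $(strip $(CACHE_DIR)),$(CACHE_DIR),$(error CACHE_DIR is empty; refusing to run rm -rf))

out:
	mkdir -p $@

.PHONY: update-tools
update-tools:
	./src/make/update.sh

# Interactive shell in the tools image with the checkout mounted read-write.
.PHONY: shell
shell: $(OUT_DIGEST)
	$(call run-container, -v $(CURDIR):/home/user/stack:rw, $(shell cat $<), /bin/bash)

.PHONY: credentials
credentials: $(CACHE_DIR)/secrets/credentials.tfvars

# Fetch one published key; the stem $* is the fingerprint.
$(KEY_DIR)/%.asc:
	$(call fetch_pgp_key,$*)

# Two targets sharing a recipe are two independent rules, so under `make -j`
# both may run the same mkdir/cp at once. The recipe is idempotent, so the
# result is unchanged, but a grouped target (&:, GNU make 4.3+) would avoid
# the duplicate work. The source files are declared so edits re-trigger the copy.
$(OUT_DIR)/website/.well-known/matrix/client \
$(OUT_DIR)/website/.well-known/matrix/server: $(wildcard $(SRC_DIR)/well-known/matrix/*)
	mkdir -p $(@D)
	cp -R $(SRC_DIR)/well-known/matrix/* $(@D)/

# Generate the WKD tree from the fetched keys. Declaring the .asc files as
# prerequisites makes fetch_pgp_key run (and re-run when a key changes)
# instead of `cat` failing on a missing file.
$(OUT_DIR)/website/.well-known/openpgpkey: $(patsubst %,$(KEY_DIR)/%.asc,$(KEYS))
	$(call toolchain," \
		sq wkd generate $(OUT_DIR)/website distrust.co <(cat $^) \
	")

# NOTE(review): these prerequisites live under $(CACHE_DIR) while the rules
# above produce them under $(OUT_DIR); unless macros.mk makes the two the same
# directory, make has no rule for them — confirm. /home/build/out/website/ is
# presumably where the toolchain macro mounts that directory — verify.
$(CACHE_DIR)/website/index.html: \
    $(CACHE_DIR)/website/.well-known/openpgpkey \
    $(CACHE_DIR)/website/.well-known/matrix/server \
    $(CACHE_DIR)/website/.well-known/matrix/client
	$(call toolchain," \
		cd $(SRC_DIR)/website \
		&& jekyll build \
		&& cp -R _site/* /home/build/out/website/ \
	")

# Bootstrap root that provisions the remote backend used by infra/main; its
# own state is a local file, infra/backend/$(ENVIRONMENT).tfstate.
infra/backend/.terraform: $(OUT_DIGEST) $(BACKEND_TF)
	$(call run-container,$(infra_mounts),$(shell cat $(OUT_DIGEST)),$(sops_exec) '\
		tofu -chdir=/infra/backend init -upgrade && \
		tofu -chdir=/infra/backend refresh $(tf_vars) $(tf_state)')

# NOTE(review): ../../config/ relative to /infra/main is /config, which is not
# one of the mounts above; this only works if run-container also exposes the
# repository at that location — confirm against the macro.
infra/main/.terraform: $(OUT_DIGEST) config/$(ENVIRONMENT).tfbackend $(MAIN_TF)
	$(call run-container,$(infra_mounts),$(shell cat $(OUT_DIGEST)),$(sops_exec) '\
		tofu -chdir=/infra/main init -upgrade -backend-config="../../config/$(ENVIRONMENT).tfbackend" && \
		tofu -chdir=/infra/main refresh $(tf_vars) $(tf_state)')

infra/backend/$(ENVIRONMENT).tfstate: $(OUT_DIGEST) infra/backend/.terraform
	$(call run-container,$(infra_mounts),$(shell cat $(OUT_DIGEST)),$(sops_exec) '\
		tofu -chdir=/infra/backend apply $(tf_vars) $(tf_state)')

# Backend settings for infra/main, taken from the backend root's outputs.
# Written to $@.tmp and renamed only after the trailing refresh succeeds, so a
# failed run never leaves a truncated-but-newer $@ behind.
# NOTE(review): $@ is a host-relative path used inside the container; this
# assumes run-container starts in the repository root — confirm.
config/$(ENVIRONMENT).tfbackend: $(OUT_DIGEST) infra/backend/$(ENVIRONMENT).tfstate
	$(call run-container,$(infra_mounts),$(shell cat $(OUT_DIGEST)),$(sops_exec) '\
		tofu -chdir=/infra/backend output $(tf_state) > $@.tmp && \
		tofu -chdir=/infra/backend refresh $(tf_vars) $(tf_state) && \
		mv -f $@.tmp $@')

# Reproducible image build: SOURCE_DATE_EPOCH is the commit time of the last
# change under images/<name>, and the Containerfile is that image's own
# (matching the images/$* path REVISION is derived from).
# NOTE(review): `export` and `cd` on their own lines only affect the next line
# if macros.mk sets .ONESHELL; otherwise each line runs in its own shell and
# both are no-ops — confirm which is intended.
build-%: REVISION = $(shell git rev-list -1 HEAD -- images/$*)
build-%: SOURCE_DATE_EPOCH = $(shell git log -1 --format=%ct $(REVISION))
build-%: images/%/Containerfile | out
	export SOURCE_DATE_EPOCH
	cd images/$*
	$(call build-container,$*,$(VERSION),$<,$(SOURCE_DATE_EPOCH),$(REVISION))

# The digest file is produced by build-container. `out` is order-only so that
# other files appearing in out/ do not make the digest look stale.
$(OUT_DIGEST): build-tools | out

.PHONY: plan
plan: $(OUT_DIGEST)
	$(call run-container,$(infra_mounts),$(shell cat $<),$(sops_exec) '\
		tofu -chdir=/infra/main plan $(tf_vars)')

# Diagnostic: shows whether the gpg agent socket is reachable inside the
# container (needed for smart-card use; see the QubesOS note at the top).
# NOTE(review): run-container receives a single argument here, whereas every
# other call passes mounts, digest and command — confirm the macro allows it.
.PHONY: new-apply
new-apply: $(OUT_DIGEST)
	$(call run-container,'\
		echo $$GPG_AGENT_INFO; \
		ls -l /S.gpg-agent; \
		gpg --verbose --list-keys \
	')

# Applies infra/main on the host (not in the tools container, unlike plan).
# Talos credentials are decrypted into infra/main/talos/ for the duration of
# the apply and passed back through maybe_encrypt_secret afterwards.
# NOTE(review): if the apply line fails, make stops and the encrypt lines never
# run, leaving the decrypted files in infra/main/talos/ — confirm that
# directory is ignored by git and consider an unconditional cleanup step.
.PHONY: apply
apply: $(TERRAFORM) $(SOPS) infra/main/.terraform
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
		env -C infra/main $(TERRAFORM) apply $(tf_vars) $(EXTRA_ARGS) '
	$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
	$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
	$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
	$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)

$(CACHE_DIR)/secrets:
	mkdir -p $@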