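# If using QubesOS, the smart card must be connected directly to the qube,
# rather than using a 'vault' qube.

# ---------------------------------------------------------------------------
# Inputs to the infrastructure targets below.
# ---------------------------------------------------------------------------
BACKEND_TF := $(wildcard infra/backend/*.tf)
MAIN_TF := $(wildcard infra/main/*.tf)
# Selects secrets/$(ENVIRONMENT).enc.env, config/$(ENVIRONMENT).tfbackend and
# the *.tfstate files; the default goal applies to this environment.
ENVIRONMENT := production
REGION := sfo3
# Absolute path of the directory make was started in ($(CURDIR) is set by
# make itself, so it is correct under `make -C` where a shell `pwd`/$PWD may not be).
ROOT_DIR := $(CURDIR)
# GPG key fingerprints. Not referenced in this file; presumably consumed by
# src/make/macros.mk (e.g. for signature verification) -- confirm there.
KEYS := \
	6B61ECD76088748C70590D55E90A401336C8AAA9 \
	88823A75ECAA786B0FF38B148E401478A3FBEF72 \
	3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \
	F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
# Extra arguments appended to `tofu plan` / `tofu apply` (e.g. make EXTRA_ARGS=-auto-approve).
EXTRA_ARGS :=
# Overridable knobs (command line or environment wins).
GPG_TTY ?= $(shell tty)
PLATFORM ?= linux/amd64
PROGRESS ?= auto
REGISTRY ?= git.distrust.co/public
# Image tag used by build-%/push-%/shell. This is a mutable tag; the
# out/tools-image.digest target suggests digest pinning happens elsewhere -- confirm.
VERSION := latest
SHELL := /bin/bash
SOPS := sops

# NOCACHE=1 disables the container build cache (flag is exported for the
# macros in src/make/macros.mk, which build the images).
ifeq ($(strip $(NOCACHE)),1)
NOCACHE_FLAG := --no-cache
else
NOCACHE_FLAG :=
endif
export NOCACHE_FLAG

# Provides CACHE_DIR, run-container, build-container, import-container,
# maybe_decrypt_secret and maybe_encrypt_secret used below.
include $(ROOT_DIR)/src/make/macros.mk

# Every recipe runs as ONE bash script. Without -e only the LAST line's exit
# status would reach make, so e.g. a failed `tofu apply` followed by a
# successful re-encrypt step would report success; -e -o pipefail makes any
# failing line (or pipeline element) fail the recipe.
.ONESHELL:
.SHELLFLAGS := -e -o pipefail -c
# Deliberately NOT setting .DELETE_ON_ERROR: it would remove
# infra/backend/$(ENVIRONMENT).tfstate after a failed apply, destroying state.
# macros.mk may define rules before ours, so name the default goal explicitly.
.DEFAULT_GOAL := default

# `make` with no goal applies the $(ENVIRONMENT) infrastructure.
.PHONY: default
default: \
	tofu-apply

# Remove the cache directory created by the macros. Refuse to run with an
# empty CACHE_DIR so this can never expand to `rm -rf` of an unintended path.
.PHONY: clean
clean:
	$(if $(strip $(CACHE_DIR)),,$(error CACHE_DIR is empty; refusing to run rm -rf))
	rm -rf $(CACHE_DIR)

# Output directory for built image artefacts (order-only prerequisite of build-%).
out:
	mkdir -p $@

# Interactive shell in the tools image; the host working directory is
# bind-mounted read-write at /home/user/stack inside the container.
.PHONY: shell
shell: build-tools load-tools
	$(call run-container, -v $${PWD}:/home/user/stack:rw, $(REGISTRY)/tools:latest, /bin/bash)

# The rule producing credentials.tfvars is not in this file (presumably macros.mk).
.PHONY: credentials
credentials: \
	$(CACHE_DIR)/secrets/credentials.tfvars

# Initialise the state-backend workspace. The provider credentials come from
# the sops-encrypted env file and are only ever exposed to the tofu child process.
infra/backend/.terraform: $(BACKEND_TF)
	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
	tofu -chdir=infra/backend init -upgrade && \
	tofu -chdir=infra/backend refresh \
	-var environment=$(ENVIRONMENT) \
	-var namespace=$(ENVIRONMENT) \
	-var region=$(REGION) \
	-state $(ENVIRONMENT).tfstate'

# Initialise the main workspace against the backend described by the
# generated config/$(ENVIRONMENT).tfbackend file.
infra/main/.terraform: \
	config/$(ENVIRONMENT).tfbackend \
	$(MAIN_TF)
	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
	tofu -chdir=infra/main init -upgrade \
	-backend-config="../../config/$(ENVIRONMENT).tfbackend" && \
	tofu -chdir=infra/main refresh \
	-var environment=$(ENVIRONMENT) \
	-var namespace=$(ENVIRONMENT) \
	-var region=$(REGION) \
	-state $(ENVIRONMENT).tfstate'

# Create the state backend itself; its local tfstate file is the real target.
# NOTE: `apply` here is non-interactive only if EXTRA_ARGS/tofu config say so.
infra/backend/$(ENVIRONMENT).tfstate: infra/backend/.terraform
	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
	tofu -chdir=infra/backend apply \
	-var environment=$(ENVIRONMENT) \
	-var namespace=$(ENVIRONMENT) \
	-var region=$(REGION) \
	-state $(ENVIRONMENT).tfstate'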
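# Export the backend settings as a tfbackend file for the main workspace.
# The `> $@` redirect is resolved by the outer shell in $(ROOT_DIR), not in
# infra/backend (-chdir only affects tofu's own working directory).
config/$(ENVIRONMENT).tfbackend: infra/backend/$(ENVIRONMENT).tfstate
	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
	tofu -chdir=infra/backend output \
	-state $(ENVIRONMENT).tfstate > $@ && \
	tofu -chdir=infra/backend refresh \
	-var environment=$(ENVIRONMENT) \
	-var namespace=$(ENVIRONMENT) \
	-var region=$(REGION) \
	-state $(ENVIRONMENT).tfstate'

# Reproducible image build for images/<name>/ (build-tools, ...).
# REVISION / SOURCE_DATE_EPOCH intentionally use `=`: they reference the
# per-target stem and must be evaluated when the recipe runs.
# SOURCE_DATE_EPOCH is exported into the recipe environment as well as passed
# to the macro so the container build sees the same timestamp.
build-%: REVISION = $(shell git rev-list -1 HEAD -- images/$*)
build-%: export SOURCE_DATE_EPOCH = $(shell git log -1 --format=%ct $(REVISION))
build-%: images/%/Containerfile | out
	$(call build-container,$*,$(VERSION),$<,$(SOURCE_DATE_EPOCH),$(REVISION))

load-%: build-%
	$(call import-container,$*)

# Pushes the mutable $(VERSION) tag (default: latest).
push-%: build-% load-%
	docker push $(REGISTRY)/$*:$(VERSION)

# Dependency declaration only; the recipe producing the digest file is not in
# this file. `out` is order-only so directory mtime changes don't trigger rebuilds.
out/tools-image.digest: build-tools | out

# Working directory for decrypted Talos material. Files written here are
# plaintext secrets; confirm the path is covered by .gitignore.
infra/main/talos:
	mkdir -p $@

# Decrypt secrets/$(ENVIRONMENT).<name> into infra/main/talos/<name>.
# umask 077 keeps the plaintext owner-readable only; writing to a temp file
# and renaming avoids leaving a truncated-but-newer target if sops fails.
infra/main/talos/%: secrets/$(ENVIRONMENT).% | infra/main/talos
	umask 077 && $(SOPS) --decrypt $< > $@.tmp && mv -f $@.tmp $@

# Plan with the decrypted Talos files available, then re-encrypt any changes.
# NOTE: plan invokes `tofu` from PATH while tofu-apply invokes $(TERRAFORM);
# presumably macros.mk pins TERRAFORM to a verified binary -- confirm the two match.
.PHONY: tofu-plan
tofu-plan: infra/main/.terraform
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
	sops exec-env secrets/$(ENVIRONMENT).enc.env -- \
	'tofu -chdir=infra/main plan \
	-var environment=$(ENVIRONMENT) \
	-var namespace=$(ENVIRONMENT) \
	-var region=$(REGION) \
	$(EXTRA_ARGS)'
	$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
	$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
	$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
	$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)

# Apply. $(TERRAFORM) and $(SOPS) are listed as file prerequisites: TERRAFORM is
# not defined in this file and `sops` must have a rule (presumably in macros.mk)
# or exist as a file, otherwise make stops with "No rule to make target".
# $(TERRAFORM) is executed after `env -C infra/main`, so it must be an absolute
# path or on PATH -- a path relative to $(ROOT_DIR) would not resolve.
.PHONY: tofu-apply
tofu-apply: \
	$(TERRAFORM) \
	$(SOPS) \
	infra/main/.terraform
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
	env -C infra/main \
	$(TERRAFORM) apply \
	-var environment=$(ENVIRONMENT) \
	-var namespace=$(ENVIRONMENT) \
	-var region=$(REGION) \
	$(EXTRA_ARGS) '
	$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
	$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
	$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
	$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)

# Render kustomizations/<name>/ to a single manifest. Uses the pattern stem
# ($*) rather than $(TARGET) so the rule builds the directory of its own
# target regardless of how it was requested.
kustomizations/%/out.yaml: kustomizations/%
	env -C kustomizations/$* -- kustomize build --enable-alpha-plugins . > $@

# Apply kustomizations/$(TARGET) with the sops-encrypted kubeconfig.
# `exec-file --no-fifo` hands kubectl a temporary plaintext copy of the
# kubeconfig on disk rather than a FIFO; the rendered manifest is deleted afterwards.
# The $${HOME}/stack path matches the bind mount used by the `shell` target, so
# this is expected to run inside the tools container -- confirm before using on a host.
.PHONY: k8s-apply
k8s-apply: kustomizations/$(TARGET)/out.yaml
	$(if $(strip $(TARGET)),,$(error TARGET must name a directory under kustomizations/))
	sops exec-file --no-fifo "$${HOME}/stack/secrets/$(ENVIRONMENT).kubeconfig" "KUBECONFIG={} /usr/bin/kubectl apply -f $<"
	rm $<

$(CACHE_DIR)/secrets:
	mkdir -p $@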