public
/
stack
5
0
Fork 0
Code Issues 4 Pull Requests 3 Packages Projects Releases Wiki Activity
stack/Makefile

155 lines
4.6 KiB
Makefile
Raw Permalink Blame History

# If using QubesOS, the smart card must be connected directly to the qube,
# rather than using a 'vault' qube.
BACKEND_TF := $(wildcard infra/backend/*.tf)
MAIN_TF := $(wildcard infra/main/*.tf)
ENVIRONMENT := production
REGION := sfo3
EXTRA_ARGS :=
GPG_TTY ?= $(shell tty)
PLATFORM ?= linux/amd64
PROGRESS ?= auto
REGISTRY ?= git.distrust.co/public
VERSION := latest
SHELL=/bin/bash
ifeq ($(NOCACHE), 1)
NOCACHE_FLAG=--no-cache
else
NOCACHE_FLAG=
endif
export NOCACHE_FLAG
include $(PWD)/src/make/macros.mk
TALOS_SECRETS := \
infra/main/talos/controlplane.yaml \
infra/main/talos/worker.yaml \
infra/main/talos/kubeconfig \
infra/main/talos/talosconfig
.ONESHELL:
.DEFAULT_GOAL :=
.PHONY: default
default: \
tofu-apply
.PHONY: clean
clean:
rm -rf $(CACHE_DIR)
out:
mkdir out
.PHONY: shell
shell: build-tools load-tools
$(call run-container, -v $${PWD}:/home/user/stack:rw, $(REGISTRY)/tools:latest, /bin/bash)
infra/backend/.terraform: $(BACKEND_TF)
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
tofu -chdir=infra/backend init -upgrade && \
tofu -chdir=infra/backend refresh \
-var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \
-state $(ENVIRONMENT).tfstate'
infra/main/.terraform: \
config/$(ENVIRONMENT).tfbackend \
$(MAIN_TF) \
$(TALOS_SECRETS)
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
tofu -chdir=infra/main init -upgrade \
-backend-config="../../config/$(ENVIRONMENT).tfbackend" && \
tofu -chdir=infra/main refresh \
-var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \
-state $(ENVIRONMENT).tfstate'
infra/backend/$(ENVIRONMENT).tfstate: infra/backend/.terraform
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
tofu -chdir=infra/backend apply \
-var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \
-state $(ENVIRONMENT).tfstate'
config/$(ENVIRONMENT).tfbackend: infra/backend/$(ENVIRONMENT).tfstate
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
tofu -chdir=infra/backend output \
-state $(ENVIRONMENT).tfstate > $@ && \
tofu -chdir=infra/backend refresh \
-var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \
-state $(ENVIRONMENT).tfstate'
build-%: REVISION = $(shell git rev-list -1 HEAD -- images/$*)
build-%: SOURCE_DATE_EPOCH = $(shell git log -1 --format=%ct $(REVISION))
build-%: images/tools/Containerfile | out
export SOURCE_DATE_EPOCH
$(call build-container,$*,$(VERSION),$<,$(SOURCE_DATE_EPOCH),$(REVISION))
load-%: build-%
$(call import-container,$*)
push-%: build-% load-%
docker push $(REGISTRY)/$*:$(VERSION)
out/tools-image.digest: out build-tools
infra/main/talos:
mkdir -p $@
infra/main/talos/%: secrets/$(ENVIRONMENT).% | infra/main/talos
sops --decrypt $< > $@ && \
touch -r $< $@ || true
secrets/$(ENVIRONMENT).%: infra/main/talos/%
sops --encrypt $< > $@ && \
touch -r $< $@ || true
.PHONY: tofu-plan
tofu-plan: \
infra/main/.terraform \
$(TALOS_SECRETS)
sops exec-env secrets/$(ENVIRONMENT).enc.env -- \
'tofu -chdir=infra/main plan \
-var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \
$(EXTRA_ARGS)'
$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)
.PHONY: tofu-apply
tofu-apply: \
infra/main/.terraform
sops exec-env secrets/$(ENVIRONMENT).enc.env '\
env -C infra/main \
tofu apply \
-var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \
$(EXTRA_ARGS) '
$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)
kustomizations/%/out.yaml: kustomizations/%
env -C kustomizations/$(TARGET) -- kustomize build --enable-alpha-plugins . > $@
.PHONY: k8s-apply
k8s-apply: kustomizations/$(TARGET)/out.yaml
sops exec-file --no-fifo "$${HOME}/stack/secrets/production.kubeconfig" "KUBECONFIG={} /usr/bin/kubectl apply -f $<"
rm $<
$(CACHE_DIR)/secrets:
mkdir -p $@
Reference in New Issue View Git Blame Copy Permalink