# Note: decryption MUST reset the mod time, otherwise encryption and decryption
# chase each other in a loop (see maybe_decrypt_secret below).
# Encrypt if:
# - Both files exist and the local one is newer than the remote one
# - Only the local file exists
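# $(call maybe_encrypt_secret,local,remote)
# Encrypts the local file $(1) into $(2) with $(SOPS) when $(2) is missing or
# older than $(1). The condition being false is not an error (nothing to do);
# a failing $(SOPS) run is. The ciphertext is written to "$(2).tmp" and renamed
# into place so that a failed or interrupted encryption cannot leave a
# truncated $(2) behind that is newer than $(1) -- such a file would make the
# "local is newer" test false on every later run and the secret would never be
# re-encrypted.
define maybe_encrypt_secret
if test -f "$(1)" && { test ! -f "$(2)" || test "$(1)" -nt "$(2)"; }; then \
$(SOPS) --encrypt "$(1)" > "$(2).tmp" && mv -f "$(2).tmp" "$(2)" || { rm -f "$(2).tmp"; exit 1; }; \
fi
endef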
# Only decrypt when the local (decrypted) file does not exist yet.
# Unfortunately, this means we can't re-decrypt when the encrypted secrets are
# updated. We can't do that because it would create a loop: the secrets update,
# so we decrypt them, but because the modtime of the decrypted secrets is then
# newer than that of the encrypted secrets, we would want to re-encrypt them.
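# $(call maybe_decrypt_secret,remote,local)
# Decrypts $(1) into the local file $(2) with $(SOPS), but only when $(2) does
# not exist yet; the condition being false is not an error. The mtime of the
# plaintext is reset to the epoch so that maybe_encrypt_secret does not see the
# fresh plaintext as "newer" and re-encrypt it.
# The plaintext is created under umask 077 (owner-only permissions) and written
# to "$(2).tmp", which is renamed into place only after decryption and the
# mtime reset succeeded. A failed $(SOPS) run must not leave an empty $(2) with
# a current mtime behind: maybe_encrypt_secret would then treat that empty file
# as a newer local secret and encrypt it over $(1).
define maybe_decrypt_secret
if test -f "$(1)" && test ! -f "$(2)"; then \
mkdir -p "$(dir $(2))" && \
( umask 077 && $(SOPS) --decrypt "$(1)" > "$(2).tmp" ) && \
touch -d 1970-01-01 "$(2).tmp" && \
mv -f "$(2).tmp" "$(2)" || { rm -f "$(2).tmp"; exit 1; }; \
fi
endef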
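# $(call run-container,docker-run-args,image,entrypoint)
# Starts an interactive container (`docker run -it`) from image $(2) with
# entrypoint $(3); $(1) is passed through to `docker run` verbatim.
# Bind mounts: the .bashrc from the current working directory (read-only), the
# GnuPG socket directory (read-only) and the GnuPG home directory (read-write,
# so the container can modify the keyring). SSH_AUTH_SOCK is pointed at the
# gpg-agent SSH socket as it appears inside the container.
# The gpgconf lookups are $(shell) calls in a recursive variable, so they run
# on every expansion of this macro; $(notdir) replaces a `basename` subshell.
define run-container
docker run -it $(1) \
-v "$$PWD/.bashrc:/home/user/.bashrc:ro" \
-v "$(shell gpgconf --list-dirs socketdir)/:/run/user/1000/gnupg/:ro" \
-v "$(shell gpgconf --list-dirs homedir):/home/user/.gnupg:rw" \
-e SSH_AUTH_SOCK=/run/user/1000/gnupg/$(notdir $(shell gpgconf --list-dirs agent-ssh-socket)) \
--entrypoint $(3) \
$(2)
endef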
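# $(call build-container,name,version,dockerfile,source-date-epoch,revision)
# Builds image $(1) from Dockerfile $(3) (build context: its directory) with
# `docker buildx build`, tagged $(REGISTRY)/$(1):$(2), and unpacks the
# resulting OCI layout into out/image/$(1). SOURCE_DATE_EPOCH is set to $(4)
# for the build and $(5) becomes the image.revision annotation.
# EXTRA_ARGS, NOCACHE_FLAG, CHECK_FLAG, PLATFORM and PROGRESS are taken from
# the surrounding makefile.
# The OCI tar is written to out/image/$(1).tar and extracted in a separate
# step instead of being piped into tar: with a pipe the recipe's exit status
# is tar's, so a failed build could go unnoticed unless the shell has
# pipefail enabled. The tar file is removed after a successful extraction.
define build-container
mkdir -p out/image/$(1)
SOURCE_DATE_EPOCH=$(4) docker \
buildx \
build \
--tag $(REGISTRY)/$(1):$(2) \
--output \
name=$(1),type=oci,rewrite-timestamp=true,force-compression=true,annotation.org.opencontainers.image.revision=$(5),annotation.org.opencontainers.image.version=$(2),tar=true,dest=out/image/$(1).tar \
$(EXTRA_ARGS) \
$(NOCACHE_FLAG) \
$(CHECK_FLAG) \
--platform=$(PLATFORM) \
--progress=$(PROGRESS) \
-f $(3) \
$(dir $(3))
tar -C out/image/$(1) -mxf out/image/$(1).tar
rm -f out/image/$(1).tar
endef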