163 lines
5.4 KiB
Makefile
163 lines
5.4 KiB
Makefile
# If using QubesOS, the smart card must be connected directly to the qube,
|
|
# rather than using a 'vault' qube.
|
|
|
|
BACKEND_TF := $(wildcard infra/backend/*.tf)
|
|
MAIN_TF := $(wildcard infra/main/*.tf)
|
|
ENVIRONMENT := production
|
|
REGION := sfo3
|
|
ROOT_DIR := $(shell pwd)
|
|
KEYS := \
|
|
6B61ECD76088748C70590D55E90A401336C8AAA9 \
|
|
88823A75ECAA786B0FF38B148E401478A3FBEF72 \
|
|
3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \
|
|
F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
|
|
|
|
EXTRA_ARGS :=
|
|
GPG_TTY ?= $(shell tty)
|
|
PLATFORM ?= linux/amd64
|
|
PROGRESS ?= auto
|
|
REGISTRY ?= git.distrust.co/public
|
|
VERSION := latest
|
|
SHELL=/bin/bash
|
|
SOPS := sops
|
|
|
|
ifeq ($(NOCACHE), 1)
|
|
NOCACHE_FLAG=--no-cache
|
|
else
|
|
NOCACHE_FLAG=
|
|
endif
|
|
export NOCACHE_FLAG
|
|
|
|
include $(PWD)/src/make/macros.mk
|
|
|
|
.ONESHELL:
|
|
|
|
.DEFAULT_GOAL :=
|
|
.PHONY: default
|
|
default: \
|
|
tofu-apply
|
|
|
|
.PHONY: clean
|
|
clean:
|
|
rm -rf $(CACHE_DIR)
|
|
|
|
out:
|
|
mkdir out
|
|
|
|
.PHONY: shell
|
|
shell: build-tools load-tools
|
|
$(call run-container, -v $${PWD}:/home/user/stack:rw, $(REGISTRY)/tools:latest, /bin/bash)
|
|
|
|
.PHONY: credentials
|
|
credentials: \
|
|
$(CACHE_DIR)/secrets/credentials.tfvars
|
|
|
|
infra/backend/.terraform: $(BACKEND_TF)
|
|
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
|
|
tofu -chdir=infra/backend init -upgrade && \
|
|
tofu -chdir=infra/backend refresh \
|
|
-var environment=$(ENVIRONMENT) \
|
|
-var namespace=$(ENVIRONMENT) \
|
|
-var region=$(REGION) \
|
|
-state $(ENVIRONMENT).tfstate'
|
|
|
|
infra/main/.terraform: \
|
|
config/$(ENVIRONMENT).tfbackend \
|
|
$(MAIN_TF)
|
|
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
|
|
tofu -chdir=infra/main init -upgrade \
|
|
-backend-config="../../config/$(ENVIRONMENT).tfbackend" && \
|
|
tofu -chdir=infra/main refresh \
|
|
-var environment=$(ENVIRONMENT) \
|
|
-var namespace=$(ENVIRONMENT) \
|
|
-var region=$(REGION) \
|
|
-state $(ENVIRONMENT).tfstate'
|
|
|
|
infra/backend/$(ENVIRONMENT).tfstate: infra/backend/.terraform
|
|
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
|
|
tofu -chdir=infra/backend apply \
|
|
-var environment=$(ENVIRONMENT) \
|
|
-var namespace=$(ENVIRONMENT) \
|
|
-var region=$(REGION) \
|
|
-state $(ENVIRONMENT).tfstate'
|
|
|
|
config/$(ENVIRONMENT).tfbackend: infra/backend/$(ENVIRONMENT).tfstate
|
|
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
|
|
tofu -chdir=infra/backend output \
|
|
-state $(ENVIRONMENT).tfstate > $@ && \
|
|
tofu -chdir=infra/backend refresh \
|
|
-var environment=$(ENVIRONMENT) \
|
|
-var namespace=$(ENVIRONMENT) \
|
|
-var region=$(REGION) \
|
|
-state $(ENVIRONMENT).tfstate'
|
|
|
|
build-%: REVISION = $(shell git rev-list -1 HEAD -- images/$*)
|
|
build-%: SOURCE_DATE_EPOCH = $(shell git log -1 --format=%ct $(REVISION))
|
|
build-%: images/tools/Containerfile | out
|
|
export SOURCE_DATE_EPOCH
|
|
$(call build-container,$*,$(VERSION),$<,$(SOURCE_DATE_EPOCH),$(REVISION))
|
|
|
|
load-%: build-%
|
|
$(call import-container,$*)
|
|
|
|
push-%: build-% load-%
|
|
docker push $(REGISTRY)/$*:$(VERSION)
|
|
|
|
out/tools-image.digest: out build-tools
|
|
|
|
infra/main/talos:
|
|
mkdir -p $@
|
|
|
|
infra/main/talos/%: secrets/$(ENVIRONMENT).% | infra/main/talos
|
|
$(SOPS) --decrypt $< > $@
|
|
|
|
.PHONY: tofu-plan
|
|
tofu-plan: infra/main/.terraform
|
|
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
|
|
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
|
|
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
|
|
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
|
|
sops exec-env secrets/$(ENVIRONMENT).enc.env -- \
|
|
'tofu -chdir=infra/main plan \
|
|
-var environment=$(ENVIRONMENT) \
|
|
-var namespace=$(ENVIRONMENT) \
|
|
-var region=$(REGION) \
|
|
$(EXTRA_ARGS)'
|
|
$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
|
|
$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
|
|
$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
|
|
$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)
|
|
|
|
.PHONY: tofu-apply
|
|
tofu-apply: \
|
|
$(TERRAFORM) \
|
|
$(SOPS) \
|
|
infra/main/.terraform
|
|
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
|
|
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
|
|
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
|
|
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
|
|
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
|
|
env -C infra/main \
|
|
$(TERRAFORM) apply \
|
|
-var environment=$(ENVIRONMENT) \
|
|
-var namespace=$(ENVIRONMENT) \
|
|
-var region=$(REGION) \
|
|
$(EXTRA_ARGS) '
|
|
$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
|
|
$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
|
|
$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
|
|
$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)
|
|
|
|
kustomizations/%/out.yaml: kustomizations/%
|
|
env -C kustomizations/$(TARGET) -- kustomize build --enable-alpha-plugins . > $@
|
|
|
|
.PHONY: k8s-apply
|
|
k8s-apply: kustomizations/$(TARGET)/out.yaml
|
|
sops exec-file --no-fifo "$${HOME}/stack/secrets/production.kubeconfig" "KUBECONFIG={} /usr/bin/kubectl apply -f $<"
|
|
rm $<
|
|
|
|
$(CACHE_DIR)/secrets:
|
|
mkdir -p $@
|
|
|