authorEuAndreh <eu@euandre.org>2023-10-08 08:26:37 -0300
committerEuAndreh <eu@euandre.org>2023-11-25 12:14:34 -0300
commite406d80377858f37ce683163b2b0ce45e59cfe9f (patch)
treeac2a4ba2543cc1b2507e8aa57acfc039e71cf3c8 /Makefile
parentInitial empty commit (diff)
downloadasami-e406d80377858f37ce683163b2b0ce45e59cfe9f.tar.gz
asami-e406d80377858f37ce683163b2b0ce45e59cfe9f.tar.xz
Init server infrastructure files
Diffstat (limited to 'Makefile')
-rw-r--r--Makefile157
1 files changed, 157 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..9e55ee8
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,157 @@
+.POSIX:
+NAME = papo.im
+NAME_UC = $(NAME)
+URL = $(NAME)
+TLD = $(URL)
+LIST = list@$(URL)
+
+OFFSITE_SSH = 00000@aa0000.rsync.net
+
+
+
+.SUFFIXES:
+.SUFFIXES: .in .gpg .md .html
+
+.in:
+ sed \
+ -e 's:@OFFSITE_SSH@:$(OFFSITE_SSH):g' \
+ -e 's:@VERSION@:$(VERSION):g' \
+ -e 's:@DATE@:$(DATE):g' \
+ -e 's:@NAME@:$(NAME):g' \
+ -e 's:@LIST@:$(LIST):g' \
+ -e 's:@URL@:$(URL):g' \
+ -e 's:@TLD@:$(TLD):g' \
+ < $< > $@
+ if [ -x $< ]; then chmod +x $@; fi
+
+.gpg:
+ gpg -d < $< > $@
+
+.md.html:
+ sh aux/commonmark.sh -N'$(NAME_UC)' -t$(*F) -l en < $< > $@
+
+
+
+prod-secrets.txt.gpg = \
+ src/secrets/borg-passphrase.txt.gpg \
+ src/secrets/root@$(TLD).id_rsa.txt.gpg \
+
+all-secrets.txt.gpg = \
+ $(prod-secrets.txt.gpg) \
+ src/secrets/rsync.net.txt.gpg \
+ src/secrets/VPS-root.txt.gpg \
+
+prod-secrets.txt = $(prod-secrets.txt.gpg:.gpg=)
+all-secrets.txt = $(all-secrets.txt.gpg:.gpg=)
+
+
+generated-assets = \
+ tld.txt \
+ src/infrastructure/config/conf.env \
+
+derived-assets = \
+ $(generated-assets) \
+ mkdir-public.sentinel \
+ system.sentinel \
+ public \
+ aux/preamble.md \
+ CHANGELOG.html \
+
+
+
+
+all: $(derived-assets)
+
+gen: $(generated-assets)
+
+$(derived-assets): Makefile
+
+
+tld.txt:
+ echo '$(TLD)' > $@
+
+system.sentinel: src/infrastructure/guix/system.scm tld.txt \
+ src/infrastructure/keys/SSH/root@$(URL).id_rsa.pub.stripped
+ guix build -v3 -f src/infrastructure/guix/system.scm
+ touch $@
+
+.SUFFIXES: .stripped
+src/infrastructure/keys/SSH/root@$(TLD).id_rsa.pub.stripped: \
+ src/infrastructure/keys/SSH/root@$(TLD).id_rsa.pub.txt
+ cut -d' ' -f8- < $*.txt > $@
+
+
+## Run all tests. Each test suite is isolated, so that a parallel
+## build can run tests at the same time. The required artifacts
+## are created if required.
+check:
+
+
+clean:
+ rm -rf $(derived-assets) $(all-secrets.txt)
+
+
+mkdir-public.sentinel:
+ mkdir -p public/
+ touch $@
+
+public/CHANGELOG.html: mkdir-public.sentinel CHANGELOG.html
+ cp $(@F) $@
+
+public/TODOs.html:
+public/ci: mkdir-public.sentinel
+ sh src/infrastructure/scripts/report.sh -o $@
+
+
+## Generates the `public/` directory, which contains all static HTML files.
+public: public/CHANGELOG.html public/TODOs.html public/ci
+
+$(all-secrets.txt.gpg):
+ gpg -ae `src/infrastructure/keys/gpg-recipients.sh` < $* > $@
+
+## Import the GPG keys to allow encrypting secrets to them.
+import:
+ sh src/infrastructure/keys/gpg-import.sh
+
+
+## Print the latest 500 lines of the application and keeps tailing it.
+logs:
+ ssh $(TLD) tail -n500 /var/log/$(NAME).log
+
+## Print *all* logs available on the server.
+all-logs:
+ ssh $(TLD) \
+ 'gunzip -c /var/log/$(NAME).log.*; cat /var/log/$(NAME).log' | \
+ sort
+
+
+## Decrypt $(prod-secrets.txt) in `src/secrets/` and put them in their
+## correct location in the server.
+upload-secrets: $(prod-secrets.txt)
+ ssh $(TLD) sudo -u secrets-keeper 'rm -f /opt/secrets/*'
+ rsync \
+ --rsync-path='sudo -u secrets-keeper rsync' \
+ --chmod=000 \
+ -avzP \
+ $(prod-secrets.txt) $(TLD):/opt/secrets/
+ rm -f $(prod-secrets.txt)
+
+## Generate the `.ssh/authorized_keys` file and upload it to $(OFFSITE_SSH).
+upload-keys:
+ cat src/infrastructure/keys/SSH/*.txt | \
+ ssh $(OFFSITE_SSH) dd of=.ssh/authorized_keys
+
+## Deploy everything that is deployable from the repository when
+## open in the local development machine.
+deploy: upload-secrets upload-keys
+ @printf '\nRunning `git push` to update the deployment.\n'
+ git push
+
+
+MAKEFILE = Makefile
+## Show this help.
+help:
+ cat $(MAKEFILE) | sh aux/makehelp.sh
+
+
+ALWAYS:
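Review bot: The `upload-secrets` recipe can leave decrypted secrets on disk: its prerequisites are written as plaintext under `src/secrets/` by the `.gpg:` rule (`gpg -d < $< > $@`), and the only cleanup is the final `rm -f $(prod-secrets.txt)` line, which is not reached when the earlier `ssh` or `rsync` line fails. The plaintext is also created with whatever umask the invoking shell has, so depending on the environment it may be readable by other local users until it is removed. I would restrict the mode at creation with `umask 077 && gpg -d < $< > $@`, and make the cleanup unconditional by ending the rsync command with `; rc=$$?; rm -f $(prod-secrets.txt); exit $$rc` (with the same guard on the `ssh` line) rather than relying on a separate recipe line. A comment on the target such as `## Plaintext copies in src/secrets/ must not outlive this target, even on failure.` would record the intent for later edits.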