# Request POSIX-conforming make behaviour.
.POSIX:

# Project-wide settings reused by the rules below.
# NAME_UC currently expands to exactly the same text as NAME; no case
# conversion happens in this file.
NAME = asami
NAME_UC = $(NAME)
# Host name used as the ssh/rsync destination and as part of the root
# public-key file name.
TLD = papo.im
# Account on the off-site host that receives the generated authorized_keys.
OFFSITE_SSH = zh4539@zh4539.rsync.net
# Names the remote log directory and log file (/var/log/$(APP)/$(APP).log).
APP = papod

# An empty .SUFFIXES clears the built-in suffix list, so only the suffix
# rules declared in this file apply.
.SUFFIXES:

# Declare "all" before the include, presumably so that it stays the default
# goal whatever rules deps.mk defines -- confirm against deps.mk.
all:

# deps.mk is not visible here; it presumably defines the *.txt.gpg lists
# that are referenced further down -- TODO confirm.
include deps.mk
# Plaintext names of the encrypted secrets: each word of the *.txt.gpg list
# with its ".gpg" suffix removed. The *.txt.gpg lists are not defined in the
# visible part of this file (presumably deps.mk provides them).
prod-secrets.txt = $(prod-secrets.txt.gpg:.gpg=)
repo-secrets.txt = $(repo-secrets.txt.gpg:.gpg=)

# Artifacts built by "all". The blank line after the trailing backslash
# ends the list.
derived-assets = \
	system.scm.sentinel \

# Files produced as a side effect of other targets. This list includes the
# decrypted secrets, so they exist in plaintext in the working tree until
# "clean" removes them.
side-assets = \
	$(prod-secrets.txt) \
	$(repo-secrets.txt) \
	system.scm \


## Default target.  Builds all artifacts required for testing
## and installation.
all: $(derived-assets)

# Rebuild every derived asset whenever the Makefile itself changes.
$(derived-assets): Makefile
# Needed by server to reconfigure(8) without running make(1).
config.txt = \
	src/config/tld.txt \
	src/config/offsite-ssh.txt \
	src/config/root-pubkey.txt \

# Regenerate the configuration files whenever the Makefile changes, since
# two of them are derived from variables set in it.
$(config.txt): Makefile

# "ifnew" is an external helper that is not defined in this file; presumably
# it rewrites the target only when the content differs -- TODO confirm.
src/config/tld.txt:
	echo '$(TLD)' | ifnew $@

src/config/offsite-ssh.txt:
	echo '$(OFFSITE_SSH)' | ifnew $@

# Keep the 8th and following space-separated fields of the root public-key
# file. What the first seven fields hold is not visible from here.
# NOTE(review): the shell creates $@ before cut runs, so a failing cut leaves
# an empty target that make will treat as up to date.
src/config/root-pubkey.txt: src/keys/SSH/root@$(TLD).id_rsa.pub.txt
	cut -d' ' -f8- < src/keys/SSH/root@$(TLD).id_rsa.pub.txt > $@

# Build the Guix system definition. The old system.scm* files (the sentinel
# included) are removed first, "-r system.scm" registers the build result
# under that name, "-K" keeps the build tree of a failed build, and the
# sentinel is touched only after a successful build.
system.scm.sentinel: src/guix/system.scm $(config.txt)
	rm -f system.scm*
	guix build -v3 -r system.scm -Kf src/guix/system.scm
	touch $@
# No unit tests are wired in here: the target has neither prerequisites nor
# a recipe.
check-unit:


# List of integration test scripts; currently empty. The blank line after
# the trailing backslash ends the list.
integration-tests = \

# Each listed script is run with sh(1). The ALWAYS prerequisite forces the
# recipe to run on every invocation.
$(integration-tests): ALWAYS
	sh $@

check-integration: $(integration-tests)


## Run all tests.  Each test suite is isolated, so that a parallel
## build can run tests at the same time.  The required artifacts
## are created if missing.
check: check-unit check-integration
# Besides the build products, this removes $(side-assets), which contains
# the decrypted secret files.
## Remove *all* derived artifacts produced during the build.
## A dedicated test asserts that this is always true.
clean:
	rm -rf $(derived-assets) $(side-assets)
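# Register ".gpg" as a known suffix so that the single-suffix inference rule
# below is recognised.
.SUFFIXES: .gpg

# Decrypt "<name>.gpg" into "<name>".
# - umask 077 creates the plaintext readable by the invoking user only,
#   instead of inheriting a possibly world-readable default.
# - The shell creates $@ before gpg runs, so a failed decryption would leave
#   an empty file that make considers up to date. Remove it and fail instead.
.gpg:
	umask 077 && gpg -qd < $< > $@ || { rm -f $@; exit 1; }

# Encrypt a plaintext secret, ASCII-armoured, to the recipient below. The
# rule has no prerequisites, so it runs only when the .gpg file is missing.
# $* is expected to expand to the target name without its ".gpg" suffix.
# The $(all-secrets.txt.gpg) list is not defined in the visible part of this
# file.
# NOTE(review): if gpg fails after the redirection has been opened, an empty
# .gpg file is left behind and the rule will not run again on its own.
$(all-secrets.txt.gpg):
	gpg -aer eu@euandre.org < $* > $@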
## Prints the latest 500 lines of the application and keeps tailing it.
logs:
	ssh $(TLD) tail -fn500 /var/log/$(APP)/$(APP).log


# The whole quoted command runs on the server and its output is decompressed
# locally by gunzip. The current log is gzip-compressed on the fly, which
# suggests that the rotated "*.log.*" files are already gzip-compressed --
# TODO confirm. "nicely" is a helper on the server that is not defined here.
## Print *all* logs available on the server.
all-logs:
	ssh $(TLD) 'nicely cat /var/log/$(APP)/$(APP).log.* && \
	nicely gzip -c /var/log/$(APP)/$(APP).log' | gunzip
# How the upload works: the decrypted production secrets are prerequisites,
# so they are produced first. The old files on the server are removed as
# user secrets-keeper, then rsync copies the new ones, running the remote
# rsync under "sudo -u secrets-keeper" and clearing every permission bit on
# the transferred files (--chmod=000).
# NOTE(review): ssh joins its arguments into one string for the remote login
# shell, so the "/opt/secrets/*" glob is expanded by the SSH user before
# sudo runs, not by secrets-keeper. Confirm that this user can list
# /opt/secrets; otherwise "rm -f" removes nothing and reports no error.
# NOTE(review): the old secrets are deleted before the new ones are copied,
# so a failed rsync leaves the server without secrets.
# NOTE(review): the plaintext $(prod-secrets.txt) files stay in the working
# tree after the upload, until "make clean" is run.
## Decrypt $(prod-secrets.txt) in `src/secrets/` and put them in their
## correct location in the server.
upload-secrets: $(prod-secrets.txt)
	ssh $(TLD) sudo -u secrets-keeper 'rm -f /opt/secrets/*'
	rsync \
		--rsync-path='sudo -u secrets-keeper rsync' \
		--chmod=000 \
		-avzP \
		$(prod-secrets.txt) $(TLD):/opt/secrets/
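# The key list is assembled locally and checked before anything is sent.
# With the plain "find | sort | xargs cat | ssh ... dd" pipeline only the
# exit status of ssh counts, so a failing cat or an empty key directory
# would still overwrite the remote authorized_keys, possibly with nothing,
# and lock every key out of the off-site account. Here a non-zero exit from
# xargs or an empty result stops the recipe before ssh runs.
# Every *.txt file under src/keys/SSH/ ends up in authorized_keys, so adding
# a file to that directory grants access to $(OFFSITE_SSH).
# The sort runs under a fixed locale so the key order does not depend on the
# environment of whoever runs make.
## Generate the ".ssh/authorized_keys" file and upload
## it to $(OFFSITE_SSH).
upload-keys:
	keys="$$(find src/keys/SSH/*.txt | \
		LANG=POSIX.UTF-8 sort | \
		xargs cat)" && \
	test -n "$$keys" && \
	printf '%s\n' "$$keys" | \
		ssh $(OFFSITE_SSH) dd of=.ssh/authorized_keys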
## Update SHAs under src/versions/*.txt
update:
	sh src/versions/update.sh


# Empty target with no recipe. It is listed as a prerequisite of the
# integration tests so that they run on every invocation.
ALWAYS: