.POSIX:
## Short name of the service. It names the log file on the server,
## the doc directory and the @NAME@ placeholder in *.in templates.
NAME = server
## Upper-case variant of $(NAME). In this file it is identical to
## $(NAME); presumably overridden elsewhere (deps.mk?) — confirm.
NAME_UC = $(NAME)
## Installation prefix. Defaults to "/usr".
PREFIX = /usr
SHAREDIR = $(PREFIX)/share
## Destination of the `install` target (contents of src/web/).
DOCDIR = $(SHAREDIR)/doc/$(NAME)
## Where to store the installation. Empty by default.
DESTDIR =
## SSH account on the off-site host that receives the generated
## authorized_keys file; also substituted for @OFFSITE_SSH@ in
## templates. The value here looks like a redacted placeholder.
OFFSITE_SSH = 00000@aa0000.rsync.net
## Host the `logs`, `all-logs` and `upload-secrets` targets ssh into.
## $(URL) is not defined in this file — it must come from deps.mk or
## the environment; confirm before relying on it.
TLD = $(URL)
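## Only the suffixes listed here take part in inference; the list is
## cleared first so no inherited defaults apply.
.SUFFIXES:
.SUFFIXES: .in .gpg
## Render FOO.in -> FOO by substituting the @...@ placeholders below.
## The result is written to a temporary file and renamed last, so an
## interrupted or failed sed never leaves a truncated FOO that looks
## up to date (POSIX make has no .DELETE_ON_ERROR).
## NOTE: ':' is the sed delimiter and '&' / '\' are special in the
## replacement, so none of the substituted values may contain them —
## e.g. a $(URL) of the form "https://..." would break the expression.
.in:
	sed \
		-e 's:@OFFSITE_SSH@:$(OFFSITE_SSH):g' \
		-e 's:@VERSION@:$(VERSION):g' \
		-e 's:@DATE@:$(DATE):g' \
		-e 's:@NAME@:$(NAME):g' \
		-e 's:@LIST@:$(LIST):g' \
		-e 's:@URL@:$(URL):g' \
		-e 's:@TLD@:$(TLD):g' \
		< $< > $@.tmp
	if [ -x $< ]; then chmod +x $@.tmp; fi
	mv -f $@.tmp $@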
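## Declared before the include so that `all` stays the default target
## no matter which rule deps.mk lists first; its real prerequisites
## are given further down.
all:
## Generated dependency data. The *-secrets.txt.gpg file lists used
## below are expected to come from here — confirm.
include deps.mk
## Plain-text counterparts of the encrypted secrets, named by
## dropping the .gpg suffix.
prod-secrets.txt = $(prod-secrets.txt.gpg:.gpg=)
repo-secrets.txt = $(repo-secrets.txt.gpg:.gpg=)
## Files built by `all` and removed by `clean`. Empty in this
## revision. Written without a trailing backslash: a dangling
## continuation followed by a removed blank line would fold the next
## assignment into this value and corrupt both lists.
derived-assets =
## Files `clean` removes but `all` does not build: the decrypted
## secrets and the guix build roots.
side-assets = \
	$(prod-secrets.txt) \
	$(repo-secrets.txt) \
	packages \
	system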
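## Default target. Builds all artifacts required for testing
## and installation.
all: $(derived-assets)
## Rendered files embed values from this Makefile (conf.env is
## presumably produced from conf.env.in by the .in rule), so a change
## to the Makefile must trigger a re-render.
$(derived-assets) src/config/conf.env: Makefile
## Record the target host. printf instead of echo: under .POSIX the
## behaviour of echo for a value with backslashes or a leading "-n"
## is implementation-defined, printf '%s' is not.
src/config/tld.txt: Makefile
	printf '%s\n' '$(TLD)' > $@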
## Build the guix package set and the system definition from the
## matching src/guix/<target>.scm. `-r $@` leaves a GC-root symlink
## named after the target; it is removed first, presumably so a stale
## root never survives a failed build. `-K` keeps the failed build
## tree for inspection. Note each target depends on *both* .scm files
## (system.scm presumably includes packages.scm — confirm).
packages system: src/guix/packages.scm src/guix/system.scm
	rm -f $@ && guix build -r $@ -v3 -Kf src/guix/$@.scm
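## Kept so .stripped stays a known suffix; no inference rule uses it.
.SUFFIXES: .stripped
## The server's root SSH public key file, shared by target and
## prerequisite below. The path is spelled out through this macro
## instead of `$*`: in an explicit (non-inference) rule `$*` depends
## on the suffix list, is not portable, and GNU make advises against it.
root_pubkey = src/keys/SSH/root@$(TLD).id_rsa.pub
## Drop the leading fields of the key line. `-f8-` assumes the .txt
## carries seven fields before the key material — confirm against
## the file format.
$(root_pubkey).stripped: $(root_pubkey).txt
	cut -d' ' -f8- < $(root_pubkey).txt > $@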
## Run all tests. Each test suite is isolated, so that a parallel
## build can run tests at the same time; each suite is expected to
## list the artifacts it needs as its own prerequisites.
check: check-unit check-integration
## Both suites are placeholders in this revision: no prerequisites,
## no commands.
check-unit:
check-integration:
## Remove the side products (decrypted secrets, guix roots) and
## everything `all` builds. `-f` keeps this quiet when a list is
## empty or a file is already gone. For `packages`/`system` only the
## root symlink is deleted; the store items are left to guix gc.
clean:
	rm -rf $(side-assets) $(derived-assets)
## Copy the files under src/web/ into $(DESTDIR)$(DOCDIR), creating
## the directory first. The `*` glob skips dot-files in src/web/.
install: all
	mkdir -p '$(DESTDIR)$(DOCDIR)' && cp -R src/web/* '$(DESTDIR)$(DOCDIR)'
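## Encrypt a plain-text secrets file into its .gpg counterpart for the
## recipients printed by src/keys/gpg-recipients.sh (its output is
## left unquoted, presumably so it expands to several arguments).
## There is deliberately no prerequisite on the plain text: the .txt
## files are derived from the .gpg files (they are in side-assets;
## the decrypt rule is not in this file), so re-encryption is a manual
## step run by naming the .gpg target explicitly.
## The plain-text name is obtained by a suffix substitution on $@
## rather than `$*`, which in an explicit rule depends on the suffix
## list and is not portable. Output goes through a temporary file so a
## failed gpg run cannot leave a truncated .gpg that looks up to date.
$(all-secrets.txt.gpg):
	gpg -ae `src/keys/gpg-recipients.sh` < $(@:.gpg=) > $@.tmp
	mv -f $@.tmp $@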
## Show the latest 500 lines of the application log on the server and
## keep following it (interrupt to stop).
logs:
	ssh $(TLD) tail -f -n 500 /var/log/$(NAME).log
## Dump every log file on the server: the rotated *.log.* files
## (assumed gzip-compressed — they are piped straight into the
## decompressor) followed by the live log, compressed on the fly so the
## whole stream is one sequence of gzip members. `nicely` is a
## server-side wrapper not defined here — presumably lowers priority.
## If no rotated file exists the remote glob stays literal, `cat`
## fails and the `&&` likely skips the live log too.
all-logs:
	ssh $(TLD) 'nicely cat /var/log/$(NAME).log.* && \
		nicely gzip -c /var/log/$(NAME).log' | gzip -dc
## Decrypt $(prod-secrets.txt) in `src/secrets/` and put them in their
## correct location in the server.
## Order matters: the old files are removed first, then the new set is
## uploaded, so there is a window with no secrets on the server, and a
## failed rsync leaves /opt/secrets/ empty until the target is re-run.
## The glob in the rm is expanded by the remote login shell, not by
## secrets-keeper — confirm that user can list /opt/secrets/; otherwise
## the literal pattern is passed and nothing is removed (-f hides it).
## rsync runs as secrets-keeper on the far side (--rsync-path) and
## installs every file with mode 000 (--chmod), presumably so only a
## privileged reader can open them.
upload-secrets: $(prod-secrets.txt)
	ssh $(TLD) sudo -u secrets-keeper 'rm -f /opt/secrets/*'
	rsync \
		--rsync-path='sudo -u secrets-keeper rsync' \
		--chmod=000 \
		-avzP \
		$(prod-secrets.txt) $(TLD):/opt/secrets/
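## Generate the ".ssh/authorized_keys" file and upload
## it to $(OFFSITE_SSH).
## The file is assembled locally and checked to be non-empty before
## anything is sent: in a single pipeline a glob that matches nothing
## or a missing key file only fails `find`/`cat`, the recipe's status
## is that of `dd`, and an empty or truncated authorized_keys would be
## installed — locking every key out. xargs exits non-zero when any
## cat fails, and `test -s` rejects an empty result.
## LC_ALL=C fixes the sort order as byte order; a LANG setting is
## overridden by any LC_ALL/LC_COLLATE in the caller's environment.
## The temporary file holds only public keys and is kept on failure.
upload-keys:
	find src/keys/SSH/*.txt | LC_ALL=C sort | xargs cat > $@.tmp
	test -s $@.tmp
	ssh $(OFFSITE_SSH) dd of=.ssh/authorized_keys < $@.tmp
	rm -f $@.tmp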
## Pseudo-target that never exists on disk: listing it as a
## prerequisite forces a rule to run every time. No rule in this file
## uses it (deps.mk may).
ALWAYS: