.POSIX:
# Deployment identity.  These values are interpolated into the recipes
# below (ssh/rsync destinations, remote log paths), so overriding them on
# the make command line changes where keys and secrets are sent.
# NAME and NAME_UC are not referenced in this part of the file.
NAME         = toph
NAME_UC      = $(NAME)
# TLD is used both as the ssh host and in the root public-key file name.
TLD          = euandre.org
# Account whose .ssh/authorized_keys is overwritten by upload-keys.
OFFSITE_SSH  = zh3051@zh3051.rsync.net
# APP names the remote log directory and log file read by logs/all-logs.
APP          = papod



# Drop every built-in suffix rule; the only inference rule this file
# uses (.gpg) is registered explicitly further down.
.SUFFIXES:



# `all` is declared before the include, presumably so that it remains the
# default goal even if deps.mk defines targets of its own.
all:
# NOTE(review): deps.mk is not shown here; it presumably defines the
# lists used below (prod-secrets.txt.gpg, repo-secrets.txt.gpg,
# all-secrets.txt.gpg, keys.txt) - confirm.
include deps.mk


# Plaintext counterparts of the encrypted secret lists: the substitution
# reference strips the trailing ".gpg" from each word.
# NOTE(review): prod-secrets.txt.gpg and repo-secrets.txt.gpg are not
# defined in this part of the file - presumably deps.mk; confirm.
prod-secrets.txt = $(prod-secrets.txt.gpg:.gpg=)
repo-secrets.txt = $(repo-secrets.txt.gpg:.gpg=)


# Files that `all` builds.
derived-assets = \
	system.scm.sentinel            \
	authorized-keys.txt            \

# Extra files that `clean` removes alongside the derived assets.
# This list includes the decrypted secrets, which sit in the working tree
# as plaintext from the moment they are built until `make clean`.
side-assets = \
	$(prod-secrets.txt)            \
	$(repo-secrets.txt)            \
	system.scm                     \



## Default target.  Builds all artifacts required for testing
## and installation.
all: $(derived-assets)


# Rebuild every derived asset when the build description itself changes.
$(derived-assets): Makefile deps.mk


# Needed by server to reconfigure(8) without running make(1).
# Each file is written by one of the rules that follow.
config.txt = \
	src/config/tld.txt             \
	src/config/offsite-ssh.txt     \
	src/config/root-pubkey.txt     \

# Regenerate the config files whenever the Makefile changes, since TLD
# and OFFSITE_SSH are defined there.
$(config.txt): Makefile

# Publish TLD as a one-line file.
# make expands $(TLD) inside the single quotes before the shell sees the
# line, so a value containing a single quote would end the quoting.
# NOTE(review): ifnew is an external helper not shown here; presumably it
# rewrites the target only when the content differs - confirm.
src/config/tld.txt:
	echo '$(TLD)' | ifnew $@

# Publish the offsite ssh account as a one-line file, same mechanism.
src/config/offsite-ssh.txt:
	echo '$(OFFSITE_SSH)' | ifnew $@

# Extract the root public key for the server: keep the 8th and later
# space-separated fields of each line of the stored key file.
# NOTE(review): this assumes seven space-separated fields (for example
# key options) precede the key itself in that file; verify against the
# file's actual layout, since a wrong offset yields an unusable key.
src/config/root-pubkey.txt: src/keys/SSH/root@$(TLD).id_rsa.pub.txt
	cut -d' ' -f8- < src/keys/SSH/root@$(TLD).id_rsa.pub.txt > $@

# Build the Guix system described by src/guix/system.scm.  The sentinel
# file marks a successful build; `guix build -r system.scm` makes
# system.scm a symlink to the result and registers it as a GC root.
# `rm -f system.scm*` clears the previous symlink and sentinel first; the
# glob also removes any other file in this directory whose name starts
# with "system.scm".
# `-K` keeps the build tree of a failed build for inspection.
system.scm.sentinel: src/guix/system.scm $(config.txt)
	rm -f system.scm*
	guix build -v3 -r system.scm -Kf src/guix/system.scm
	touch $@

# Concatenate every src/keys/SSH/*.txt file, sorted by name, into the
# authorized_keys payload that upload-keys installs.  LANG only affects
# the sort order when LC_ALL and LC_COLLATE are unset.
# NOTE(review): the recipe globs the directory while the prerequisite is
# $(keys.txt) (not defined here, presumably deps.mk).  Any *.txt file
# present in src/keys/SSH becomes an authorized key whether or not it is
# listed there, so changes to that directory deserve the same review as
# a credential change.
# The pipeline's exit status is that of `xargs cat`; if the glob matches
# nothing, the target can be left empty and still count as built.
authorized-keys.txt: $(keys.txt)
	find src/keys/SSH/*.txt | LANG=POSIX.UTF-8 sort | xargs cat > $@



# No unit tests are defined; the target has neither prerequisites nor a
# recipe.
check-unit:


# List of integration test scripts (currently empty).
integration-tests = \

# Each integration test is a shell script; the ALWAYS prerequisite forces
# it to run on every invocation.
$(integration-tests): ALWAYS
	sh $@

check-integration: $(integration-tests)


## Run all tests.  Each test suite is isolated, so that a parallel
## build can run tests at the same time.  The required artifacts
## are created if missing.
# With no unit tests and an empty integration-tests list, `check`
# currently succeeds without running anything.
check: check-unit check-integration



## Remove *all* derived artifacts produced during the build.
## A dedicated test asserts that this is always true.
# side-assets includes the decrypted secret files, so this is also the
# step that removes plaintext secrets from the working tree.  rm only
# unlinks them; it does not overwrite their contents on disk.
clean:
	rm -rf $(derived-assets) $(side-assets)



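# Inference rule: build FILE from FILE.gpg by decrypting it.
# The plaintext is created with owner-only permissions: the old target is
# removed first so a looser mode cannot be inherited, and umask 077
# applies to the new file.  A failed decryption removes the partial
# target, so make does not later treat an empty or truncated secret as
# up to date and hand it to upload-secrets.
.SUFFIXES: .gpg
.gpg:
	rm -f $@
	umask 077 && gpg -qd < $< > $@ || { rm -f $@; exit 1; }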

# Encrypt a plaintext secret into its ASCII-armored .gpg form.  The rule
# has no prerequisites, so it only runs when the .gpg file is missing.
# all-secrets.txt.gpg is not defined in this part of the file.
# NOTE(review): the recipient is selected by e-mail address, so gpg uses
# whichever key in the local keyring carries that user ID.  Naming the
# full key fingerprint (<RECIPIENT_FINGERPRINT>) instead would make the
# choice of key explicit.
# NOTE(review): POSIX does not specify $* for target rules; this relies
# on the make in use stripping the .gpg suffix - confirm.
$(all-secrets.txt.gpg):
	gpg -aer eu@euandre.org < $* > $@


## Show the last 500 lines of the application log, then keep following it.
logs:
	ssh $(TLD) 'tail -n 500 -f /var/log/$(APP)/$(APP).log'

## Print every log available on the server, rotated files included.
# The rotated files are sent as stored and the current log is gzipped on
# the server; the combined stream is decompressed locally.
all-logs:
	ssh $(TLD) 'nicely cat /var/log/$(APP)/$(APP).log.* && nicely gzip -c /var/log/$(APP)/$(APP).log' | gunzip


## Decrypt $(prod-secrets.txt) in `src/secrets/` and put them in their
## correct location in the server.
# Steps: empty /opt/secrets as secrets-keeper, then rsync the decrypted
# files there with every permission bit cleared (--chmod=000).
# NOTE(review): ssh joins its arguments into one remote command line, so
# the local quotes do not reach the server: the remote login shell
# expands /opt/secrets/* before sudo runs.  If the login user cannot list
# that directory, the pattern stays literal and `rm -f` silently removes
# nothing, leaving stale secrets in place - verify on the server.
# NOTE(review): the old secrets are deleted before the new ones arrive,
# so a failed transfer leaves the server without secrets.  -P implies
# --partial, which keeps a partially transferred file at the destination.
# The decrypted files stay in the local working tree afterwards, until
# `make clean`.
upload-secrets: $(prod-secrets.txt)
	ssh $(TLD) sudo -u secrets-keeper 'rm -f /opt/secrets/*'
	rsync \
		--rsync-path='sudo -u secrets-keeper rsync' \
		--chmod=000                                 \
		-avzP                                       \
		$(prod-secrets.txt) $(TLD):/opt/secrets/


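## Upload the generated "authorized-keys.txt" file to
## ".ssh/authorized_keys" in $(OFFSITE_SSH).
# The remote file is overwritten, so an empty local file would drop every
# authorized key on the offsite account; `test -s` refuses to upload one.
# NOTE(review): dd writes the remote file in place, so a connection lost
# mid-transfer can leave it truncated - confirm the key list afterwards.
upload-keys: authorized-keys.txt
	test -s authorized-keys.txt
	ssh $(OFFSITE_SSH) dd of=.ssh/authorized_keys < authorized-keys.txt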


# Force target: it has no prerequisites and no recipe, and the
# integration-test rule lists it as a prerequisite so that those scripts
# run on every invocation.
ALWAYS: