.POSIX:



all: result


result: ALWAYS
	rm -f result-next
	guix system -v3 -r result-next build src/infrastructure/guix/system.scm
	rm -f result
	mv result-next result


check:

clean:
	rm -rf \
		src/secrets/*.txt src/infrastructure/keys/SSH/*.stripped       \
		result result-next                                             \


public:


prod-secrets.txt.gpg = \
	src/secrets/borg-passphrase.txt.gpg \
	src/secrets/root@euandre.org.id_rsa.txt.gpg
prod-secrets.txt = $(prod-secrets.txt.gpg:.gpg=)

repo-secrets = \
	$(prod-secrets.txt.gpg)                    \




.SUFFIXES: .gpg

.gpg:
	gpg -d < $< > $@

$(repo-secrets):
	gpg -aer eu@euandre.org < $(@D)/`basename $@ .gpg` > $@


public-ssh = src/infrastructure/keys/SSH/root@euandre.org.id_rsa.pub
$(public-ssh).stripped: $(public-ssh).txt
	cut -d' ' -f6- < $(public-ssh).txt > $@


upload-secrets: $(prod-secrets.txt) $(public-ssh).stripped
	ssh euandre.org sudo -u secrets-keeper 'rm -f /opt/secrets/*'
	rsync \
		--rsync-path='sudo -u secrets-keeper rsync' \
		--chmod=000                                 \
		-avzP                                       \
		$(prod-secrets.txt) $(public-ssh).stripped euandre.org:/opt/secrets/


## Generate the ".ssh/authorized_keys" file and upload
## it to rsync.net.
upload-keys:
	cat src/infrastructure/keys/SSH/*.txt | ssh suyin dd of=.ssh/authorized_keys


ALWAYS: