path: root/Makefile
.POSIX:
# Project-wide settings.
#   TLD         - ssh(1) host used by the remote targets below, and part of
#                 the root public-key file name under src/keys/SSH/.
#   OFFSITE_SSH - ssh(1) destination whose .ssh/authorized_keys is
#                 overwritten by `upload-keys`.
#   APP         - names the log directory and log file read by `logs` and
#                 `all-logs`.
# TLD and OFFSITE_SSH are also written to files under src/config/.
# NOTE(review): NAME_UC currently expands to the same text as NAME.
NAME         = toph
NAME_UC      = $(NAME)
TLD          = euandre.org
OFFSITE_SSH  = zh3051@zh3051.rsync.net
APP          = papod



# Empty the suffix list so that no built-in inference rules apply.  The
# only suffix this file uses, `.gpg`, is added back next to its rule.
.SUFFIXES:



# Name `all` before the include so that it stays the default goal no matter
# which targets deps.mk mentions.
# NOTE(review): deps.mk is not shown here; presumably it defines the
# $(prod-secrets.txt.gpg), $(repo-secrets.txt.gpg), $(all-secrets.txt.gpg)
# and $(keys.txt) lists used below -- confirm.
all:
include deps.mk


# Plaintext counterparts of the encrypted secret files: every name in the
# corresponding *.gpg list with its `.gpg` suffix removed.  These are the
# files that the `.gpg` inference rule writes when it decrypts.
prod-secrets.txt = $(prod-secrets.txt.gpg:.gpg=)
repo-secrets.txt = $(repo-secrets.txt.gpg:.gpg=)


# Files that the default target builds.
derived-assets = \
	system.scm.sentinel            \
	authorized-keys.txt            \

# Files that appear as a side effect of other targets.  In this file the
# list is only used by `clean`.  It includes the decrypted (plaintext)
# secrets and the system.scm link created by `guix build -r`.
side-assets = \
	$(prod-secrets.txt)            \
	$(repo-secrets.txt)            \
	system.scm                     \



## Default target.  Builds all artifacts required for testing
## and installation.
all: $(derived-assets)


# Every derived asset is rebuilt when the build description itself
# (this Makefile or deps.mk) changes.
$(derived-assets): Makefile deps.mk


# Needed by server to reconfigure(8) without running make(1).
config.txt = \
	src/config/tld.txt             \
	src/config/offsite-ssh.txt     \
	src/config/root-pubkey.txt     \

# TLD and OFFSITE_SSH are defined in this Makefile, so the files holding
# them are regenerated whenever the Makefile changes.
$(config.txt): Makefile

# Store one setting per file.  The value is piped to `ifnew`, a helper that
# is not defined in this file.
# NOTE(review): presumably ifnew replaces $@ only when the content differs,
# so unchanged values do not trigger rebuilds -- confirm.
# The value is pasted between single quotes, so a value that itself contains
# a single quote would break the command line.
src/config/tld.txt:
	echo '$(TLD)' | ifnew $@

src/config/offsite-ssh.txt:
	echo '$(OFFSITE_SSH)' | ifnew $@

# Keep everything from the 8th space-separated field onwards of the root
# public-key file.
# NOTE(review): this assumes the file starts with a fixed seven-field
# prefix that the server does not need -- confirm against the file format,
# because a different layout would silently produce a truncated or empty key.
src/config/root-pubkey.txt: src/keys/SSH/root@$(TLD).id_rsa.pub.txt
	cut -d' ' -f8- < src/keys/SSH/root@$(TLD).id_rsa.pub.txt > $@

# Build the operating-system definition with guix and record success in a
# sentinel file.
#   -r system.scm  makes system.scm a link to the build result and registers
#                  it as a garbage-collector root
#   -K             keeps the build tree of a failed build for inspection
#   -f FILE        builds what FILE evaluates to
# The first line removes the previous link and, because the glob matches it
# too, the sentinel itself; a failed build is therefore retried on the next
# run instead of looking up to date.
system.scm.sentinel: src/guix/system.scm $(config.txt)
	rm -f system.scm*
	guix build -v3 -r system.scm -Kf src/guix/system.scm
	touch $@

# Concatenate every src/keys/SSH/*.txt file into one file; the names are
# sorted under a fixed locale so the result does not depend on the user's
# locale settings.
# NOTE(review): the recipe reads the glob, not $(keys.txt).  Any *.txt file
# present in src/keys/SSH is therefore included -- and later installed as an
# authorized key by `upload-keys` -- even if it is not a listed
# prerequisite.  Confirm that the two always match, or review the directory
# contents before uploading.
# NOTE(review): the pipeline's exit status is that of `xargs cat`, so a
# failing find leaves an empty target that counts as up to date.
authorized-keys.txt: $(keys.txt)
	find src/keys/SSH/*.txt | LANG=POSIX.UTF-8 sort | xargs cat > $@



# Currently has neither prerequisites nor a recipe.
check-unit:


# List of integration test scripts; empty at the moment.
integration-tests = \

# Each script is run with sh(1).  The ALWAYS prerequisite forces the recipe
# to run on every invocation, even though the script file already exists.
$(integration-tests): ALWAYS
	sh $@

check-integration: $(integration-tests)


## Run all tests.  Each test suite is isolated, so that a parallel
## build can run tests at the same time.  The required artifacts
## are created if missing.
check: check-unit check-integration



## Remove *all* derived artifacts produced during the build.
## A dedicated test asserts that this is always true.
# $(side-assets) contains the decrypted secrets, so this target is also what
# removes plaintext secrets from the working tree.  rm(1) only unlinks the
# files; it does not overwrite their contents.
clean:
	rm -rf $(derived-assets) $(side-assets)



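# Inference rule: decrypt FILE.gpg into FILE.
# The output is a plaintext secret, so it is created under umask 077 (a
# newly created file is readable by its owner only; a file that already
# exists keeps its mode).  If gpg fails, the empty or partial output is
# removed and the recipe fails: left in place it would be newer than the
# .gpg file, count as up to date, and could be pushed to the server by
# `upload-secrets`.
.SUFFIXES: .gpg
.gpg:
	umask 077 && \
		gpg -qd < $< > $@ || \
		{ rm -f $@; exit 1; }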

# Encrypt a plaintext secret into its ASCII-armoured (-a) .gpg file for the
# recipient eu@euandre.org.  The rule has no prerequisites, so it only runs
# when the .gpg file does not exist yet.
# $(all-secrets.txt.gpg) is not defined in this file (presumably deps.mk).
# NOTE(review): POSIX specifies `$*` for inference rules only; here it is
# expected to be the target name without `.gpg` -- confirm on the make
# implementations in use.
# NOTE(review): a recipient given by e-mail address resolves to whichever
# matching key the local keyring holds; naming the key by its full
# fingerprint avoids encrypting to an unintended key with the same user ID.
# NOTE(review): if gpg fails, the redirection has already created $@, and
# that empty file then counts as an existing encrypted secret.
$(all-secrets.txt.gpg):
	gpg -aer eu@euandre.org < $* > $@


## Prints the latest 500 lines of the application and keeps tailing it.
# Runs tail(1) on the server over ssh and streams its output to the local
# terminal until interrupted.
logs:
	ssh $(TLD) tail -fn500 /var/log/$(APP)/$(APP).log

## Print *all* logs available on the server.
# The quoted command runs on the server: the rotated logs ($(APP).log.*) are
# sent as they are, and the current log is gzip-compressed on the fly, so
# that the whole stream can be decompressed locally by gunzip.
# NOTE(review): this assumes every rotated file is already
# gzip-compressed -- confirm.  `nicely` is a server-side helper that is not
# defined in this file.
all-logs:
	ssh $(TLD) 'nicely cat /var/log/$(APP)/$(APP).log.* && \
		nicely gzip -c /var/log/$(APP)/$(APP).log' | gunzip


## Decrypt $(prod-secrets.txt) in `src/secrets/` and put them in their
## correct location in the server.
# Step 1 deletes the secrets currently on the server, step 2 copies the
# freshly decrypted ones.  The remote rsync runs as secrets-keeper through
# sudo (--rsync-path) and the uploaded files get mode 000 (--chmod=000).
# NOTE(review): ssh joins its arguments into one string that the remote
# login shell evaluates, so `/opt/secrets/*` is expanded by the login user
# before sudo runs.  If that user cannot list /opt/secrets, `rm -f` receives
# the literal pattern and silently removes nothing, leaving old secrets in
# place -- confirm the directory permissions.
# NOTE(review): the old secrets are removed before the new ones arrive; a
# failed rsync leaves the server without secrets.
# NOTE(review): the decrypted files stay in the local working tree after the
# upload, until `make clean` is run.
upload-secrets: $(prod-secrets.txt)
	ssh $(TLD) sudo -u secrets-keeper 'rm -f /opt/secrets/*'
	rsync \
		--rsync-path='sudo -u secrets-keeper rsync' \
		--chmod=000                                 \
		-avzP                                       \
		$(prod-secrets.txt) $(TLD):/opt/secrets/


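## Upload the generated "authorized-keys.txt" file to
## ".ssh/authorized_keys" in $(OFFSITE_SSH).
# The remote file is overwritten in place, so uploading an empty file would
# leave the offsite account with no authorized keys.  `test -s` stops the
# recipe when the local file is missing or empty.  The input redirection
# makes the shell fail before ssh starts if the file cannot be opened; with
# `cat FILE | ssh ...` only the exit status of ssh was checked.
upload-keys: authorized-keys.txt
	test -s authorized-keys.txt
	ssh $(OFFSITE_SSH) dd of=.ssh/authorized_keys < authorized-keys.txt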


# Target without prerequisites or recipe.  Listing it as a prerequisite (see
# the integration test rule) forces the dependent recipe to run on every
# invocation.
ALWAYS: