nixos-config/Makefile

export MAKEFLAGS :=

all:
	@echo 'no default action, available actions:'
	@for n in check-git-history build build-tag build-all deploy-full \
		deploy-full-tag upload-secrets upload-secrets-tag upload-secrets-all \
		setup-git-hooks; do echo "  - $$n"; done
	@echo
	@exit 1

check-git-history:
	f() { \
		local result=0; \
		local ret; \
		for h in $$(git log --format=%h | tac); do \
			git verify-commit --raw $$h 2>&1 | grep -qP '^\[GNUPG:\] VALIDSIG (\S+ )+9C561D6430B28D6BDCBC9CEB73D5E7FDEE3DE49A$$'; \
			ret=$$?; \
			if [ $$ret -ne 0 ]; then \
				echo "[!] found unsigned commit: $$h"; \
				result=1; \
			fi; \
		done; \
		exit $$result; \
	}; f

build:
	@if [ -z "$(M)" ]; then echo 'no machine specified using M=' 2>&1; exit 1; fi
	morph build --on '$(M)' ./default.nix

build-tag:
	@if [ -z "$(T)" ]; then echo 'no tag specified using T=' 2>&1; exit 1; fi
	morph build --tagged '$(T)' ./default.nix

build-all:
	morph build ./default.nix

deploy-full:
	@if [ -z "$(M)" ]; then echo 'no machine specified using M=' 2>&1; exit 1; fi
	morph deploy --passwd --upload-secrets --on '$(M)' ./default.nix switch

deploy-full-tag:
	@if [ -z "$(M)" ]; then echo 'no tag specified using T=' 2>&1; exit 1; fi
	morph deploy --passwd --upload-secrets --tagged '$(T)' ./default.nix switch

upload-secrets:
	@if [ -z "$(M)" ]; then echo 'no machine specified using M=' 2>&1; exit 1; fi
	morph upload-secrets --passwd --on '$(M)' ./default.nix

upload-secrets-tag:
	@if [ -z "$(M)" ]; then echo 'no tag specified using T=' 2>&1; exit 1; fi
	morph upload-secrets --passwd --tagged '$(T)' ./default.nix

upload-secrets-all:
	morph upload-secrets --passwd ./default.nix

setup-git-hooks:
	echo -e '#!/usr/bin/env sh\nmake check-git-history && exec nix flake check' >.git/hooks/pre-commit
	chmod +x .git/hooks/pre-commit

empty-out-secrets:
	for f in $$(find secrets -type f -name '*.nix'); do echo '{ }' > $$f; done