host-git/Makefile
Renovate[BOT] fdb7a4408f
chore(deps): update oci non-major updates (#254)
Reviewed-on: #254
Co-authored-by: Renovate[BOT] <renovate-bot@auengun.net>
Co-committed-by: Renovate[BOT] <renovate-bot@auengun.net>
2025-10-31 00:30:29 +00:00


# Private Forgejo instance for managing/automating Auengun.net
# Source available at git.auengun.net/homelab/host-git
# Copyright (C) 2024 GregoryDosh
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2024 GregoryDosh
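# Avoid noisy "Entering/Leaving directory" messages from the recursive
# $(MAKE) call in the ansible-pipeline target.
MAKEFLAGS += --no-print-directory
####################
# Renovate Managed #
####################
# Keep these three lines in their exact `export NAME=value` form: the
# `renovate:` marker above each one presumably drives Renovate's regex
# manager, and a different assignment operator may stop the pin from being
# picked up. Image digests are pinned so a tag cannot silently move.
# renovate: datasource=docker depName=codeberg.org/forgejo/forgejo versioning=loose
export FORGEJO_VERSION=13.0.2-rootless
# renovate: datasource=docker depName=docker.io/library/postgres versioning=docker
export POSTGRES_VERSION=16@sha256:4eb532412200f7fbbf15d62ee0d96e020a9eae9eaed76066692474a7371c4d83
# renovate: datasource=docker depName=redis versioning=docker
export REDIS_VERSION=8.2.2@sha256:4521b581dbddea6e7d81f8fe95ede93f5648aaa66a9dacd581611bf6fe7527bd
# My homelab pulls secrets from an internal secrets provider
# called Infisical. A while ago I was using it as an ansible
# library which used a python client. It was fragile and their
# update cadence was out of step, which led to breaking changes.
#
# In corporate environments I've seen a number of different
# deployed solutions that aim to "solve" the problem of developer
# consumption of secrets and configuration. Custom built or vendor.
# They all sort of run into a problem when you need to change
# them for some reason or another.
#
# I recommend using whatever provider your environment supports
# and then ingesting secrets/configuration through environment
# variables or files where appropriate. Decouple the app secrets
# and config from the provider and the consumer through the
# common "API" of the file system and shell environment.
export INFISICAL_API_URL := https://infisical.auengun.net/api
# The Infisical secret path is derived from the checkout directory name,
# split on the first '-': e.g. a checkout named `host-git` maps to `/host/git`.
# Simple (`:=`) assignment so the two shell calls run once at parse time
# rather than on every expansion of the exported variable.
export INFISICAL_PATH := /$(shell basename `pwd` | cut -f1 -d"-")/$(shell basename `pwd` | cut -f2- -d"-")
# Universal-auth login, performed once per make invocation. With the earlier
# recursive (`=`) assignment the exported value was re-expanded -- and the
# login re-run -- for every recipe shell make spawned. Note that as a
# parse-time `$(shell ...)` this now also runs for `make -n` and for targets
# that never use the token (e.g. license-check).
# INFISICAL_CLIENT_ID and INFISICAL_CLIENT_SECRET are expected in the caller's
# environment; they are not set anywhere in this Makefile.
# NOTE(review): passing --client-secret on the command line exposes the secret
# to process listings on a shared host for the duration of the login; if the
# CLI can read these credentials from the environment, prefer that form.
# The resulting token is exported into *every* recipe shell below (grype,
# docker, reuse, ansible-galaxy included), not only the infisical calls.
export INFISICAL_TOKEN := $(shell infisical --telemetry=false --domain=${INFISICAL_API_URL} login --method=universal-auth --client-id=${INFISICAL_CLIENT_ID} --client-secret=${INFISICAL_CLIENT_SECRET} --silent --plain)
# The ansible playbooks seem to have an issue on Darwin (Apple) systems
# and this is the common fix I'd seen to get past misc errors that were showing.
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES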
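# Validate that all files in this repo carry a valid license/copyright header.
# This is what consumes all of those extra `.license` files sitting around.
.PHONY: license-check
license-check: ## Run the REUSE license/copyright header lint
# The banner is quoted: in a recipe `#` is handed to the shell, which treats
# it as a comment, so the unquoted `echo # ...` printed only an empty line.
	@echo "# REUSE License Checking..."
	@reuse lint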
# A lil sanity check of what's saved/stored, i.e. exactly what an app would see.
# This prints every injected variable -- secret values included -- in clear
# text, so it is meant for a local terminal, not for CI logs.
# INFISICAL_PROJECT_ID is not set in this Makefile and must come from the
# caller's environment.
.PHONY: print-env
print-env: ## Dump the Infisical-injected environment for this host
# Intentionally echoing the PATH back to the terminal so it can be copied &
# pasted if needed. It's a debug/dev convenience feature mostly.
	@echo export INFISICAL_PATH=$${INFISICAL_PATH}
	@infisical --telemetry=false run --projectId $${INFISICAL_PROJECT_ID} --path=$${INFISICAL_PATH} --command="env -0 | sort -z | tr '\0' '\n'"
# A way of setting up the local (or CI) environment with the dependencies the
# playbooks need. Currently that is only the Ansible collections.
.PHONY: install-deps
install-deps: ## Install Ansible collections from requirements.yml
	@echo "Installing Dependencies"
########################
# Ansible Dependencies #
########################
# Ansible is what currently runs the commands necessary to mutate a running
# physical/virtual machine into a "reliably" consistent state. Or at least something
# we can more reasonably reason about. Mileage may vary on whether it's good. TODO: Nix/GUIX!
#
# Ansible doesn't do much for deps, but there is an `ansible-galaxy` bin which is
# needed to install ansible roles/collections from the `requirements.yml` file.
# The bin is installed in the Forgejo runner image and installed manually in local environments.
#
# I've iterated on roles & collections and right now I'm pulling everything I need from
# some instances of this workflow that do or don't have them. I've just kept
# the workflow generic enough to use "as-is" if I'm not using distinct roles/collections here.
#
# `--force` reinstalls on every run, so this phony target always does network
# work; it is not echoed-silenced so the exact command shows up in CI output.
	ansible-galaxy collection install -r requirements.yml --force
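# Scan the three pinned container images for known vulnerabilities with Grype.
# Only `critical` severity fails the run (`--fail-on critical`); lower
# severities are still listed in the table output but do not block.
# Images are scanned as linux/amd64 to match what the hosts actually pull.
# The earlier version checked `$?` after each scan and assigned a distinct
# exit code per image, but postgres and redis both used `2`, so the status
# could not tell them apart. The loop below records every failing image,
# reports them together on stderr, and exits non-zero if any failed.
.PHONY: grype
grype: ## Scan the pinned images for CVEs with Grype (fails on critical)
	@echo Checking for CVEs with Grype...
	@bash -c '\
	FAILED="";\
	for IMAGE in \
		"codeberg.org/forgejo/forgejo:$$FORGEJO_VERSION" \
		"docker.io/library/postgres:$$POSTGRES_VERSION" \
		"redis:$$REDIS_VERSION"; do \
		echo "...$$IMAGE";\
		grype --fail-on critical --platform linux/amd64 "$$IMAGE" -o table || FAILED="$$FAILED $$IMAGE";\
		echo "";\
	done;\
	if [ -n "$$FAILED" ]; then echo "Grype failed for:$$FAILED" >&2; exit 1; fi;\
	'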
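# This contains the order of all the various subtasks to execute to piece together a cohesive
# flow in both local environments and CI like Forgejo. Leveraging a lot of the existing tooling
# to make this "easier" makes bootstrapping harder, but maintaining
# in the long run easier. Iterate and add things as ya go.
#
# The subtasks are passed as goals to one sub-make rather than declared as
# prerequisites so they keep running in this order. `$(MAKE)` (not a literal
# `make`) is used so command-line flags, `-n` dry runs and the jobserver are
# propagated to the child.
.PHONY: ansible-pipeline
ansible-pipeline: ## Run the full deploy: deps, caddy, homelab-common, forgejo
	$(MAKE) install-deps caddy homelab-common forgejo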
# This is a way to validate locally, in CI, or really wherever that the versions in the Makefile above
# are still valid and can be pulled correctly. Good sanity check before doing a full deploy when hosts
# will need the images in case of update/restart.
# The image references must match the ones scanned by the `grype` target.
.PHONY: pull-image
pull-image: ## Pull the pinned images to verify the versions above still resolve
	@docker pull --platform linux/amd64 codeberg.org/forgejo/forgejo:$${FORGEJO_VERSION}
	@docker pull --platform linux/amd64 docker.io/library/postgres:$${POSTGRES_VERSION}
	@docker pull --platform linux/amd64 redis:$${REDIS_VERSION}
# Auengun.net infrastructure uses Caddy for most of the reverse proxying duties required. This role
# will install the Caddy binary that is built by *this* instance. So bootstrap issues aside, this
# role in other parts of Auengun.net allows for a common known version w/ custom plugins like rate limiting
# and a web access firewall and other non-standard Caddy features.
# The playbook tag equals the target name, so `$@` is used for `--tags`.
# INFISICAL_PROJECT_ID is expected in the caller's environment.
.PHONY: caddy
caddy: ## Run the ansible-pipeline playbook with the caddy tag
	@echo export INFISICAL_PATH=$${INFISICAL_PATH}
	@infisical --telemetry=false run --projectId $${INFISICAL_PROJECT_ID} --path=$${INFISICAL_PATH} --command="ansible-playbook -i hosts ansible-pipeline.yml --tags=$@"
# This takes care of the most standard Auengun.net infrastructure related tasks, such as setting up the PKI,
# logging & telemetry, and other miscellaneous host related setup tasks.
# The playbook tag equals the target name, so `$@` is used for `--tags`.
# INFISICAL_PROJECT_ID is expected in the caller's environment.
.PHONY: homelab-common
homelab-common: ## Run the ansible-pipeline playbook with the homelab-common tag
	@echo export INFISICAL_PATH=$${INFISICAL_PATH}
	@infisical --telemetry=false run --projectId $${INFISICAL_PROJECT_ID} --path=$${INFISICAL_PATH} --command="ansible-playbook -i hosts ansible-pipeline.yml --tags=$@"
# This is the host specific set of tasks that'll take care of installing Forgejo and any supplemental shims,
# like the `forgejo.ini` and `docker-compose.yml` files as well as the ssh shim.
# The playbook tag equals the target name, so `$@` is used for `--tags`.
# INFISICAL_PROJECT_ID is expected in the caller's environment.
.PHONY: forgejo
forgejo: ## Run the ansible-pipeline playbook with the forgejo tag
	@echo export INFISICAL_PATH=$${INFISICAL_PATH}
	@infisical --telemetry=false run --projectId $${INFISICAL_PROJECT_ID} --path=$${INFISICAL_PATH} --command="ansible-playbook -i hosts ansible-pipeline.yml --tags=$@"