diff options
Diffstat (limited to 'Makefile')
-rw-r--r-- | Makefile | 126 |
1 files changed, 77 insertions, 49 deletions
@@ -1,49 +1,77 @@ -SHELL=/bin/bash -# The git user home, from where repos are served -PREFIX=/srv/git -# The git user -USER=git -# The git-shell path -GIT_SHELL=/usr/bin/git-shell -# The hacking.git clone -HACKERS=$(shell pwd) - -# Add all of your pubkeys -# TODO this can fail if you don't have any keys (why don't you) -bootstrap: - cat $(HOME)/.ssh/id_{rsa,ecdsa,dsa}.pub >>authorized_keys 2>/dev/null || true - git commit authorized_keys -m "Bootstraping hacking.git" ; \ - -# Create the user -user: - useradd --home $(PREFIX) \ - --shell $(GIT_SHELL) \ - --create-home \ - --system \ - --user-group \ - $(USER) - -# Check if we have at least a key -check: - if [ $(shell wc -l authorized_keys | cut -d' ' -f1) -eq 0 ]; then \ - echo 'Add at least your key to authorized_keys!'; \ - exit 1 ;\ - fi - -# Add the hackers repo to the local clone -install-local: - git remote add git git:hackers.git - cat ssh_config >>$(HOME)/.ssh/config - -# Create the hackers.git bare repo and clone as .ssh -# Then create needed symlinks and add hooks to hackers.git -install: check - cd $(PREFIX); \ - git clone --bare $(HACKERS) hackers.git && \ - git clone hackers.git .ssh && \ - chmod 700 $(PREFIX) && \ - chmod 700 .ssh && \ - chmod 600 .ssh/authorized_keys && \ - ln -s $(PREFIX)/.ssh/git-hooks/hackers-update hackers.git/hooks/post-receive && \ - ln -s $(PREFIX)/.ssh/git-shell-commands && \ - chown -R $(USER):$(USER) $(PREFIX) +export LANG=C +export SHELL=/bin/bash + +KEYSERVER = hkp://pool.sks-keyservers.net +GPG = gpg --quiet --batch --no-tty --no-permission-warning --keyserver ${KEYSERVER} --homedir output/cache/pacman-keyring/gpghome +MKDIRS = mkdir -p +FAIL = exit 1 + +keyring_name = parabola + +all: PHONY pacman-keyring + +clean: PHONY + rm -rf output/cache + +#### + +pacman-keyring: PHONY \ + output/pacman-keyring/${keyring_name}.gpg \ + output/pacman-keyring/${keyring_name}-trusted \ + output/pacman-keyring/${keyring_name}-revoked + +# Assemble the list of .asc files needed to generate the keyring +output/cache/pacman-keyring/deps.mk: hackers.yml bin/list-pgp-keyids + $(MKDIRS) ${@D} + { \ + echo output/pacman-keyring/${keyring_name}.gpg: $$(bin/list-pgp-keyids | sed -r 's|(\S+) .*|output/cache/pacman-keyring/keys/\1.asc|') && \ + echo output/cache/pacman-keyring/stamp.ownertrust: $$(bin/list-pgp-keyids | sed -rn 's|^(trusted/\S+) .*|output/cache/pacman-keyring/keys/\1.asc|p') && \ + :; }> $@ +-include output/cache/pacman-keyring/deps.mk + +output/cache/pacman-keyring/stamp.gpg-init: gpg-init.txt + ${MKDIRS} ${@D} output/cache/pacman-keyring/gpghome + ${GPG} --gen-key < $< + touch $@ +output/cache/pacman-keyring/stamp.ownertrust: output/pacman-keyring/${keyring_name}-trusted output/cache/pacman-keyring/deps.mk + ${MKDIRS} ${@D} + ${GPG} --import-ownertrust < $< 2>/dev/null + touch $@ + +output/pacman-keyring/${keyring_name}.gpg: output/cache/pacman-keyring/deps.mk + $(MKDIRS) ${@D} + cat $(filter %.asc,$^) > $@ +output/pacman-keyring/${keyring_name}-trusted: hackers.yml bin/list-pgp-keyids + $(MKDIRS) ${@D} + bin/list-pgp-keyids | sed -rn 's|^trusted/\S+ (\S+)|\1:4:|p' > $@ +output/pacman-keyring/${keyring_name}-revoked: hackers.yml bin/list-pgp-keyids + $(MKDIRS) ${@D} + bin/list-pgp-keyids | sed -rn 's|^revoked/\S+ ||p' > $@ + +# These 3 rules are mostly straight from "archlinux-keyring.git/update-keys" +keyid=$$(bin/get-pgp-keyid $*) +output/cache/pacman-keyring/keys/trusted/%.asc: hackers.yml bin/get-pgp-keyid output/cache/pacman-keyring/stamp.gpg-init + ${MKDIRS} ${@D} + ${GPG} --recv-keys ${keyid} &>/dev/null + printf 'minimize\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid} + #${GPG} --yes --lsign-key ${keyid} &>/dev/null + printf 'y\ny\n' | ${GPG} --command-fd 0 --lsign-key ${keyid} &>/dev/null + ${GPG} --armor --no-emit-version --export ${keyid} > $@ +output/cache/pacman-keyring/keys/secondary/%.asc: hackers.yml bin/get-pgp-keyid output/cache/pacman-keyring/stamp.ownertrust + ${MKDIRS} ${@D} + ${GPG} --recv-keys ${keyid} &>/dev/null + printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid} + ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:' # make sure it is trusted + ${GPG} --armor --no-emit-version --export ${keyid} > $@ +output/cache/pacman-keyring/keys/revoked/%.asc: hackers.yml bin/get-pgp-keyid output/cache/pacman-keyring/stamp.ownertrust + ${MKDIRS} ${@D} + ${GPG} --recv-keys ${keyid} &>/dev/null + printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid} + ! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:' # make sure it's not trusted + ${GPG} --armor --no-emit-version --export ${keyid} > $@ + +#### + +.PHONY: PHONY +.SECONDARY: +.DELETE_ON_ERROR: |