# Clavis — build pipeline
# FIPS 140-3: BoringCrypto via GOEXPERIMENT=boringcrypto
# Requires Go 1.24+ (verified: go1.24.0)
#
# Usage:
#   make deploy        — build vault + CLI, test, verify FIPS, restart vault
#   make deploy-vault  — build vault only, test, verify FIPS, restart vault
#   make cli           — build CLI binary
#   make status        — check what's running

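# BoringCrypto is selected at build time through GOEXPERIMENT. Exporting it
# puts the value in the environment of every recipe, so the `go build` and
# `go test` lines below and the recursive make in $(CLI_DIR) all see it.
GOEXPERIMENT := boringcrypto
export GOEXPERIMENT

# Component directories, relative to this Makefile.
VAULT_DIR  := clavis-vault
CLI_DIR    := clavis-cli
CRYPTO_DIR := clavis-crypto

# Binaries produced by `vault` and `cli`.
VAULT_BIN := $(VAULT_DIR)/clavitor
CLI_BIN   := $(CLI_DIR)/clavis-cli

# Package path of the vault main package, relative to $(VAULT_DIR).
VAULT_ENTRY := ./cmd/clavitor

# Go linker flags: -s drops the symbol table, -w drops DWARF debug info.
LDFLAGS := -s -w
# Passed explicitly on the `go build` line (not exported). -trimpath keeps
# absolute source paths out of the binary.
GOFLAGS := -trimpath

# Every target in this file is a command, not a file it produces (`vault`
# and `cli` write $(VAULT_BIN)/$(CLI_BIN), not a file named after the
# target), so all of them are declared phony. verify-fips-vault and
# logs-vault are listed too, so that a stray file of that name in the tree
# can never make them look up to date and get skipped.
.PHONY: all vault cli test clean deploy deploy-vault \
        restart restart-vault stop stop-vault status \
        verify-fips verify-fips-vault logs-vault
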
# --- build ---
# Default goal: build both binaries. `all` is the first rule in the file,
# so a bare `make` runs it.
all: vault cli

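# Crypto JS shipped inside the vault web UI. $(wildcard) is resolved when
# make parses this file, so an empty CRYPTO_JS means no *.js existed in
# $(CRYPTO_DIR) at that point.
CRYPTO_JS := $(wildcard $(CRYPTO_DIR)/*.js)
WEB_DIR   := $(VAULT_DIR)/cmd/clavitor/web

# Build the vault binary (BoringCrypto via the exported GOEXPERIMENT).
# The copy of the crypto JS used to be silenced with `2>/dev/null || true`,
# which could ship a stale web bundle next to a fresh binary without any
# message. It now fails the build when the files exist but cannot be
# copied, and only warns when there is nothing to copy.
# The build-time stamp is substituted in place in index.html and is one-way:
# once the placeholder is gone, later builds keep the old stamp (the tree is
# also left modified). The edit is therefore only attempted while the
# placeholder is still present; `grep -s` keeps a missing index.html quiet.
vault:
	@if [ -n "$(CRYPTO_JS)" ]; then \
	  cp $(CRYPTO_JS) $(WEB_DIR)/; \
	else \
	  echo "vault: no $(CRYPTO_DIR)/*.js found, web bundle not refreshed" >&2; \
	fi
	@if grep -qs '__BUILD_TIME__' $(WEB_DIR)/index.html; then \
	  sed -i 's/__BUILD_TIME__/$(shell date -u +%Y%m%d-%H%M%S)/' $(WEB_DIR)/index.html; \
	fi
	cd $(VAULT_DIR) && go build $(GOFLAGS) -ldflags '$(LDFLAGS)' -o clavitor $(VAULT_ENTRY)
	@echo "built $(VAULT_BIN) (FIPS)"
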
# Build the CLI through its own Makefile (GOEXPERIMENT reaches it via the
# environment), then strip the result. A failing strip is not fatal — the
# binary is still usable unstripped — but note the size line says
# "stripped" either way.
cli:
	$(MAKE) -C $(CLI_DIR)
	@{ strip $(CLI_BIN) || :; } 2>/dev/null
	@size=$$(wc -c < $(CLI_BIN)); echo "built $(CLI_BIN) ($$size bytes, stripped)"

# --- test ---
# Run the vault's API tests. Only ./api/... under $(VAULT_DIR) is covered;
# nothing in $(CRYPTO_DIR) or $(CLI_DIR) is exercised by this target, so
# `deploy` gates on these tests alone.
test:
	cd $(VAULT_DIR) && go test -v ./api/...

# --- deploy ---
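# Full deploy: build both binaries, then gate the restart on the tests and
# the FIPS check. The gate is sequenced with $(MAKE) instead of being listed
# as prerequisites because prerequisites carry no ordering under `make -j`:
# restart-vault depends only on stop-vault, so a parallel run could restart
# the vault before test/verify-fips had finished — or failed.
deploy: vault cli
	$(MAKE) test verify-fips
	$(MAKE) restart-vault
	@echo "--- deployed ---"
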
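# Vault-only deploy: same gate as `deploy` but without rebuilding the CLI.
# test and verify-fips run in a sub-make so they are guaranteed to complete
# before restart-vault, which plain prerequisites do not ensure under -j.
deploy-vault: vault
	$(MAKE) test verify-fips
	$(MAKE) restart-vault
	@echo "--- vault deployed ---"
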
# --- verify ---
# Umbrella for all FIPS checks; further verify-fips-* targets belong here
# as prerequisites.
verify-fips: verify-fips-vault

# Confirm the built vault binary carries GOEXPERIMENT=boringcrypto in its
# embedded build info (`go version -m`). This shows the BoringCrypto module
# was linked into the binary; whether every call site actually uses it is a
# property of the source, not of this check. Exits 1 when the setting is
# absent or the binary cannot be read.
verify-fips-vault:
	@if go version -m $(VAULT_BIN) | grep -q 'GOEXPERIMENT=boringcrypto'; then \
	  echo "vault: FIPS 140-3 (BoringCrypto) ✓"; \
	else \
	  echo "vault: BoringCrypto NOT linked ✗"; exit 1; \
	fi

# --- process management ---
# Best-effort stop. pkill -f matches the full command line of every process
# this user may signal (every user's processes when run as root), so both
# patterns are anchored on the binary name. The first pattern that kills
# something wins; nothing running is not an error.
stop-vault:
	@for pat in './clavitor$$' 'clavis-vault/clavitor$$'; do \
	  pkill -f "$$pat" 2>/dev/null && break; \
	done; true
	@sleep 0.5

# Stop everything this Makefile manages (currently only the vault).
stop: stop-vault

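# Where the vault's stdout/stderr are redirected. The default keeps the
# existing path, but /tmp is shared and world-writable: the name is
# predictable and the file holds whatever clavitor prints, so prefer a
# private location, e.g. `make restart-vault VAULT_LOG=/path/to/clavitor.log`.
# The redirect happens after `cd $(VAULT_DIR)`, so a relative path is
# relative to that directory.
VAULT_LOG  ?= /tmp/clavis-vault.log
# Port the vault is expected to listen on. It is assumed to agree with the
# vault's configuration in .env; nothing here reads it from there.
VAULT_PORT ?= 1984

# Restart the vault: stop it, source $(VAULT_DIR)/.env into the environment
# (`set -a` exports every assignment; the file is executed as shell, so it
# should contain only KEY=value lines), start clavitor detached, then check
# for a listener. The two `test` lines catch a missing .env or binary up
# front; inside the backgrounded command list those failures would only
# surface as a confusing "failed to start" at the port check.
# The port pattern requires whitespace after the port so that e.g. :19840
# does not count as :1984.
restart-vault: stop-vault
	@test -f $(VAULT_DIR)/.env || { echo "restart-vault: $(VAULT_DIR)/.env missing ✗" >&2; exit 1; }
	@test -x $(VAULT_BIN) || { echo "restart-vault: $(VAULT_BIN) not built ✗" >&2; exit 1; }
	cd $(VAULT_DIR) && set -a && . ./.env && set +a && nohup ./clavitor > $(VAULT_LOG) 2>&1 &
	@sleep 1
	@if ss -tlnp | grep -qE ':$(VAULT_PORT)[[:space:]]'; then \
	  echo "vault running on :$(VAULT_PORT) ✓"; \
	else \
	  echo "vault failed to start ✗"; cat $(VAULT_LOG); exit 1; \
	fi
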
# Restart everything this Makefile manages (currently only the vault).
restart: restart-vault

# Quick health view: matching processes, the vault's listening port, and
# whether the built binary carries BoringCrypto. Nothing here fails the
# make run; each section prints a fallback line instead.
status:
	@echo "--- processes ---"
	@if ! ps aux | grep -E '(clavitor|clavis)' | grep -v grep; then echo "nothing running"; fi
	@echo "--- ports ---"
	@if ! ss -tlnp | grep -E ':1984'; then echo "no vault port open"; fi
	@echo "--- fips ---"
	@if go version -m $(VAULT_BIN) 2>/dev/null | grep -q 'GOEXPERIMENT=boringcrypto'; then \
	  echo "vault: FIPS ✓"; \
	else \
	  echo "vault: not built or no FIPS"; \
	fi

# --- logs ---
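# Path restart-vault redirects the vault's output to. Defaults to the
# existing /tmp location; override with VAULT_LOG=... to match the value
# the vault was started with.
VAULT_LOG ?= /tmp/clavis-vault.log

# Follow the vault log. Fails with a clear message instead of tail's
# "cannot open" when nothing has been started under this path.
logs-vault:
	@test -f $(VAULT_LOG) || { echo "logs-vault: $(VAULT_LOG) not found (vault not started?)" >&2; exit 1; }
	@tail -f $(VAULT_LOG)
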
# --- clean ---
# Remove build products. Only the vault binary is deleted directly; the CLI
# is cleaned by its own Makefile, and that step is tolerated failing (no
# Makefile or no clean target there). The crypto JS copied into the web
# directory and the __BUILD_TIME__ substitution in index.html are not
# reverted by this target.
clean:
	$(RM) $(VAULT_BIN)
	-$(MAKE) -C $(CLI_DIR) clean 2>/dev/null || true