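# Builds the kubezero cloud images on top of the alpine-cloud-images checkout
# and manages the age-encrypted secrets listed in .age.yml (.paths / .keys).
#
# Tunables (override on the command line, e.g. `make STEP=build ONLY=...`):
#   ONLY  - extra selectors appended to the --only filter (empty by default)
#   STEP  - alpine-cloud-images build step to run (default: publish)

# None of these targets produce a file of the same name, so declare them phony
# or a stray file called e.g. `clean` would silently disable the target.
.PHONY: all build clean age-add-gitignore age-unseal age-seal scan-image

# $(CURDIR) is the absolute working directory Make already knows; no need to
# fork a `pwd` at parse time.
OVERLAY := $(CURDIR)/overlay
ONLY    :=
FILTER  := --only 3.16 $(ONLY)
STEP    := publish

all: build

# The build script must run from inside the alpine-cloud-images checkout;
# `cd … &&` keeps both in one shell (each recipe line is its own shell).
build:
	cd alpine-cloud-images && ./build $(STEP) --clean --revise $(FILTER) \
	  --custom $(OVERLAY)/zdt --vars $(OVERLAY)/zdt/zdt.hcl

clean:
	rm -rf alpine-cloud-images/work

# Adds all tracked encrypted files to .gitignore as safety net, so a decrypted
# clear-text copy can never be committed by accident. Idempotent: a path is
# only appended when grep finds no exact (-xF) match yet.
age-add-gitignore:
	@touch .gitignore && for f in $$(yq eval .paths[] .age.yml); do \
	  grep -qxF $$f .gitignore || echo $$f >> .gitignore; \
	done

# Decrypts all secrets and deletes encrypted .age
# The .age copy is only removed after age succeeds (&&), so a failed decrypt
# loses nothing.
# NOTE(review): the decrypted file is created with the umask default
# permissions; run with `umask 077` if other local users must not read it.
age-unseal:
	@for f in $$(yq eval .paths[] .age.yml); do \
	  age --decrypt -i ~/.ssh/git.age -o $$f $$f.age && rm $$f.age; \
	done

# Compares all unencrypted files against last encrypted versions
# If there are no diffs, just restore the .age file from the index and delete
# the unaltered local unencrypted file, otherwise re-encrypt and remove clear text.
# New ciphertext is written to $f.age.tmp and moved into place only after age
# succeeds, so a failed encryption never leaves the tree without a .age file;
# such a failure aborts the target instead of being skipped silently, because
# the clear-text file would otherwise stay behind unnoticed.
age-seal:
	@keys=$$(yq eval .keys[] .age.yml | sed -e 's/^/-r /'); \
	for f in $$(yq eval .paths[] .age.yml); do \
	  [ -f $$f ] || continue; \
	  if git restore $${f}.age 2>/dev/null && \
	     age --decrypt -i ~/.ssh/git.age $$f.age | diff -q - $$f >/dev/null 2>&1; then \
	    rm -f $$f; \
	  else \
	    { age --encrypt $$keys -o $$f.age.tmp $$f && mv -f $$f.age.tmp $$f.age && rm -f $$f; } \
	      || { rm -f $$f.age.tmp; echo "age-seal: failed to encrypt $$f" >&2; exit 1; }; \
	  fi; \
	done

# Just a reference how it could work, requires root though
# The device is attached read-only and mounted -o ro so the scan cannot alter
# the image; the last two lines detach it again once trivy has finished.
# NOTE(review): the image path below is pinned to 3.15.4 while FILTER selects
# 3.16 -- adjust it to the image actually present under work/images.
scan-image:
	modprobe nbd
	qemu-nbd -c /dev/nbd0 --read-only alpine-cloud-images/work/images/aws/3.15.4-x86_64-bios-cloudinit-aws-kubezero/image.qcow2
	mount -o ro /dev/nbd0 /mnt/temp/
	trivy rootfs /mnt/temp
	umount /mnt/temp
	qemu-nbd -d /dev/nbd0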