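# Builds the customised Alpine cloud images from the ./overlay/zdt overlay and
# manages the agebox-encrypted secrets tracked in .ageboxreg.yml.

# Absolute path of the overlay directory handed to the image build.
OVERLAY := $(CURDIR)/overlay

# Image selection passed to ./build.
# FILTER := --only 3.15 kubezero --skip aarch64
FILTER := --only 3.15 --skip aarch64

# Build step passed to ./build. The default is "publish", so a plain `make`
# publishes; override on the command line (make STEP=<step>) to stop earlier.
STEP := publish

# None of these targets produce a file of the same name.
.PHONY: all build clean age-add-gitignore age-unseal age-seal

all: build

# Runs the upstream build script from inside its checkout. The overlay paths
# are quoted so a checkout path containing spaces does not split the arguments.
build:
	cd alpine-cloud-images && ./build $(STEP) --clean --revise $(FILTER) --custom "$(OVERLAY)/zdt" --vars "$(OVERLAY)/zdt/zdt.hcl"

# Removes the build work directory only.
clean:
	rm -rf alpine-cloud-images/work

# Adds all tracked encrypted files to .gitignore as safety net, so a decrypted
# copy cannot be committed by accident. Each entry is matched as a whole fixed
# line; "-e" keeps a path starting with "-" from being parsed as a grep option.
age-add-gitignore:
	@for f in $$(yq eval '.file_ids[]' .ageboxreg.yml); do \
		grep -qxF -e "$$f" .gitignore || printf '%s\n' "$$f" >> .gitignore; \
	done

# Decrypts all secrets, which also removes the .agebox files locally and they show as "deleted" for now
# This is a design choice of the agebox devs atm
# The plaintext then sits in the working tree until age-seal is run; run
# age-add-gitignore beforehand so it stays out of commits.
age-unseal:
	@agebox decrypt --all

# Encrypts all secrets, but compares the local unencrypted files with the decrypted content from the index first
# If there are no diffs, just restore the agebox file from the index and delete the unaltered local unencrypted file
# If there are changes re-encrypt
#
# Notes on the recipe:
#  - The comparison uses `cmp -s`, not `diff`, so changed secret content is
#    never printed to the terminal or a CI log; only the file path is reported.
#  - A file with no local plaintext (already sealed) is skipped after the
#    restore. Without that guard the comparison fails, the restored .agebox is
#    deleted, and there is nothing left to encrypt.
#  - A failed encrypt aborts the run: at that point the old .agebox is gone and
#    the plaintext is still on disk, which must not pass silently.
#  - Recipients come from .agekeys; review changes to that file like any other
#    access-control change.
age-seal:
	@for f in $$(yq eval '.file_ids[]' .ageboxreg.yml); do \
		git restore -- "$$f.agebox"; \
		[ -f "$$f" ] || continue; \
		if agebox cat "$$f.agebox" | cmp -s - "$$f"; then \
			rm -f -- "$$f"; \
		else \
			echo "age-seal: re-encrypting $$f"; \
			rm -f -- "$$f.agebox"; \
			agebox encrypt "$$f" --public-keys .agekeys || exit 1; \
		fi; \
	done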