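# Note: Decryption MUST reset the mod time to avoid encryption/decryption loops
#
# Encrypt if:
# - Both files exist, local is newer than remote
# - Only local exists
#
# $(1) = local plaintext file, $(2) = encrypted ("remote") file.
#
# Ciphertext is written to $(2).tmp and only moved into place when sops
# succeeds.  With a bare `> $(2)` the shell truncates the existing ciphertext
# before sops even starts, so a failing sops (e.g. no usable key) would leave
# an empty encrypted file behind -- and the trailing `|| true` hid that.  The
# predicate being false is the normal "nothing to do" case and stays silent;
# a sops/mv failure now fails the recipe.
define maybe_encrypt_secret
if { [ -f "$(1)" ] && [ -f "$(2)" ] && [ "$(1)" -nt "$(2)" ]; } || \
   { [ -f "$(1)" ] && [ ! -f "$(2)" ]; }; then \
  $(SOPS) --encrypt "$(1)" > "$(2).tmp" && mv -f "$(2).tmp" "$(2)" || \
    { rm -f "$(2).tmp"; exit 1; }; \
fi
endef

# Only decrypt when local files don't exist
# Unfortunately, this means we can't decrypt if the secrets update. We can't
# do that because otherwise it creates a loop. The secrets update, therefore we
# decrypt secrets, but because the modtime of the decrypted secrets is newer
# than the encrypted secrets, we want to reencrypt encrypted secrets.
#
# $(1) = encrypted file, $(2) = local plaintext file.
#
# The plaintext is produced in a subshell under `umask 077` so the file is
# never created with the default (typically group/world-readable) mode, the
# epoch mtime is applied to the temp file (mv/rename keeps it), and the file
# is moved into place only when every step succeeded.  Previously a failed
# decryption left an empty $(2) with a fresh mtime: the "only when local is
# missing" test then never retried, and maybe_encrypt_secret saw a newer
# local secret and encrypted the empty file over the real ciphertext.
define maybe_decrypt_secret
if [ -f "$(1)" ] && [ ! -f "$(2)" ]; then \
  mkdir -p "$$(dirname "$(2)")" && \
  ( umask 077 && $(SOPS) --decrypt "$(1)" > "$(2).tmp" ) && \
  touch -d 1970-01-01 "$(2).tmp" && \
  mv -f "$(2).tmp" "$(2)" || \
    { rm -f "$(2).tmp"; exit 1; }; \
fi
endef

# Run image $(2) interactively with entrypoint $(3); $(1) carries extra
# `docker run` flags.  The host GnuPG socket directory is bind-mounted
# read-only and SSH_AUTH_SOCK is pointed at the agent's SSH socket inside it;
# the host GnuPG home directory is mounted read-write.
#
# NOTE(review): the `:rw` mount of the GnuPG homedir exposes the whole keyring
# directory (not just the agent sockets) to the container -- confirm the
# container needs more than the agent sockets before keeping it writable.
#
# `define` makes a recursive variable, so the $(shell gpgconf ...) calls run on
# every $(call run-container,...) expansion, not at parse time.
define run-container
docker run -it $(1) \
  -v "$$PWD/.bashrc:/home/user/.bashrc:ro" \
  -v "$(shell gpgconf --list-dirs socketdir)/:/run/user/1000/gnupg/:ro" \
  -v "$(shell gpgconf --list-dirs homedir):/home/user/.gnupg:rw" \
  -e "SSH_AUTH_SOCK=/run/user/1000/gnupg/$(notdir $(shell gpgconf --list-dirs agent-ssh-socket))" \
  --entrypoint $(3) \
  $(2)
endef

# Build image $(1) with tag $(2) from Dockerfile $(3) (build context = the
# Dockerfile's directory), SOURCE_DATE_EPOCH=$(4) for reproducible timestamps
# and $(5) as the OCI revision annotation; the OCI tarball is streamed straight
# into out/image/$(1).
#
# The recipe's exit status is that of the last pipeline stage (tar), so a
# failed `docker buildx build` looked like success unless the shell had
# pipefail enabled.  `set -o pipefail` fixes this on bash/ksh/zsh and on
# POSIX.1-2024 shells; on an older sh it only prints an "illegal option"
# message and the build proceeds as before.  Setting
# `.SHELLFLAGS := -eu -o pipefail -c` with `SHELL := bash` at the top of the
# file is the file-wide alternative.
define build-container
mkdir -p "out/image/$(1)"
set -o pipefail; \
SOURCE_DATE_EPOCH=$(4) docker \
  buildx \
  build \
  --tag "$(REGISTRY)/$(1):$(2)" \
  --output \
  name=$(1),type=oci,rewrite-timestamp=true,force-compression=true,annotation.org.opencontainers.image.revision=$(5),annotation.org.opencontainers.image.version=$(2),tar=true,dest=- \
  $(EXTRA_ARGS) \
  $(NOCACHE_FLAG) \
  $(CHECK_FLAG) \
  --platform=$(PLATFORM) \
  --progress=$(PROGRESS) \
  -f "$(3)" \
  "$(dir $(3))" \
  | tar -C "out/image/$(1)" -mx
endef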