# Push to main → rsync this repo into arkieproject/backend on ark-library-backend-1, rebuild api.
#
# Gitea repo secrets (Settings → Actions → Secrets):
#   DEPLOY_SSH_KEY   — PEM private key for ec2-user@ark-library-backend-1 (no passphrase)
#
# Optional secrets (override defaults):
#   DEPLOY_HOST      — SSH host (default ark-library-backend-1; use IP/hostname if the runner has no ~/.ssh/config alias)
#   DEPLOY_USER      — default ec2-user
#   REMOTE_REPO      — default /home/ec2-user/arkieproject
#
# Runner must reach the host (Tailscale, VPC, or public IP). Add the matching public key to authorized_keys on the server.

name: Deploy API

on:
  push:
    branches: [main]
  workflow_dispatch:

env:
  DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
  DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
  REMOTE_REPO: ${{ secrets.REMOTE_REPO }}

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Resolve deploy target
        run: |
          echo "DEPLOY_HOST=${DEPLOY_HOST:-ark-library-backend-1}" >> "$GITHUB_ENV"
          echo "DEPLOY_USER=${DEPLOY_USER:-ec2-user}" >> "$GITHUB_ENV"
          echo "REMOTE_REPO=${REMOTE_REPO:-/home/ec2-user/arkieproject}" >> "$GITHUB_ENV"

      - name: Configure SSH
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          if [[ -z "${DEPLOY_SSH_KEY}" ]]; then
            echo "Missing repository secret DEPLOY_SSH_KEY" >&2
            exit 1
          fi
          install -d -m 700 ~/.ssh
          printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null || true

      - name: Rsync backend sources
        run: |
          REMOTE_BACKEND="${REMOTE_REPO}/backend/"
          rsync -avz --delete \
            --exclude '.git' \
            --exclude 'uploads' \
            --exclude '.env' \
            --exclude '.env.*' \
            --exclude '.DS_Store' \
            -e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=30" \
            ./ "${DEPLOY_USER}@${DEPLOY_HOST}:${REMOTE_BACKEND}"

      - name: Rebuild and restart API container
        run: |
          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=30 \
            "${DEPLOY_USER}@${DEPLOY_HOST}" bash -s <<REMOTE
          set -euo pipefail
          cd "${REMOTE_REPO}"
          if [[ ! -f .env ]]; then
            echo "Missing ${REMOTE_REPO}/.env on server — bootstrap with deploy/sync-admin.sh first." >&2
            exit 1
          fi
          DC='sudo docker compose -f deploy/docker-compose.admin.yml --env-file .env'
          \${DC} build api
          \${DC} up -d --no-deps api
          \${DC} ps api
          REMOTE