# Push to main → scp backend sources to API host, rebuild api container.
#
# ark-library-backend-1 is a *local* SSH alias only. The act runner cannot resolve it.
# Default host is the Tailscale IP from ~/.ssh/config (Host ark-library-backend-1 → 100.93.205.19).
# The Gitea act runner must be on the same Tailscale tailnet, OR set secret DEPLOY_HOST to a reachable IP/DNS.
#
# Secrets (Settings → Actions → Secrets):
#   DEPLOY_SSH_KEY   — required: ark-library.pem contents (ec2-user, no passphrase)
#   DEPLOY_HOST      — optional: override default 100.93.205.19
#   DEPLOY_USER      — optional: default ec2-user
#   REMOTE_REPO      — optional: default /home/ec2-user/arkieproject

name: Deploy API

on:
  push:
    branches: [main]
  workflow_dispatch:

env:
  DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
  DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
  REMOTE_REPO: ${{ secrets.REMOTE_REPO }}

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Resolve deploy target
        run: |
          # Tailscale IP for ark-library-backend-1 (see ~/.ssh/config on dev machine)
          host="${DEPLOY_HOST:-100.93.205.19}"
          repo="${REMOTE_REPO:-/home/ec2-user/arkieproject}"
          echo "DEPLOY_HOST=${host}" >> "$GITHUB_ENV"
          echo "DEPLOY_USER=${DEPLOY_USER:-ec2-user}" >> "$GITHUB_ENV"
          echo "REMOTE_REPO=${repo}" >> "$GITHUB_ENV"
          echo "REMOTE_BACKEND=${repo}/backend" >> "$GITHUB_ENV"

      - name: Configure SSH
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          if [[ -z "${DEPLOY_SSH_KEY}" ]]; then
            echo "Missing repository secret DEPLOY_SSH_KEY" >&2
            exit 1
          fi
          install -d -m 700 ~/.ssh
          printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          {
            echo "Host deploy-target"
            echo "  HostName ${DEPLOY_HOST}"
            echo "  User ${DEPLOY_USER}"
            echo "  IdentityFile ~/.ssh/deploy_key"
            echo "  StrictHostKeyChecking accept-new"
            echo "  ConnectTimeout 30"
          } >> ~/.ssh/config
          chmod 600 ~/.ssh/config
          ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null || true

      - name: Verify SSH reachability
        run: |
          echo "Testing SSH to ${DEPLOY_USER}@${DEPLOY_HOST} ..."
          if ! ssh -o BatchMode=yes -o ConnectTimeout=15 deploy-target "echo ok" 2>&1; then
            echo "::error::Cannot SSH to ${DEPLOY_HOST}. The act runner must reach this host (same Tailscale tailnet, or set DEPLOY_HOST secret to a public IP/DNS). Local alias ark-library-backend-1 does not work on CI."
            exit 1
          fi

      - name: Package backend sources
        run: |
          tar czf /tmp/backend-deploy.tar.gz \
            --exclude='./.git' \
            --exclude='./uploads' \
            --exclude='./.env' \
            --exclude='./.env.*' \
            --exclude='./.DS_Store' \
            --exclude='./.gitea' \
            -C . .

      - name: Deploy backend sources (scp)
        run: |
          scp -o ConnectTimeout=30 /tmp/backend-deploy.tar.gz deploy-target:/tmp/backend-deploy.tar.gz
          ssh deploy-target bash -s <<REMOTE
          set -euo pipefail
          REMOTE_BACKEND="${REMOTE_BACKEND}"
          mkdir -p "\${REMOTE_BACKEND}"
          find "\${REMOTE_BACKEND}" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
          tar xzf /tmp/backend-deploy.tar.gz -C "\${REMOTE_BACKEND}"
          rm -f /tmp/backend-deploy.tar.gz
          REMOTE

      - name: Rebuild and restart API container
        run: |
          ssh deploy-target bash -s <<REMOTE
          set -euo pipefail
          cd "${REMOTE_REPO}"
          if [[ ! -f .env ]]; then
            echo "Missing ${REMOTE_REPO}/.env on server — bootstrap with deploy/sync-admin.sh first." >&2
            exit 1
          fi
          DC='sudo docker compose -f deploy/docker-compose.admin.yml --env-file .env'
          \${DC} build api
          \${DC} up -d --no-deps api
          \${DC} ps api
          REMOTE