# ──────────────────────────────────────────────────────────────────────────────
# CrowdSec Admin — Gitea Actions CI/CD
#
# Triggers on push to main. Runner builds image + brings stack up via docker
# compose on the host. Image stays local (no registry push), same pattern as
# flight-radar.
#
# PREREQUISITES (one-time):
#   1. Host LAPI machine registered (for DELETE auth):
#        sudo cscli machines add crowdsec-admin --password '<PW>' -f -
#   2. Host LAPI bouncer registered (for GET auth):
#        sudo cscli bouncers add crowdsec-admin
#   3. Repo secrets set in Gitea → Settings → Secrets:
#        LAPI_MACHINE_ID=crowdsec-admin
#        LAPI_MACHINE_PASSWORD=<PW>
#        LAPI_BOUNCER_KEY=<bouncer key from step 2>
#   4. DNS: crowdsec.domverse-berlin.eu → host IP.
#   5. Authentik wildcard forward_domain already covers *.domverse-berlin.eu.
# ──────────────────────────────────────────────────────────────────────────────

name: Deploy

on:
  push:
    branches:
      - main
  workflow_dispatch:

env:
  COMPOSE_PROJECT: crowdsec-admin
  COMPOSE_FILE: docker-compose.yml

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Write .env for compose
        run: |
          cat > .env <<EOF
          LAPI_MACHINE_ID=${{ secrets.LAPI_MACHINE_ID }}
          LAPI_MACHINE_PASSWORD=${{ secrets.LAPI_MACHINE_PASSWORD }}
          LAPI_BOUNCER_KEY=${{ secrets.LAPI_BOUNCER_KEY }}
          EOF
          chmod 600 .env

      - name: Deploy with docker compose
        run: |
          echo "=== Deploying commit ${{ gitea.sha }} to ${{ gitea.ref_name }} ==="
          docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" up --build -d --remove-orphans

      - name: Show health
        run: |
          sleep 3
          docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" ps
          docker exec "$COMPOSE_PROJECT" python -c "import urllib.request; print(urllib.request.urlopen('http://127.0.0.1:8000/healthz', timeout=3).read().decode())" || true

      - name: Prune dangling images
        run: docker image prune -f