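#!/usr/bin/env bash
# ───────────────────────── config ─────────────────────────
# Deploy script: builds the front-end bundle, builds and pushes one image per
# service, records the image tag in .env and Secret Manager, pulls the
# per-environment secrets and finally runs `docker compose up`.
#
# Usage:  ./deploy.sh [dev|staging|prod]
# Env:    ENV              – fallback for the positional argument (default: dev)
#         REACT_APP_API_URL – forwarded to compose if set by the caller
#
# NOTE: the shebang must be the very first line of the file; when it sits
# below a banner comment the kernel ignores it and the script runs under the
# caller's shell, which may not support arrays or `[[`.
set -euo pipefail   # fail fast, surfacing missing vars

# Print a diagnostic to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Accept priority: 1) CLI arg 2) exported variable 3) default 'dev'
# (the name ENV is kept because callers already export it).
ENV="${1:-${ENV:-dev}}"
case "$ENV" in
  dev|staging|prod) ;;   # sanity guard
  *) echo "❌ Unknown ENV='$ENV'" >&2; exit 1 ;;
esac

PROJECT="aptivaai-${ENV}"   # adjust if prod lives elsewhere
REG="us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo"
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ENV_FILE="${ROOT}/.env"

# Every external tool the script shells out to; fail early instead of
# half-way through a build.
for tool in git npm docker gcloud sudo; do
  command -v "$tool" >/dev/null 2>&1 || die "❌ required tool '${tool}' not found in PATH"
done

echo "🔧 Deploying environment: $ENV (GCP: $PROJECT)"

# Names of the Secret Manager secrets to fetch; the stored secret is named
# "<NAME>_<ENV>" and is exported into the environment under <NAME>.
SECRETS=(
  JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
  STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET
  STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR
  STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR
  DB_HOST DB_NAME DB_PORT DB_USER DB_PASSWORD
  DB_SSL_CERT DB_SSL_KEY DB_SSL_CA
  TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID
  KMS_KEY_NAME DEK_PATH
)

cd "$ROOT" || die "❌ cannot cd to ${ROOT}"
echo "🛠 Building front‑end bundle"
npm ci --silent
npm run build

# ───────────────────── build & push images ─────────────────────
# Tag = short commit hash + UTC build minute; contains only [0-9a-f-], so it
# is safe to splice into the sed expression below.
TAG="$(git rev-parse --short HEAD)-$(date -u +%Y%m%d%H%M)"
echo "🔨 Building & pushing containers (tag = ${TAG})"
for svc in server1 server2 server3 nginx; do
  docker build -f "Dockerfile.${svc}" -t "${REG}/${svc}:${TAG}" .
  docker push "${REG}/${svc}:${TAG}"
done

# Record the tag in .env (read by docker compose from the project directory).
if [[ -f "$ENV_FILE" ]] && grep -q '^IMG_TAG=' "$ENV_FILE"; then
  sed -i "s/^IMG_TAG=.*/IMG_TAG=${TAG}/" "$ENV_FILE"
else
  # If the existing file lacks a trailing newline, terminate it first so the
  # new assignment is not glued onto the previous line.
  if [[ -s "$ENV_FILE" && -n "$(tail -c1 "$ENV_FILE")" ]]; then
    printf '\n' >> "$ENV_FILE"
  fi
  echo "IMG_TAG=${TAG}" >> "$ENV_FILE"
fi
echo "✅ .env updated with IMG_TAG=${TAG}"
# Also export it so the --preserve-env entry below actually carries a value.
export IMG_TAG="$TAG"

# ─────────────────────────────────────────────────────────────
# 1a. Publish IMG_TAG to Secret Manager (single source of truth)
# ─────────────────────────────────────────────────────────────
printf "%s" "${TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="$PROJECT"
echo "📦 IMG_TAG pushed to Secret Manager (no suffix)"

# ───────────────────── pull secrets (incl. KMS key path) ───────
echo "🔐 Pulling secrets from Secret Manager"
for S in "${SECRETS[@]}"; do
  # Assign in a separate step: `export NAME="$(cmd)"` returns export's own
  # status (0) even when the gcloud call fails, so a missing secret would
  # silently be exported as an empty string and reach the containers.
  value=""
  value="$(gcloud secrets versions access latest \
    --secret="${S}_${ENV}" --project="$PROJECT")" \
    || die "❌ failed to read secret '${S}_${ENV}' from project ${PROJECT}"
  if [[ -z "$value" ]]; then
    printf '⚠️  secret %s_%s is empty\n' "$S" "$ENV" >&2
  fi
  export "${S}=${value}"
done
unset value
export FROM_SECRETS_MANAGER=true

# ───────────────────── compose up ───────────────────────────────
# Comma-joined list of variable names sudo should pass through; the IFS
# change is scoped to the subshell so it does not affect the script.
preserve="IMG_TAG,FROM_SECRETS_MANAGER,REACT_APP_API_URL,$(IFS=,; echo "${SECRETS[*]}")"
echo "🚀 docker compose up -d (env: $preserve)"   # names only, never values
# stderr is routed through a filter that drops the compose startup WARN line;
# sudo's exit status is still what set -e sees.
sudo --preserve-env="$preserve" docker compose up -d --force-recreate \
  2> >(grep -v 'WARN \[0000\]' >&2)
echo "✅ Deployment finished"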