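---
# CI pipeline: builds and pushes the four service images on master, then
# refreshes the staging Docker Compose stack over SSH.
kind: pipeline
type: docker
name: build-and-deploy

workspace:
  base: /woodpecker
  path: src

clone:
  depth: 50

volumes:
  # Host Docker socket. Any step that mounts it can drive the host daemon,
  # which is root-equivalent control of the CI host.
  - name: docker-sock
    host:
      path: /var/run/docker.sock

steps:
  - name: build-and-push
    image: docker:24.0-cli
    # NOTE(review): this step only runs the docker CLI against the mounted
    # host socket, so privileged mode is probably unnecessary on top of the
    # socket mount. Confirm and drop it if builds still pass.
    privileged: true
    volumes:
      - name: docker-sock
        path: /var/run/docker.sock
    commands:
      - set -eu
      - REG=us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo
      - TAG=$(echo "$CI_COMMIT_SHA" | head -c 8)
      # If the builder already exists, `create` fails; select it instead of
      # masking every failure with `|| true`.
      - docker buildx create --use --name woodpecker || docker buildx use woodpecker
      # Shell variables use the plain $VAR form so that any ${...}
      # pre-processing by the CI server cannot blank them before the shell
      # runs. Quoting keeps each build argument a single word.
      - |
        for svc in server1 server2 server3 nginx; do
          docker buildx build -f "Dockerfile.$svc" -t "$REG/$svc:$TAG" --push .
        done
    when:
      event: [push, manual]
      branch: [master]

  - name: ssh-deploy
    # NOTE(review): `latest` is a mutable tag, and this step handles the
    # staging SSH key. Pin to a reviewed version or digest.
    image: google/cloud-sdk:latest
    entrypoint:
      - bash
      - -c
      # Literal block (|) keeps the newlines, so the trailing backslashes
      # below are real shell line continuations.
      - |
        set -euo pipefail

        # Create key material owner-only from the start instead of relying
        # on a chmod after the write.
        umask 077
        mkdir -p ~/.ssh
        chmod 700 ~/.ssh

        gcloud secrets versions access latest --secret=STAGING_KNOWN_HOSTS \
          --project=aptivaai-dev | base64 -d > ~/.ssh/known_hosts
        chmod 644 ~/.ssh/known_hosts

        gcloud secrets versions access latest --secret=STAGING_SSH_KEY \
          --project=aptivaai-dev | base64 -d > ~/.ssh/id_ed25519
        chmod 600 ~/.ssh/id_ed25519
        echo "🔑 SSH prerequisites installed"

        IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG \
          --project=aptivaai-dev | tr -d '\n')

        # IMG_TAG is interpolated into the remote command line below, so
        # accept only the Docker tag character set. Anything else could be
        # interpreted as shell syntax on the staging host.
        tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
        if [[ ! "$IMG_TAG" =~ $tag_re ]]; then
          echo "IMG_TAG from Secret Manager is not a valid image tag; refusing to deploy" >&2
          exit 1
        fi
        echo "📦 IMG_TAG=$IMG_TAG"

        # NOTE(review): build-and-push tags images with the short commit SHA,
        # while this step deploys the IMG_TAG secret. Nothing visible here
        # updates that secret, so confirm how the two stay in sync.
        ssh -o StrictHostKeyChecking=yes -i ~/.ssh/id_ed25519 jcoakley@10.128.0.12 \
          "set -euo pipefail; \
           export IMG_TAG='$IMG_TAG'; \
           cd /home/jcoakley/aptiva-staging-app; \
           echo 'Pulling containers for tag $IMG_TAG'; \
           docker compose pull; \
           echo 'Re-creating services'; \
           docker compose up -d --force-recreate --remove-orphans; \
           echo '✅ Staging stack refreshed with tag $IMG_TAG'"
    # NOTE(review): the script reads both values from Secret Manager via
    # gcloud and never references these injected CI secrets. Confirm they are
    # still needed; unused secrets widen the exposure of the step.
    secrets:
      - STAGING_SSH_KEY
      - STAGING_KNOWN_HOSTS
    # NOTE(review): only an event filter is visible. Unlike build-and-push
    # there is no branch filter, so confirm that pushes to non-master
    # branches are meant to redeploy staging.
    when:
      event:
        - push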