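# Continuous deployment workflow (Gitea Actions).
# Renders secret env files for kustomize, registers the Helm repositories and
# runs ops-scripts/apply-app.sh on a self-hosted deploy runner.
on:
  schedule:
    - cron: '0 9 * * 0' # every sunday 9 am
  push:
    branches:
      - main
  # NOTE(review): the job below also runs for pull requests, so the Deploy
  # step (cluster token, database and application secrets) executes
  # ops-scripts/apply-app.sh from the pull request checkout before it is
  # merged. Confirm this is intended, or gate the deploy steps on
  # push/schedule events.
  pull_request:
    branches:
      - main

jobs:
  continuous-deploy:
    runs-on: ["deploy", "kubectl", "limbosolutions-com"]
    env:
      GITHUB_TEMP: ${{ runner.temp }} # fix missing GITHUB_TEMP on gitea
    steps:
      # NOTE(review): a tag ref such as v3 is mutable; pinning the action to a
      # full commit SHA makes the executed code reproducible.
      - name: Checkout code
        uses: actions/checkout@v3

      - name: limbo public actions
        env:
          WORKSPACE: "${{ gitea.workspace }}"
        run: |
          set -euo pipefail
          # Download the installer completely before running it: with a plain
          # `curl | bash` a failed or truncated download is not reported
          # (no pipefail) and a partial script may be executed.
          # NOTE(review): the script is fetched from the moving `main` branch
          # with no integrity check and runs on the deploy runner; consider
          # pinning it to a commit or verifying a checksum kept in this repo.
          setup_script="$(mktemp)"
          trap 'rm -f "$setup_script"' EXIT
          curl -fsSL https://git.limbosolutions.com/kb/gitea/raw/branch/main/cloud-scripts/setup-limbo-actions.sh -o "$setup_script"
          bash "$setup_script" 2>&1

      # limbo custom actions required https://git.limbosolutions.com/kb/gitea/raw/branch/main
      - name: Configure kubectl config
        uses: ./.gitea/limbo_actions/kubectl-setup
        with:
          kube_server: ${{ secrets.HOSTING_KUBE_SERVER }}
          kube_ca_base64: ${{ secrets.HOSTING_KUBE_CA_BASE64 }}
          kube_token: ${{ secrets.HOSTING_KUBE_TOKEN }}

      - name: Deploy
        shell: bash
        env:
          # used by kustomization requires env files
          MARIADB_USER: ${{ secrets.MARIADB_USER }}
          MARIADB_PASSWORD: ${{ secrets.MARIADB_PASSWORD }}
          MARIADB_ROOT_PASSWORD: ${{ secrets.MARIADB_ROOT_PASSWORD }}
          MARIADB_DATABASE: ${{ secrets.MARIADB_DATABASE }}
          PBS_REPOSITORY: ${{ secrets.PBS_REPOSITORY }}
          PBS_PASSWORD: ${{ secrets.PBS_PASSWORD }}
          PBS_FINGERPRINT: ${{ secrets.PBS_FINGERPRINT }}
          ONLYOFFICE_SECRET: ${{ secrets.ONLYOFFICE_SECRET }}
          WHITEBOARD_JWT_SECRET_KEY: ${{ secrets.WHITEBOARD_JWT_SECRET_KEY }}
          # used only on helm set values - only required as environment variables
          NEXTCLOUD_HOST: ${{ secrets.NEXTCLOUD_HOST }}
          NEXTCLOUD_USERNAME: ${{ secrets.NEXTCLOUD_USERNAME }}
          NEXTCLOUD_PASSWORD: ${{ secrets.NEXTCLOUD_PASSWORD }}
          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
        run: |
          set -euo pipefail

          # ensure cleanup always runs, so rendered secrets do not stay on the
          # self-hosted runner after the job (success or failure)
          trap '
            [ -d deploy/app/.env.d ] && rm -rf deploy/app/.env.d/*;
            [ -d deploy/app/onlyoffice/.env.d ] && rm -rf deploy/app/onlyoffice/.env.d/*;
            [ -d deploy/app/whiteboard/.env.d ] && rm -rf deploy/app/whiteboard/.env.d/*;
          ' EXIT

          # Create the secret files owner-only from the first byte; relying on
          # the chmod below alone leaves them readable under the default umask
          # while they are being written.
          previous_umask="$(umask)"
          umask 077

          # setup secrets files (${VAR:?...} aborts the step if a secret is unset or empty)
          echo "MARIADB_USER=${MARIADB_USER:?Missing MARIADB_USER}" >> deploy/app/.env.d/nextcloud-mariadb.env
          echo "MARIADB_PASSWORD=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
          echo "MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD:?Missing MARIADB_ROOT_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
          echo "MARIADB_DATABASE=${MARIADB_DATABASE:?Missing MARIADB_DATABASE}" >> deploy/app/.env.d/nextcloud-mariadb.env

          echo "PBS_REPOSITORY=${PBS_REPOSITORY:?Missing PBS_REPOSITORY}" >> deploy/app/.env.d/pbs.env
          echo "PBS_PASSWORD=${PBS_PASSWORD:?Missing PBS_PASSWORD}" >> deploy/app/.env.d/pbs.env
          echo "PBS_FINGERPRINT=${PBS_FINGERPRINT:?Missing PBS_FINGERPRINT}" >> deploy/app/.env.d/pbs.env

          echo "secret=${ONLYOFFICE_SECRET:?Missing ONLYOFFICE_SECRET}" >> deploy/app/onlyoffice/.env.d/onlyoffice.env

          echo "JWT_SECRET_KEY=${WHITEBOARD_JWT_SECRET_KEY:?Missing WHITEBOARD_JWT_SECRET_KEY}" >> deploy/app/whiteboard/.env.d/whiteboard.env

          # enforce secrets files security (also covers files that already existed)
          chmod 600 deploy/app/.env.d/*
          chmod 600 deploy/app/onlyoffice/.env.d/*
          chmod 600 deploy/app/whiteboard/.env.d/*

          # restore the runner's umask so helm and the deploy script are unaffected
          umask "$previous_umask"

          echo "add nextcloud helm chart"
          helm repo add nextcloud https://nextcloud.github.io/helm

          echo "add bitnami helm chart"
          helm repo add bitnami https://charts.bitnami.com/bitnami

          # invoke deploy script
          ops-scripts/apply-app.sh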