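# Deploys the monitoring stack (Loki/Promtail) to the production Docker Swarm,
# renders the SWAG reverse-proxy site configs and updates the DNS A record.
#
# Trust boundaries worth knowing when reviewing changes to this file:
#   * Runs on a self-hosted runner (prod-runner) with access to the Docker
#     daemon, so anything executed here is effectively root on that host.
#   * Pulls deploy secrets (.env, .env.secrets.swag) from the storage box over
#     SSH and sources them into the shell of several steps.
#   * Secrets and variables are passed to scripts through `env:` rather than
#     being expanded into the script text, so a value containing quotes or
#     shell metacharacters cannot alter the script and the secret is not
#     written into the generated script file on the runner.
name: Deploy Environment Monitoring to Production Environment

on:
  push:
    branches:
      - prod-env
    paths:
      - 'Environment_Monitoring/**'

# Least privilege for GITHUB_TOKEN: the job only needs to read the repository.
permissions:
  contents: read

# Serialise production deploys; a running deploy is never cancelled midway.
concurrency:
  group: prod-monitoring-deploy
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: prod-runner
    steps:
      # NOTE(review): the action is referenced by mutable tag. Pinning to a
      # full commit SHA protects the production runner from a retagged release.
      - name: Checkout Branch
        uses: actions/checkout@v4
        with:
          # No later step performs git operations, so do not leave the token
          # in .git/config on the long-lived runner.
          persist-credentials: false

      # Best-effort: any failure (including "already connected") is ignored.
      - name: Connect Runner to Overlay Network
        run: |
          docker network connect iklimco-net "$(hostname)" || true

      # Points apt at the Hetzner mirror and drops third-party source lists
      # before installing gettext (envsubst) and jq.
      # The mirror is plain HTTP; package integrity relies on apt verifying
      # the signed repository metadata.
      - name: Install Required Tools
        run: |
          sudo sed -i 's|http://archive.ubuntu.com/ubuntu|http://mirror.hetzner.com/ubuntu/packages|g' /etc/apt/sources.list.d/ubuntu.sources || true
          sudo sed -i 's|http://archive.ubuntu.com/ubuntu|http://mirror.hetzner.com/ubuntu/packages|g' /etc/apt/sources.list || true
          sudo sed -i 's|http://security.ubuntu.com/ubuntu|http://mirror.hetzner.com/ubuntu/packages|g' /etc/apt/sources.list.d/ubuntu.sources || true
          sudo sed -i 's|http://security.ubuntu.com/ubuntu|http://mirror.hetzner.com/ubuntu/packages|g' /etc/apt/sources.list || true
          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
          sudo rm -f /etc/apt/sources.list.d/git-core-ubuntu-ppa*.list
          sudo rm -f /etc/apt/sources.list.d/github_git-lfs.list
          sudo apt-get update
          sudo apt-get install -y gettext jq

      # NOTE(review): ssh-keyscan trusts whatever host key is presented at
      # deploy time and appends it on every run, so a changed or spoofed key
      # is accepted silently. Prefer a host key obtained out of band and
      # stored as a repository variable, written to known_hosts instead.
      # NOTE(review): the private key stays at ~/.ssh/id_ed25519 after the
      # job; remove it at the end if nothing else on the runner depends on it.
      - name: Set up SSH Key and Add to known_hosts
        env:
          STORAGEBOX_SSH_PRIV: ${{ secrets.STORAGEBOX_SSH_PRIV }}
          STORAGEBOX_USER: ${{ vars.STORAGEBOX_USER }}
        run: |
          # Create the key file with restrictive permissions from the start,
          # rather than writing it and tightening the mode afterwards.
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$STORAGEBOX_SSH_PRIV" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan -p 23 "${STORAGEBOX_USER}.your-storagebox.de" >> ~/.ssh/known_hosts

      - name: Download Deploy Inputs
        env:
          STORAGEBOX_USER: ${{ vars.STORAGEBOX_USER }}
        run: |
          # Downloaded secret files must not be readable by other users.
          umask 077
          rm -f .env .env.secrets.swag
          scp -P 23 "${STORAGEBOX_USER}@${STORAGEBOX_USER}.your-storagebox.de:prod/secrets/iklim.co/.env" ./.env
          scp -P 23 "${STORAGEBOX_USER}@${STORAGEBOX_USER}.your-storagebox.de:prod/secrets/iklim.co/.env.secrets.swag" ./.env.secrets.swag
          # Fail the job if either file is missing or empty.
          test -s .env
          test -s .env.secrets.swag

      - name: Deploy Monitoring Stack
        run: |
          # Export every variable defined in .env to the deploy command.
          set -a; . ./.env; set +a
          export IMAGE_LOKI="${IMAGE_LOKI}"
          export IMAGE_PROMTAIL="${IMAGE_PROMTAIL}"
          # Remove leftover dozzle_users Docker secret from previous setup
          docker secret rm dozzle_users 2>/dev/null || true
          docker stack deploy \
            --with-registry-auth \
            --resolve-image changed \
            -c Environment_Monitoring/docker-stack-monitoring.yml \
            iklimco-monitoring

      # Polls up to 36 times, 5 s apart, until running replicas equal desired.
      - name: Wait for Loki
        run: |
          for i in $(seq 1 36); do
            REPLICAS=$(docker service ls --filter name=iklimco-monitoring_loki --format "{{.Replicas}}" | head -1)
            if echo "$REPLICAS" | awk -F'[/ ]' '$1>0 && $1==$2{found=1} END{exit !found}'; then
              echo "Loki is ready: $REPLICAS"
              exit 0
            fi
            echo "Loki not ready yet (${REPLICAS:-missing}), waiting 5s..."
            sleep 5
          done
          docker service ps iklimco-monitoring_loki || true
          exit 1

      # Renders each *.conf.tpl with envsubst and writes it into the SWAG
      # site-confs directory through a throwaway container, then validates
      # and reloads nginx if the SWAG container is running.
      # NOTE(review): `alpine` is pulled without a tag or digest and is given
      # a bind mount of the proxy configuration directory; pin the image.
      - name: Configure SWAG Reverse Proxy
        run: |
          set -a; . ./.env; . ./.env.secrets.swag; set +a
          # An empty allow-list would render an invalid "allow ;" directive,
          # and an empty target directory an invalid bind mount; stop before
          # any config file is overwritten.
          : "${RESTRICTED_IPS:?RESTRICTED_IPS must be set}"
          : "${SWAG_SITE_CONFS_DIR:?SWAG_SITE_CONFS_DIR must be set}"
          export PORTAINER_SUBDOMAIN="${PORTAINER_SUBDOMAIN:-portainer.iklim.co}"
          # Turn the comma-separated list into one nginx allow directive per entry.
          export RESTRICTED_IPS_BLOCK="$(echo "$RESTRICTED_IPS" | tr ',' '\n' | sed 's|.*| allow &;|')"
          # Restrict envsubst to these two names so nginx's own $variables
          # in the templates are left untouched.
          SWAG_VARS='${PORTAINER_SUBDOMAIN}${RESTRICTED_IPS_BLOCK}'
          for tpl in Environment_Monitoring/swag/site-confs/*.conf.tpl; do
            fname=$(basename "${tpl%.tpl}")
            envsubst "$SWAG_VARS" < "$tpl" | docker run --rm -i \
              -v "${SWAG_SITE_CONFS_DIR}:/output" \
              alpine sh -c "cat > /output/${fname}"
            echo "${fname} written"
          done
          SWAG_CTR=$(docker ps -q -f name=iklimco_swag 2>/dev/null | head -1)
          if [ -n "$SWAG_CTR" ]; then
            # Reload only when the rendered configuration passes nginx -t.
            docker exec "$SWAG_CTR" nginx -t && docker exec "$SWAG_CTR" nginx -s reload
          fi

      # NOTE(review): the API key and secret are passed on curl's command
      # line and are visible in the runner's process list while curl runs.
      # A failed lookup yields an empty CURRENT and falls through to the PUT.
      - name: Update DNS Records
        env:
          PROD_FLOATING_IP: ${{ vars.PROD_FLOATING_IP }}
        run: |
          # Capture the repository variable before sourcing the env files so
          # a same-named entry in them cannot replace it.
          floating_ip_from_vars="${PROD_FLOATING_IP}"
          set -a; . ./.env; . ./.env.secrets.swag; set +a
          FLOATING_IP="${floating_ip_from_vars}"
          # Never send an update with an empty address.
          : "${FLOATING_IP:?PROD_FLOATING_IP repository variable must be set}"
          DOMAIN="iklim.co"
          for record in portainer; do
            CURRENT=$(curl -s \
              -H "Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}" \
              "https://api.godaddy.com/v1/domains/${DOMAIN}/records/A/${record}" \
              2>/dev/null | jq -r '.[0].data // empty' 2>/dev/null || true)
            if [ "$CURRENT" = "$FLOATING_IP" ]; then
              echo "${record}.${DOMAIN} -> ${FLOATING_IP} exists, skipping"
            else
              curl -sf -X PUT \
                -H "Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}" \
                -H "Content-Type: application/json" \
                "https://api.godaddy.com/v1/domains/${DOMAIN}/records/A/${record}" \
                -d "[{\"data\":\"${FLOATING_IP}\",\"ttl\":600}]"
              echo "${record}.${DOMAIN} -> ${FLOATING_IP} added/updated"
            fi
          done

      - name: Verify Deployment
        run: |
          docker service ps iklimco-monitoring_loki \
            --filter "desired-state=running" \
            --format "table {{.Name}}\t{{.Node}}\t{{.CurrentState}}\t{{.Image}}" | head -20

      # The runner is long-lived: do not leave the downloaded secret files in
      # the workspace after the job, whether it succeeded or failed.
      - name: Remove Downloaded Secrets from Runner
        if: always()
        run: |
          rm -f .env .env.secrets.swag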