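# Deploys the k3s manifests under infra/k3s/ to the cluster on every push to
# main (or on manual dispatch), restarts the deployments in the jitsi
# namespace, waits for the rollouts and smoke-checks the public URL.
name: deploy

on:
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the job only reads the repository for
# checkout. Cluster access comes from the kubeconfig secret, not the token.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # NOTE(review): the four `rollout status --timeout=3m` calls below can add
    # up to 12 minutes, so this job-level limit may fire before they do.
    timeout-minutes: 10
    steps:
      # NOTE(review): both actions are referenced by a mutable tag (@v4).
      # Pinning each to a full commit SHA keeps a retagged release from
      # running with access to the kubeconfig secret.
      - uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the token in
          # .git/config for the rest of the job.
          persist-credentials: false

      - name: Install kubectl
        uses: azure/setup-kubectl@v4
        with:
          # NOTE(review): `latest` floats with every kubectl release; pin a
          # version within the supported skew of the cluster's API server.
          version: latest

      # Secrets are handed to the shell through `env:` rather than expanded
      # into the script text, so their content is never parsed as shell code.
      - name: Configure kubectl from secret
        env:
          KUBECONFIG_B64: ${{ secrets.KUBECONFIG_B64 }}
        run: |
          # Create the directory and file owner-only from the start instead
          # of relying on the chmod that follows the write.
          umask 077
          mkdir -p "$HOME/.kube"
          printf '%s\n' "$KUBECONFIG_B64" | base64 -d > "$HOME/.kube/config"
          chmod 600 "$HOME/.kube/config"
          kubectl config current-context

      # __PUBLIC_IP__ placeholder in jvb manifest needs the actual public
      # IP of darkember. Inject from a repo secret so the manifest stays
      # generic in git.
      - name: Patch JVB public IP
        env:
          DARKEMBER_PUBLIC_IP: ${{ secrets.DARKEMBER_PUBLIC_IP }}
        run: |
          if [ -z "$DARKEMBER_PUBLIC_IP" ]; then
            echo "secret DARKEMBER_PUBLIC_IP missing"
            exit 1
          fi
          # The value is spliced into a sed replacement; accept only address
          # characters so '|', '&', '\' or whitespace cannot alter the
          # expression or the manifest. Assumes a literal IPv4/IPv6 address;
          # relax this if a hostname is ever stored here.
          case "$DARKEMBER_PUBLIC_IP" in
            *[!0-9A-Fa-f.:]*)
              echo "secret DARKEMBER_PUBLIC_IP contains unexpected characters"
              exit 1
              ;;
          esac
          sed -i "s|__PUBLIC_IP__|${DARKEMBER_PUBLIC_IP}|g" infra/k3s/60-jvb.yaml

      - name: Apply manifests
        # 20-secrets.yaml is intentionally NOT applied — secret must be
        # created out-of-band (see scripts/generate-secrets.sh) so we
        # don't overwrite real values with placeholders.
        run: |
          kubectl apply -f infra/k3s/00-namespace.yaml
          kubectl apply -f infra/k3s/10-config.yaml
          kubectl apply -f infra/k3s/30-prosody.yaml
          kubectl apply -f infra/k3s/40-jicofo.yaml
          kubectl apply -f infra/k3s/50-web.yaml
          kubectl apply -f infra/k3s/60-jvb.yaml
          kubectl apply -f infra/k3s/70-ingress.yaml

      # ConfigMap-only changes don't restart pods on their own, so a
      # deploy that just edits 10-config.yaml would otherwise leave the
      # pods running the old env vars. Force a rollout to pick the new
      # values up. Note that `rollout restart` rolls every deployment in
      # the namespace on each run, whether or not anything changed.
      - name: Roll pods to pick up ConfigMap drift
        run: kubectl -n jitsi rollout restart deployment

      - name: Wait for rollout
        run: |
          kubectl -n jitsi rollout status deployment/prosody --timeout=3m
          kubectl -n jitsi rollout status deployment/jicofo --timeout=3m
          kubectl -n jitsi rollout status deployment/jitsi-web --timeout=3m
          kubectl -n jitsi rollout status deployment/jvb --timeout=3m

      # Up to five attempts, five seconds apart; 200/301/302 counts as up.
      - name: Smoke-check
        run: |
          for i in 1 2 3 4 5; do
            # --max-time bounds each attempt so a hung connection cannot use
            # up the job's remaining time.
            if curl -fsS --max-time 10 -o /dev/null -w "%{http_code}\n" https://meet.it.financeflow.de/ | grep -q "200\|301\|302"; then
              echo "meet.it.financeflow.de is up"
              exit 0
            fi
            sleep 5
          done
          echo "smoke-check failed"
          exit 1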