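---
# Reusable workflow: deploys a docker-compose stack to the STAF host via the
# shared Ansible playbooks in <owner>/ansible-shared.
#
# Callers must make the STAF_* and ORG_GITEA_TOKEN secrets available (e.g.
# `secrets: inherit`); the first step fails fast if any of them is empty.
name: Deploy Stack

on:
  workflow_call:
    inputs:
      extra_vars:
        required: false
        type: string
        description: "JSON string of extra variables to pass to Ansible"

# Least privilege for the automatic token: nothing below pushes to the repo.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      # Secrets are handed to the shell through `env:` rather than being
      # interpolated into the script text, so their contents can never be
      # parsed as shell syntax.
      - name: Validate required secrets
        env:
          STAF_SSH_PRIVATE_KEY_BASE64: ${{ secrets.STAF_SSH_PRIVATE_KEY_BASE64 }}
          STAF_HOST: ${{ secrets.STAF_HOST }}
          STAF_ANSIBLE_USER: ${{ secrets.STAF_ANSIBLE_USER }}
          ORG_GITEA_TOKEN: ${{ secrets.ORG_GITEA_TOKEN }}
          STAF_PUID: ${{ secrets.STAF_PUID }}
          STAF_PGID: ${{ secrets.STAF_PGID }}
          STAF_TIMEZONE: ${{ secrets.STAF_TIMEZONE }}
          STAF_APPDATA_ROOT: ${{ secrets.STAF_APPDATA_ROOT }}
        run: |
          missing=0
          for name in STAF_SSH_PRIVATE_KEY_BASE64 STAF_HOST STAF_ANSIBLE_USER \
                      ORG_GITEA_TOKEN STAF_PUID STAF_PGID STAF_TIMEZONE STAF_APPDATA_ROOT; do
            if [ -z "${!name}" ]; then
              echo "❌ $name secret is required"
              missing=1
            fi
          done
          # Report every missing secret before failing instead of stopping at the first.
          [ "$missing" -eq 0 ] || exit 1

      # NOTE(review): actions are pinned to a major tag, not a commit SHA;
      # pin to a SHA if the supply chain of these actions matters to you.
      - name: Checkout stack repository
        uses: actions/checkout@v4

      - name: Checkout shared ansible
        uses: actions/checkout@v4
        with:
          repository: ${{ github.event.repository.owner.login }}/ansible-shared
          path: ansible-shared
          token: ${{ secrets.ORG_GITEA_TOKEN }}
          # Do not leave the org token in ansible-shared/.git/config where
          # later steps (pip packages, playbooks) could read it.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          # cache: "pip"

      # NOTE(review): unpinned installs pull whatever is latest on PyPI at run
      # time; consider a requirements file with pinned versions/hashes.
      - name: Install dependencies
        run: |
          pip install ansible docker

      # The key is decoded to ~/.ssh/skylab (path kept as in the original in
      # case inventory.ini references it) and loaded into an ssh-agent whose
      # socket is exported to later steps via GITHUB_ENV — an agent started in
      # one `run` step is otherwise invisible to the next one.
      # Uses the STAF_* secret that the validation step checks for; the
      # original referenced an unvalidated SKYLAB_* secret here, which is
      # assumed to be a copy-paste leftover — confirm against the secret store.
      - name: Setup SSH
        env:
          SSH_PRIVATE_KEY_BASE64: ${{ secrets.STAF_SSH_PRIVATE_KEY_BASE64 }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf "%s" "$SSH_PRIVATE_KEY_BASE64" | base64 -d > ~/.ssh/skylab
          chmod 600 ~/.ssh/skylab
          eval "$(ssh-agent -s)"
          ssh-add ~/.ssh/skylab
          echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
          echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"

      # extra_vars is passed as a single argv element instead of being spliced
      # into an `eval` string: a caller-supplied value containing quotes or `;`
      # can no longer break out into the shell.
      - name: Deploy stack with Ansible
        env:
          # Host key verification is disabled, so a MITM on the path to
          # STAF_HOST could capture the deploy session. Prefer shipping a
          # known_hosts entry and dropping this override.
          ANSIBLE_HOST_KEY_CHECKING: "False"
          EXTRA_VARS: ${{ inputs.extra_vars }}
          STACK_NAME: ${{ github.event.repository.name }}
          REPO_URL: ${{ github.server_url }}/${{ github.repository }}.git
          STAF_HOST: ${{ secrets.STAF_HOST }}
          STAF_ANSIBLE_USER: ${{ secrets.STAF_ANSIBLE_USER }}
          STAF_PUID: ${{ secrets.STAF_PUID }}
          STAF_PGID: ${{ secrets.STAF_PGID }}
          STAF_TZ: ${{ secrets.STAF_TIMEZONE }}
          STAF_APPDATA_ROOT: ${{ secrets.STAF_APPDATA_ROOT }}
        run: |
          cd ansible-shared
          args=(-i inventory.ini deploy-compose-stack.yml)
          if [ -n "${EXTRA_VARS:-}" ]; then
            args+=(--extra-vars "$EXTRA_VARS")
          fi
          if ! ansible-playbook "${args[@]}"; then
            echo "❌ Ansible playbook execution failed"
            exit 1
          fi

      - name: Notify deployment status
        if: always()
        env:
          STACK_NAME: ${{ github.event.repository.name }}
          JOB_STATUS: ${{ job.status }}
        run: |
          if [ "$JOB_STATUS" == "success" ]; then
            echo "✅ Stack $STACK_NAME deployed successfully"
          else
            echo "❌ Stack $STACK_NAME deployment failed"
          fi

      # Remove the decoded key (the original deleted ~/.ssh/ssh_key, a file it
      # never wrote, leaving the real key on the runner) and stop the agent.
      - name: Cleanup SSH key
        if: always()
        run: |
          rm -f ~/.ssh/skylab
          if [ -n "${SSH_AGENT_PID:-}" ]; then
            kill "$SSH_AGENT_PID" 2>/dev/null || true
          fi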