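name: Deploy to racknerd2

# Manual-only. Pulls the pre-built images from the registry onto racknerd2
# (validation host) over the NetBird mesh and restarts the stack. Build the
# images first with the "Build & Push Images" workflow.
#
# Requirements (see deploy/README.md):
#   - Forgejo Actions secret RACKNERD2_SSH_KEY: private key authorized for
#     root@racknerd2 (mesh IP 100.96.217.250).
#   - racknerd2 already prepared: Docker installed, logged in to the registry,
#     and /opt/archnest/{docker-compose.yml,.env} in place.
#
# NOTE(review): the key logs in as root. If deploy/README.md allows it, a
# forced command on that key in authorized_keys would limit what a leaked key
# can do on the host.

on:
  workflow_dispatch:
    inputs:
      tag:
        description: "Image tag to deploy (commit SHA or 'latest')"
        required: true
        default: latest

env:
  # Quoted so the values stay strings whatever parser reads the file.
  DEPLOY_HOST: "100.96.217.250"
  DEPLOY_DIR: "/opt/archnest"

jobs:
  deploy:
    runs-on: docker
    steps:
      - name: Install SSH client
        run: |
          apt-get update
          apt-get install -y --no-install-recommends openssh-client

      - name: Write deploy key
        env:
          # Passed through the environment so the key is never substituted
          # into the generated script text.
          RACKNERD2_SSH_KEY: "${{ secrets.RACKNERD2_SSH_KEY }}"
        run: |
          # Create the key file private from the start, not only after chmod.
          umask 077
          install -m 700 -d ~/.ssh
          printf '%s\n' "$RACKNERD2_SSH_KEY" > ~/.ssh/id_deploy
          chmod 600 ~/.ssh/id_deploy

      - name: Pull images and restart stack
        env:
          # The dispatch input is user-controlled text. It reaches the script
          # as data, never by template substitution into the shell source.
          ARCHNEST_TAG: "${{ inputs.tag }}"
        run: |
          # Accept only plain image-tag characters. Anything else (quotes,
          # spaces, shell metacharacters) is refused before it is placed in
          # the command line that runs as root on the deploy host.
          case "$ARCHNEST_TAG" in
            '' | [.-]* | *[!A-Za-z0-9_.-]*)
              echo "refusing to deploy: invalid image tag" >&2
              exit 1
              ;;
          esac
          # NOTE(review): accept-new trusts whichever host key is presented
          # when known_hosts is empty, which is every run on a fresh runner.
          # Provisioning a pinned known_hosts entry and switching to
          # StrictHostKeyChecking=yes would close that gap.
          ssh -i ~/.ssh/id_deploy -o StrictHostKeyChecking=accept-new \
            root@"$DEPLOY_HOST" \
            "cd $DEPLOY_DIR && ARCHNEST_TAG='$ARCHNEST_TAG' docker compose pull && ARCHNEST_TAG='$ARCHNEST_TAG' docker compose up -d --remove-orphans"

      - name: Health check (backend /api/health via mesh)
        run: |
          # Polls the health endpoint up to 30 times, 2 s apart. On failure it
          # prints the last 50 log lines of the stack and fails the job.
          ssh -i ~/.ssh/id_deploy -o StrictHostKeyChecking=accept-new \
            root@"$DEPLOY_HOST" \
            "for i in \$(seq 1 30); do curl -fsS http://$DEPLOY_HOST:8080/api/health && echo OK && exit 0; sleep 2; done; echo 'health check failed'; cd $DEPLOY_DIR && docker compose logs --tail=50; exit 1"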