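#!/usr/bin/env bash
#
# Deploy over SSH: install the deploy key, connect to the remote host, update
# the git checkout in APP_DIR and rebuild/restart the docker compose stack.
set -Eeuo pipefail

# Required env vars:
#   SSH_KEY    -> private SSH key content
#   SSH_USER   -> remote SSH user
#   SSH_IP     -> remote host/IP
#   GIT_USER   -> Gitea username
#   GIT_TOKEN  -> Gitea personal access token
#
# Optional env vars:
#   APP_DIR         -> remote app directory (default: /srv/systems/jakach-login)
#   GIT_HOST        -> git host             (default: git.jakach.ch)
#   GIT_REPO        -> repository path      (default: Jakach/jakach-login.git)
#   GIT_BRANCH      -> branch to deploy     (default: main)
#   SSH_KNOWN_HOSTS -> known_hosts line(s) for SSH_IP, obtained out of band.
#                      When set, only these keys are trusted and ssh-keyscan
#                      is not used.

: "${SSH_KEY:?SSH_KEY is required}"
: "${SSH_USER:?SSH_USER is required}"
: "${SSH_IP:?SSH_IP is required}"
: "${GIT_USER:?GIT_USER is required}"
: "${GIT_TOKEN:?GIT_TOKEN is required}"

# APP_DIR is documented as optional, so honour an override like the others.
APP_DIR="${APP_DIR:-/srv/systems/jakach-login}"
GIT_HOST="${GIT_HOST:-git.jakach.ch}"
GIT_REPO="${GIT_REPO:-Jakach/jakach-login.git}"
GIT_BRANCH="${GIT_BRANCH:-main}"

mkdir -p ~/.ssh
chmod 700 ~/.ssh

# Write SSH key. The umask makes the file owner-only from the moment it is
# created; CRs are stripped in case the secret was stored with CRLF endings.
(
  umask 077
  printf '%s\n' "$SSH_KEY" | tr -d '\r' > ~/.ssh/deploy_key
)
chmod 600 ~/.ssh/deploy_key

ssh_opts=(
  -i ~/.ssh/deploy_key
  -o StrictHostKeyChecking=yes
  -o IdentitiesOnly=yes
)

# Trust remote host
if [[ -n "${SSH_KNOWN_HOSTS:-}" ]]; then
  # Pinned key(s): use a dedicated file so nothing else in known_hosts can
  # vouch for this host.
  printf '%s\n' "$SSH_KNOWN_HOSTS" | tr -d '\r' > ~/.ssh/deploy_known_hosts
  chmod 600 ~/.ssh/deploy_known_hosts
  ssh_opts+=(-o "UserKnownHostsFile=$HOME/.ssh/deploy_known_hosts")
else
  # ssh-keyscan output is unauthenticated: whatever answers on SSH_IP during
  # this run becomes the trusted key, so StrictHostKeyChecking=yes below does
  # not protect against an on-path host at deploy time. Set SSH_KNOWN_HOSTS to
  # pin the key instead.
  printf 'warning: SSH_KNOWN_HOSTS not set; trusting the key returned by ssh-keyscan for %s\n' \
    "$SSH_IP" >&2
  ssh-keyscan -H "$SSH_IP" >> ~/.ssh/known_hosts 2>/dev/null \
    || printf 'warning: ssh-keyscan failed for %s\n' "$SSH_IP" >&2
fi

# The settings are sent on stdin ahead of the script rather than spliced into
# the remote command line: %q quotes every value for bash, so a quote character
# in a value cannot terminate the assignment and run as a command, and
# GIT_TOKEN does not show up in the remote process list.
{
  printf 'export %s=%q\n' \
    APP_DIR "$APP_DIR" \
    GIT_HOST "$GIT_HOST" \
    GIT_REPO "$GIT_REPO" \
    GIT_BRANCH "$GIT_BRANCH" \
    GIT_USER "$GIT_USER" \
    GIT_TOKEN "$GIT_TOKEN"
  cat <<'REMOTE'
set -Eeuo pipefail

: "${APP_DIR:?}"
: "${GIT_HOST:?}"
: "${GIT_REPO:?}"
: "${GIT_BRANCH:?}"
: "${GIT_USER:?}"
: "${GIT_TOKEN:?}"

cd "$APP_DIR"

# Keep origin on HTTPS but without credentials in the URL, so the token is not
# stored in .git/config. This also overwrites a token-bearing URL left there by
# an earlier run.
git remote set-url origin "https://${GIT_HOST}/${GIT_REPO}"

# Run git with a one-shot credential helper that answers from the exported
# GIT_USER/GIT_TOKEN. The empty credential.helper entry clears any configured
# helper first, so the token is not handed to a persistent credential store.
git_auth() {
  git -c credential.helper= \
    -c 'credential.helper=!f() { if test "$1" = get; then printf "username=%s\npassword=%s\n" "$GIT_USER" "$GIT_TOKEN"; fi; }; f' \
    "$@"
}

git_auth fetch origin "$GIT_BRANCH"
git checkout "$GIT_BRANCH"
git_auth pull origin "$GIT_BRANCH"

docker compose down
docker compose up -d --build
REMOTE
} | ssh "${ssh_opts[@]}" "$SSH_USER@$SSH_IP" 'bash -s'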