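---
# Deploys the Authentik stack with docker compose on every push to main.
# Runtime configuration comes from repository secrets/variables and is
# materialised into a .env file that docker-compose.yml interpolates.
name: deploy-authentik

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]

jobs:
  # ───────────────── deploy ─────────────────
  deploy:
    runs-on: docker
    # Job-level env: every step reads these as ordinary shell variables, so no
    # step has to inline a ${{ secrets.* }} expression into a script body.
    env:
      PG_PASS: ${{ secrets.PG_PASS }}
      PG_USER: ${{ vars.PG_USER }}
      PG_DB: ${{ vars.PG_DB }}
      AUTHENTIK_SECRET_KEY: ${{ secrets.AUTHENTIK_SECRET_KEY }}
      AUTHENTIK_ERROR_REPORTING__ENABLED: ${{ vars.AUTHENTIK_ERROR_REPORTING__ENABLED }}
      AUTHENTIK_IMAGE: ${{ vars.AUTHENTIK_IMAGE }}
      AUTHENTIK_TAG: ${{ vars.AUTHENTIK_TAG }}
      COMPOSE_PORT_HTTP: ${{ vars.COMPOSE_PORT_HTTP }}
      COMPOSE_PORT_HTTPS: ${{ vars.COMPOSE_PORT_HTTPS }}
    steps:
      # TODO: pin to a full commit SHA (actions/checkout@<40-hex-commit-sha>)
      # so that a moved tag cannot change what runs in this job.
      - uses: actions/checkout@v3

      - name: Create .env file from secrets
        # Values are taken from the shell environment rather than expanded by
        # the workflow template engine: a secret containing $(...), backticks
        # or quotes is written verbatim instead of being parsed as shell
        # syntax. The file is restricted to the owner afterwards.
        run: |
          cat > .env << EOF
          PG_PASS=${PG_PASS}
          PG_USER=${PG_USER}
          PG_DB=${PG_DB}
          AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
          AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
          AUTHENTIK_IMAGE=${AUTHENTIK_IMAGE}
          AUTHENTIK_TAG=${AUTHENTIK_TAG}
          COMPOSE_PORT_HTTP=${COMPOSE_PORT_HTTP}
          COMPOSE_PORT_HTTPS=${COMPOSE_PORT_HTTPS}
          EOF
          chmod 600 .env

      - name: Ensure external docker network exists
        # docker-compose.yml references this network as external, so it must
        # exist before `up`; inspect is used as the idempotent existence check.
        run: |
          docker network inspect principal >/dev/null 2>&1 || docker network create principal

      - name: Stop existing Authentik stack
        # `|| true`: a first deployment has nothing to take down.
        run: docker compose -f docker-compose.yml --project-name authentik down || true

      - name: Pull latest images
        # Same project name as the other compose steps so every step
        # addresses the same stack.
        run: docker compose -f docker-compose.yml --project-name authentik pull

      - name: Start Authentik stack
        run: docker compose -f docker-compose.yml --project-name authentik up -d --remove-orphans

      - name: Wait for services to be healthy
        # Best-effort: a timeout only logs a message and does not fail the job;
        # the HTTP smoke test below is the step that reports readiness.
        # The postgres user defaults to "authentik" when PG_USER is unset,
        # matching the compose file's default.
        run: |
          echo "Waiting for PostgreSQL..."
          timeout 60 bash -c 'until docker compose -f docker-compose.yml --project-name authentik exec -T postgresql pg_isready -U "${PG_USER:-authentik}"; do sleep 2; done' || echo "PostgreSQL health check timed out"
          echo "Waiting for Redis..."
          timeout 60 bash -c 'until docker compose -f docker-compose.yml --project-name authentik exec -T redis redis-cli ping | grep PONG; do sleep 2; done' || echo "Redis health check timed out"

      - name: Show service status
        run: docker compose -f docker-compose.yml --project-name authentik ps

      - name: Show recent logs
        # Last 50 lines per service land in the job log; keep the tail short
        # so the job output stays reviewable.
        run: docker compose -f docker-compose.yml --project-name authentik logs --tail=50

      - name: Inspect published ports
        # Diagnostic only: every command is `|| true` so an empty CID (server
        # not running) does not fail the job.
        run: |
          echo "=== Server container ports ==="
          CID=$(docker compose -f docker-compose.yml --project-name authentik ps -q server)
          echo "Container: $CID"
          docker inspect "$CID" --format '{{json .NetworkSettings.Ports}}' || true
          docker port "$CID" || true

      - name: Test HTTP endpoint
        # Probes the port the stack actually publishes (COMPOSE_PORT_HTTP),
        # falling back to the compose default of 9000 when the variable is
        # unset. Non-fatal so the deploy logs stay available for inspection.
        run: |
          echo "Testing HTTP endpoint..."
          sleep 10
          PORT="${COMPOSE_PORT_HTTP:-9000}"
          curl -f "http://localhost:${PORT}" || echo "HTTP endpoint not ready yet"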