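# Deploys MeshCentral with Docker Compose on every push to main/master.
# Flow: check out the repo, render meshcentral-data/config.json from runner
# variables and secrets, restrict file modes, pull the image, recreate the stack.
name: deploy-meshcentral

on:
  push:
    branches: [main, master]

jobs:
  deploy:
    runs-on: docker
    # Job-level env is visible to every step, including third-party actions.
    # NOTE(review): if the compose file does not read the AUTHENTIK_* values,
    # move them to the env of the config-generation step only. The compose
    # file is not visible here, so the job-level scope is kept.
    env:
      APP_NAME: ${{ vars.APP_NAME }}
      APP_DOMAIN: ${{ vars.APP_DOMAIN }}
      MESH_PORT: ${{ vars.MESH_PORT }}
      # Authentik OIDC configuration
      AUTHENTIK_ISSUER: ${{ vars.AUTHENTIK_ISSUER }}
      AUTHENTIK_CLIENT_ID: ${{ secrets.AUTHENTIK_CLIENT_ID }}
      AUTHENTIK_CLIENT_SECRET: ${{ secrets.AUTHENTIK_CLIENT_SECRET }}

    steps:
      # NOTE(review): a version tag is mutable; pin this action to a full
      # commit SHA so the code that runs with the job's secrets cannot change
      # underneath the workflow.
      - uses: actions/checkout@v3

      # Values are read from the environment rather than expanded with
      # ${{ ... }} inside the script, so they are never parsed as shell source.
      - name: Info about deployment
        run: |
          echo "ℹ️ Deploying MeshCentral"
          echo " Domain: ${APP_DOMAIN}"
          echo " Container: ${APP_NAME}"
          echo " Network: principal"

      - name: Create required directories
        run: |
          mkdir -p meshcentral-data
          mkdir -p meshcentral-files
          mkdir -p meshcentral-backup
          mkdir -p meshcentral-config

      # Renders config.json, which embeds the OIDC client secret.
      # - umask 077 keeps a newly created file private to the job user.
      # - The heredoc is unquoted so the shell substitutes the env values. With
      #   ${{ ... }} inside the script text, a value containing a line "EOF"
      #   would end the heredoc and the remainder would run as shell commands.
      # - Values are inserted verbatim, not JSON-escaped: they must not contain
      #   double quotes or backslashes.
      # NOTE(review): confirm MeshCentral recognises an "authentik" strategy
      # key; generic OpenID Connect providers are usually configured under
      # "oidc".
      # NOTE(review): "cookieIpCheck": false and "allowLoginToken": true relax
      # session binding and allow token logins; confirm both are intended.
      - name: Generate MeshCentral config.json
        run: |
          umask 077
          cat > meshcentral-data/config.json <<EOF
          {
            "settings": {
              "cert": "${APP_DOMAIN}",
              "port": 4430,
              "aliasPort": 443,
              "redirPort": 0,
              "AgentPong": 300,
              "TlsOffload": "127.0.0.1",
              "SelfUpdate": false,
              "AllowFraming": false,
              "WebRTC": true,
              "ClickOnce": false,
              "AllowHighQualityDesktop": true,
              "DesktopAspectRatios": "1.33,1.5,1.6,1.7,1.778,2.0"
            },
            "domains": {
              "": {
                "title": "MeshCentral - Nucleo Rio Frio",
                "title2": "Remote Management Platform",
                "newAccounts": false,
                "certUrl": "https://${APP_DOMAIN}:443/",
                "geoLocation": true,
                "cookieIpCheck": false,
                "allowLoginToken": true,
                "allowFraming": false,
                "authStrategies": {
                  "authentik": {
                    "issuer": "${AUTHENTIK_ISSUER}",
                    "clientid": "${AUTHENTIK_CLIENT_ID}",
                    "clientsecret": "${AUTHENTIK_CLIENT_SECRET}",
                    "callbackurl": "https://${APP_DOMAIN}/auth-oidc-callback"
                  }
                },
                "passwordRequirements": {
                  "min": 8,
                  "max": 128,
                  "upper": 1,
                  "lower": 1,
                  "numeric": 1,
                  "nonalpha": 1
                },
                "agentInviteCodes": false,
                "userNameIsEmail": false
              }
            }
          }
          EOF

      # meshcentral-data holds config.json (with the OIDC client secret), so
      # it is limited to the owning user instead of being world-readable (755).
      # Assumes the container process runs with the same UID as this job;
      # TODO confirm against the compose file. If it does not, chown the
      # directory to that UID rather than widening the mode.
      # NOTE(review): meshcentral-backup may hold equally sensitive data;
      # consider the same restriction there.
      - name: Set correct permissions
        run: |
          chmod -R u=rwX,go= meshcentral-data
          chmod -R 755 meshcentral-files
          chmod -R 755 meshcentral-backup
          chmod -R 755 meshcentral-config

      # NOTE(review): ":latest" is a moving tag; pinning the image by digest
      # makes the deployed code reviewable and reproducible.
      - name: Pull latest MeshCentral image
        run: docker pull ghcr.io/ylianst/meshcentral:latest

      # Best-effort teardown: a failure here (e.g. on first deploy) must not
      # abort the job.
      - name: Clean up existing stack
        run: docker compose --project-name "$APP_NAME" down || true

      - name: Start MeshCentral stack
        run: docker compose --project-name "$APP_NAME" up -d --remove-orphans --wait

      # Dumps container logs into the job log.
      # NOTE(review): check that startup output does not print secrets or
      # login tokens before sharing these logs.
      - name: Wait for MeshCentral to be ready
        run: |
          echo "⏳ Waiting for MeshCentral to start..."
          sleep 10
          docker logs "${APP_NAME}"

      - name: Deployment complete
        run: |
          echo "✅ MeshCentral deployed successfully"
          echo " Access at: https://${APP_DOMAIN}"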