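---
# Manually triggered workflow: rebuilds the NixOS cluster hosts and then runs
# the kubeadm bootstrap script. It is guarded by a typed confirmation phrase
# and serialized through `concurrency` so two bootstraps never overlap.
#
# Secrets and the dispatch input are handed to each step through `env:` and
# read as shell variables; nothing is expanded directly into script text, so
# a crafted value cannot inject shell syntax and secrets are not re-parsed by
# the shell.
name: Kubeadm Bootstrap
run-name: ${{ gitea.actor }} requested kubeadm bootstrap

on:
  workflow_dispatch:
    inputs:
      confirm:
        description: "Type BOOTSTRAP to run rebuild + kubeadm bootstrap"
        required: true
        type: string

concurrency:
  group: kubeadm-bootstrap
  cancel-in-progress: false

defaults:
  run:
    # Explicit bash runs with `-eo pipefail`, so a failing producer in a
    # pipeline (curl | sh, printf | tr) fails the step instead of continuing.
    shell: bash

jobs:
  bootstrap:
    name: "Rebuild and Bootstrap Cluster"
    runs-on: ubuntu-latest
    steps:
      - name: Validate confirmation phrase
        env:
          CONFIRM: ${{ inputs.confirm }}
        run: |
          if [ "$CONFIRM" != "BOOTSTRAP" ]; then
            echo "Confirmation failed. You must type BOOTSTRAP."
            exit 1
          fi

      - name: Checkout repository
        uses: https://gitea.com/actions/checkout@v4

      - name: Create SSH key
        # An unset secret arrives as "", which drives the fallback below.
        env:
          KUBEADM_SSH_PRIVATE_KEY: ${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}
          SSH_KEY_PRIVATE: ${{ secrets.SSH_KEY_PRIVATE }}
        run: |
          install -m 0700 -d ~/.ssh
          # Prefer the kubeadm-specific key; fall back to the shared one.
          KEY_CONTENT="$KUBEADM_SSH_PRIVATE_KEY"
          if [ -z "$KEY_CONTENT" ]; then
            KEY_CONTENT="$SSH_KEY_PRIVATE"
          fi
          if [ -z "$KEY_CONTENT" ]; then
            echo "Missing SSH private key secret. Set KUBEADM_SSH_PRIVATE_KEY or SSH_KEY_PRIVATE."
            exit 1
          fi
          # Restrict the umask before writing so the key file is never created
          # group/world-readable, even for the instant before chmod runs.
          umask 077
          printf '%s\n' "$KEY_CONTENT" > ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: "1.6.6"
          terraform_wrapper: false

      - name: Build Terraform backend files
        working-directory: terraform
        env:
          PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
          SSH_KEY_PUBLIC: ${{ secrets.SSH_KEY_PUBLIC }}
          B2_TF_BUCKET: ${{ secrets.B2_TF_BUCKET }}
          B2_TF_ENDPOINT: ${{ secrets.B2_TF_ENDPOINT }}
          B2_KEY_ID: ${{ secrets.B2_KEY_ID }}
          B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}
        run: |
          # strip_nl VALUE: drop CR/LF so a trailing newline stored with a
          # single-line credential does not break the quoted HCL string.
          strip_nl() { printf '%s' "$1" | tr -d '\r\n'; }

          # Written locally for this run only; both files hold credentials and
          # must stay out of version control.
          cat > secrets.auto.tfvars << EOF
          pm_api_token_secret = "$PM_API_TOKEN_SECRET"
          SSH_KEY_PUBLIC = "$(strip_nl "$SSH_KEY_PUBLIC")"
          EOF

          cat > backend.hcl << EOF
          bucket = "$B2_TF_BUCKET"
          key = "terraform.tfstate"
          region = "us-east-005"
          endpoints = { s3 = "$B2_TF_ENDPOINT" }
          access_key = "$(strip_nl "$B2_KEY_ID")"
          secret_key = "$(strip_nl "$B2_APPLICATION_KEY")"
          skip_credentials_validation = true
          skip_metadata_api_check = true
          skip_region_validation = true
          skip_requesting_account_id = true
          use_path_style = true
          EOF

      - name: Terraform init for state read
        working-directory: terraform
        run: terraform init -reconfigure -backend-config=backend.hcl

      - name: Create kubeadm inventory
        env:
          KUBEADM_SSH_USER: ${{ secrets.KUBEADM_SSH_USER }}
        run: |
          TF_OUTPUT_JSON="$(terraform -chdir=terraform output -json)"

          # tf_ip OUTPUT HOST: print one address from a Terraform output map,
          # e.g. `tf_ip control_plane_vm_ipv4 cp-1`. Fails (non-zero) if the
          # output or host key is missing, which aborts the step under `-e`.
          tf_ip() {
            python3 -c 'import json, sys; d = json.load(sys.stdin); print(d[sys.argv[1]]["value"][sys.argv[2]])' \
              "$1" "$2" <<< "$TF_OUTPUT_JSON"
          }

          CP_1="$(tf_ip control_plane_vm_ipv4 cp-1)"
          CP_2="$(tf_ip control_plane_vm_ipv4 cp-2)"
          CP_3="$(tf_ip control_plane_vm_ipv4 cp-3)"
          WK_1="$(tf_ip worker_vm_ipv4 wk-1)"
          WK_2="$(tf_ip worker_vm_ipv4 wk-2)"
          WK_3="$(tf_ip worker_vm_ipv4 wk-3)"

          # Default SSH user when the secret is not configured.
          SSH_USER="$KUBEADM_SSH_USER"
          if [ -z "$SSH_USER" ]; then
            SSH_USER="micqdf"
          fi

          cat > nixos/kubeadm/scripts/inventory.env << EOF
          SSH_USER=$SSH_USER
          CP_1=$CP_1
          CP_2=$CP_2
          CP_3=$CP_3
          WK_1=$WK_1
          WK_2=$WK_2
          WK_3=$WK_3
          EOF

      - name: Validate nix installation
        run: |
          # Reuse a pre-existing Nix (multi-user profile first, then PATH)
          # and only fall back to installing one for this job.
          if [ -x /nix/var/nix/profiles/default/bin/nix ]; then
            /nix/var/nix/profiles/default/bin/nix --version
            exit 0
          fi
          if command -v nix >/dev/null 2>&1; then
            nix --version
            exit 0
          fi
          echo "Nix missing; installing no-daemon Nix for this runner job"
          # -f makes curl fail on an HTTP error instead of handing an error
          # page to sh. NOTE(review): the installer is fetched unpinned; pinning
          # a release URL and verifying its checksum would make this step
          # reproducible and tamper-evident.
          sh <(curl -fsSL https://nixos.org/nix/install) --no-daemon
          if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
            . "$HOME/.nix-profile/etc/profile.d/nix.sh"
          fi
          nix --version

      - name: Install nixos-rebuild tool
        env:
          NIX_CONFIG: "experimental-features = nix-command flakes"
        run: |
          if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
            . "$HOME/.nix-profile/etc/profile.d/nix.sh"
          fi
          # Cover a pre-existing multi-user install whose bin dir is not on
          # PATH; the single-user profile.d script above handles the other case.
          export PATH="$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:$PATH"
          nix profile install nixpkgs#nixos-rebuild

      - name: Run cluster rebuild and bootstrap
        env:
          NIX_CONFIG: "experimental-features = nix-command flakes"
        run: |
          if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
            . "$HOME/.nix-profile/etc/profile.d/nix.sh"
          fi
          # PATH is extended by the shell here rather than via `env:`, where
          # `$HOME` would be left as a literal string by the runner.
          export PATH="$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:$PATH"
          ./nixos/kubeadm/scripts/rebuild-and-bootstrap.sh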