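---
# Terraform apply pipeline for the Proxmox/B2-backed cluster, followed by a
# kubeadm bootstrap/reconcile over SSH using the VM addresses Terraform emits.
#
# Secret handling: every secret is passed to its step through `env:` and read
# as a shell variable. Interpolating `${{ secrets.* }}` directly into a `run:`
# script would splice the secret's bytes into the script text, so a value
# containing `"`, `$(` or a backtick would be executed as shell.
#
# The "Ensure nix" step checks for an existing nix install, which suggests a
# persistent (self-hosted) runner; the final cleanup step therefore removes the
# credential files this job writes, whether or not the job succeeded.
name: Terraform Apply

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master

# Serialise applies against the shared remote state; never cancel a running apply.
concurrency:
  group: terraform-global
  cancel-in-progress: false

jobs:
  terraform:
    name: "Terraform Apply"
    runs-on: ubuntu-latest
    steps:
      # Mutable tags (`@v4`, `@v2`) resolve to whatever the tag points at today;
      # pin to a full commit SHA if the runner's supply chain matters here.
      - name: Checkout repository
        uses: https://gitea.com/actions/checkout@v4

      # Provider credentials (tfvars) and the B2/S3 backend config are written
      # into the terraform working directory; `umask 077` keeps both files
      # owner-only on a shared runner. Keys are stripped of CR/LF because some
      # secret stores append a trailing newline.
      - name: Create secrets.tfvars
        working-directory: terraform
        env:
          PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
          SSH_KEY_PUBLIC: ${{ secrets.SSH_KEY_PUBLIC }}
          B2_TF_BUCKET: ${{ secrets.B2_TF_BUCKET }}
          B2_TF_ENDPOINT: ${{ secrets.B2_TF_ENDPOINT }}
          B2_KEY_ID: ${{ secrets.B2_KEY_ID }}
          B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}
        run: |
          set -euo pipefail
          umask 077
          cat > secrets.auto.tfvars << EOF
          pm_api_token_secret = "${PM_API_TOKEN_SECRET}"
          SSH_KEY_PUBLIC = "$(printf '%s' "${SSH_KEY_PUBLIC}" | tr -d '\r\n')"
          EOF
          cat > backend.hcl << EOF
          bucket = "${B2_TF_BUCKET}"
          key = "terraform.tfstate"
          region = "us-east-005"
          endpoints = { s3 = "${B2_TF_ENDPOINT}" }
          access_key = "$(printf '%s' "${B2_KEY_ID}" | tr -d '\r\n')"
          secret_key = "$(printf '%s' "${B2_APPLICATION_KEY}" | tr -d '\r\n')"
          skip_credentials_validation = true
          skip_metadata_api_check = true
          skip_region_validation = true
          skip_requesting_account_id = true
          use_path_style = true
          EOF

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          # Quoted so no YAML parser can read the version as a number.
          terraform_version: "1.6.6"
          # Plain binary: later steps parse `terraform output -json` / `show -json`.
          terraform_wrapper: false

      # `-input=false` makes a missing variable a hard error instead of a hang.
      - name: Terraform Init
        working-directory: terraform
        run: terraform init -input=false -reconfigure -backend-config=backend.hcl

      - name: Terraform Plan
        working-directory: terraform
        run: terraform plan -input=false -out=tfplan

      # Refuse to apply a plan that deletes anything unless ALLOW_TF_DESTROY is
      # the literal string "true". The plan is read with raw_decode from the
      # first `{` so leading non-JSON output does not break parsing.
      - name: Block accidental destroy
        env:
          ALLOW_TF_DESTROY: ${{ secrets.ALLOW_TF_DESTROY }}
        working-directory: terraform
        run: |
          set -euo pipefail
          terraform show -json -no-color tfplan > tfplan.json
          DESTROY_COUNT="$(python3 - <<'PY'
          import json
          raw = open("tfplan.json", "rb").read().decode("utf-8", "ignore")
          data = json.JSONDecoder().raw_decode(raw[raw.find("{"):])[0]
          changes = data.get("resource_changes", [])
          print(sum(1 for rc in changes if "delete" in rc.get("change", {}).get("actions", [])))
          PY
          )"
          echo "Planned deletes: $DESTROY_COUNT"
          if [ "$DESTROY_COUNT" -gt 0 ] && [ "${ALLOW_TF_DESTROY}" != "true" ]; then
            echo "Destroy actions detected. Set ALLOW_TF_DESTROY=true to allow."
            exit 1
          fi

      # Applies exactly the reviewed plan file; `-auto-approve` is kept for parity.
      - name: Terraform Apply
        working-directory: terraform
        run: terraform apply -input=false -auto-approve tfplan

      # KUBEADM_SSH_PRIVATE_KEY wins; SSH_KEY_PRIVATE is the fallback. `umask 077`
      # ensures the key file is never created world-readable before the chmod.
      - name: Create SSH key
        env:
          KUBEADM_SSH_PRIVATE_KEY: ${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}
          SSH_KEY_PRIVATE: ${{ secrets.SSH_KEY_PRIVATE }}
        run: |
          set -euo pipefail
          umask 077
          install -m 0700 -d ~/.ssh
          KEY_CONTENT="${KUBEADM_SSH_PRIVATE_KEY:-}"
          if [ -z "$KEY_CONTENT" ]; then
            KEY_CONTENT="${SSH_KEY_PRIVATE:-}"
          fi
          if [ -z "$KEY_CONTENT" ]; then
            echo "Missing SSH private key secret. Set KUBEADM_SSH_PRIVATE_KEY or SSH_KEY_PRIVATE."
            exit 1
          fi
          # OpenSSH requires the trailing newline that secret stores often strip.
          printf '%s\n' "$KEY_CONTENT" > ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519

      # Builds nixos/kubeadm/scripts/inventory.env (KEY=value lines) from the
      # `control_plane_vm_ipv4` / `worker_vm_ipv4` outputs. A missing host key
      # raises KeyError in Python and fails the step under `set -e`.
      - name: Create kubeadm inventory from Terraform outputs
        env:
          KUBEADM_SSH_USER: ${{ secrets.KUBEADM_SSH_USER }}
        run: |
          set -euo pipefail
          TF_OUTPUT_JSON="$(terraform -chdir=terraform output -json)"
          SSH_USER="${KUBEADM_SSH_USER:-micqdf}"
          {
            echo "SSH_USER=$SSH_USER"
            python3 - "$TF_OUTPUT_JSON" <<'PY'
          import json, sys
          d = json.loads(sys.argv[1])
          cp = d["control_plane_vm_ipv4"]["value"]
          wk = d["worker_vm_ipv4"]["value"]
          for name, ip in (
              ("CP_1", cp["cp-1"]), ("CP_2", cp["cp-2"]), ("CP_3", cp["cp-3"]),
              ("WK_1", wk["wk-1"]), ("WK_2", wk["wk-2"]), ("WK_3", wk["wk-3"]),
          ):
              print(f"{name}={ip}")
          PY
          } > nixos/kubeadm/scripts/inventory.env

      # Installs single-user nix only when neither the default profile binary nor
      # a nix on PATH exists. `curl -f` makes an HTTP error fail the step instead
      # of feeding an error page to `sh`. The installer and `nixpkgs#nixos-rebuild`
      # are both unpinned (registry default), so builds are not reproducible
      # across runs; pin a nixpkgs ref if that matters.
      - name: Ensure nix and nixos-rebuild
        env:
          NIX_CONFIG: experimental-features = nix-command flakes
        run: |
          # No `-u`: the sourced nix.sh is third-party and may read unset vars.
          set -eo pipefail
          if [ ! -x /nix/var/nix/profiles/default/bin/nix ] && ! command -v nix >/dev/null 2>&1; then
            sh <(curl -fsSL https://nixos.org/nix/install) --no-daemon
          fi
          if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
            . "$HOME/.nix-profile/etc/profile.d/nix.sh"
          fi
          nix --version
          nix profile install nixpkgs#nixos-rebuild

      # PATH is extended inside the shell rather than via `env:`: `env:` values
      # are not shell-expanded, so `$HOME/...` there stays a literal entry, and
      # `env.PATH` is not part of the expression context, which can leave a
      # trailing empty (current-directory) PATH element.
      - name: Rebuild and bootstrap/reconcile kubeadm cluster
        env:
          NIX_CONFIG: experimental-features = nix-command flakes
        run: |
          set -eo pipefail
          export PATH="$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:$PATH"
          if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
            . "$HOME/.nix-profile/etc/profile.d/nix.sh"
          fi
          ./nixos/kubeadm/scripts/rebuild-and-bootstrap.sh

      # Runs even after a failure: the tfvars, backend config and SSH key must
      # not survive on the runner between jobs.
      - name: Remove credential files written by this job
        if: always()
        run: |
          rm -f terraform/secrets.auto.tfvars terraform/backend.hcl ~/.ssh/id_ed25519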