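# Deploys miriamgemeinde to the production host over SSH on every push to main.
# The job backs up the public images directory on the server, then runs the
# repository's deploy.sh there.
name: Deploy miriamgemeinde

on:
  push:
    branches:
      - main

# No step in this workflow uses GITHUB_TOKEN, so grant it no scopes.
permissions: {}

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      # Connection parameters come from repository variables (non-secret).
      SSH_HOST: ${{ vars.PROD_HOST }}
      SSH_PORT: ${{ vars.PROD_PORT }}
      SSH_USER: ${{ vars.PROD_USER }}
    steps:
      - name: Show resolved non-secret config
        run: |
          echo "SSH_HOST=$SSH_HOST"
          echo "SSH_PORT=$SSH_PORT"
          echo "SSH_USER=$SSH_USER"

      - name: Prepare SSH
        env:
          # Pass the secret through the environment instead of expanding it
          # into the script text, so its value never becomes shell source.
          PROD_SSH_KEY_B64: ${{ secrets.PROD_SSH_KEY_B64 }}
        run: |
          set -e
          # Create ~/.ssh and the key file with owner-only permissions from
          # the start, rather than tightening them after the write.
          umask 077
          mkdir -p ~/.ssh
          printf '%s' "$PROD_SSH_KEY_B64" | base64 -d > ~/.ssh/id_deploy
          chmod 600 ~/.ssh/id_deploy
          # Logs the key fingerprint only; also fails if the key is malformed.
          ssh-keygen -l -f ~/.ssh/id_deploy
          # ssh-keyscan records whatever key the host presents at scan time,
          # so this only ensures the later ssh calls reach that same key.
          # NOTE(review): to authenticate the server properly, store its
          # public host key in the repository configuration and write that
          # to known_hosts instead of scanning on every run.
          ssh-keyscan -p "$SSH_PORT" "$SSH_HOST" >> ~/.ssh/known_hosts
          # Fail here with a clear cause if the scan returned no keys.
          test -s ~/.ssh/known_hosts

      - name: Test SSH connection
        run: |
          set -e
          # Host key checking is enforced against the known_hosts entry
          # written in "Prepare SSH"; a mismatching key aborts the job.
          ssh -i ~/.ssh/id_deploy \
            -o StrictHostKeyChecking=yes \
            -o BatchMode=yes \
            -o ConnectTimeout=10 \
            -p "$SSH_PORT" \
            "$SSH_USER@$SSH_HOST" \
            "echo SSH OK"

      # If you need server-side preparation (e.g. ensure /var/... exists/permissions),
      # add it in the remote command before running the update script.
      - name: Run deployment script
        run: |
          set -e
          # Remote command: copy the images directory into a timestamped
          # backup folder (skipped with a warning if it does not exist),
          # then run deploy.sh from the project directory.
          ssh -i ~/.ssh/id_deploy \
            -o StrictHostKeyChecking=yes \
            -o BatchMode=yes \
            -o ConnectTimeout=10 \
            -p "$SSH_PORT" \
            "$SSH_USER@$SSH_HOST" \
            "bash -lc 'set -euo pipefail; TS=\$(date +\"%Y-%m-%d_%H%M%S\"); SRC=\"/var/www/miriamgemeinde/public/images\"; DEST_BASE=\"/home/torsten/miriamgemeinde/backup/\$TS\"; mkdir -p \"\$DEST_BASE\"; if [ -d \"\$SRC\" ]; then cp -a \"\$SRC\" \"\$DEST_BASE/\"; echo \"Backed up \$SRC -> \$DEST_BASE/images\"; else echo \"WARN: \$SRC does not exist; skipping backup\"; fi; cd /home/torsten/miriamgemeinde && ./deploy.sh'"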