name: Deploy to plate-software.de

# Push to main -> this self-hosted runner (cannamanage-act-runner on TrueNAS)
# rsyncs the static contents of site/ to the IONOS Apache DocumentRoot
# (/var/www/html on 82.165.206.45). No --delete is used, so unrelated
# content already on the server (downloads/, owncloud/, .well-known/,
# index.html.bak.*, etc.) is left untouched.
#
# Requires one repo secret (Settings -> Actions -> Secrets):
#   IONOS_DEPLOY_KEY : private ed25519 key whose public half is in
#                      root@82.165.206.45:~/.ssh/authorized_keys

on:
  push:
    branches: [main]
  workflow_dispatch:

concurrency:
  group: ionos-web-deploy
  cancel-in-progress: false

env:
  DEPLOY_HOST: 82.165.206.45
  DEPLOY_USER: root
  DEPLOY_PATH: /var/www/html/

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Check out pushed commit
        uses: actions/checkout@v4

      - name: Ensure rsync + ssh present
        run: |
          set -euo pipefail
          if ! command -v rsync >/dev/null 2>&1; then
            apt-get update -y && apt-get install -y rsync openssh-client
          fi
          # Avoid `rsync --version | head` — head closing the pipe early sends
          # SIGPIPE to rsync (exit 141) which trips `pipefail`. Print plainly.
          ver=$(rsync --version | sed -n '1p')
          echo "Using $ver"

      - name: Load deploy key
        run: |
          set -euo pipefail
          mkdir -p ~/.ssh
          printf '%s\n' "${{ secrets.IONOS_DEPLOY_KEY }}" > ~/.ssh/id_deploy
          chmod 600 ~/.ssh/id_deploy
          ssh-keyscan -H "$DEPLOY_HOST" >> ~/.ssh/known_hosts 2>/dev/null
          chmod 600 ~/.ssh/known_hosts

      - name: Rsync site/ to IONOS DocumentRoot
        run: |
          set -euo pipefail
          rsync -az --no-perms --no-owner --no-group --omit-dir-times \
            -e "ssh -i ~/.ssh/id_deploy -o IdentitiesOnly=yes" \
            site/ "${DEPLOY_USER}@${DEPLOY_HOST}:${DEPLOY_PATH}"
          echo "✅ Synced site/ -> ${DEPLOY_HOST}:${DEPLOY_PATH}"

      - name: Verify live
        run: |
          set -euo pipefail
          code=$(ssh -i ~/.ssh/id_deploy -o IdentitiesOnly=yes \
            "${DEPLOY_USER}@${DEPLOY_HOST}" \
            "curl -s -o /dev/null -w '%{http_code}' http://localhost/ -H 'Host: plate-software.de'")
          echo "Local origin HTTP $code"
          [ "$code" = "200" ] || { echo "❌ unexpected status"; exit 1; }
          echo "✅ plate-software.de serving HTTP 200"

      - name: Summary
        run: |
          echo "=== plate-software.de deployed ==="
          echo "Commit: ${GITHUB_SHA}"
          echo "Live:   https://plate-software.de"