name: Build Gateway Image

on:
  push:
    branches: [master]
  workflow_dispatch:

env:
  DEPLOY_PATH: /opt/vpn-proxy

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Clone repository
        env:
          GIT_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          SERVER_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||')
          git clone --depth 2 "http://${{ gitea.actor }}:${GIT_TOKEN}@${SERVER_HOST}/${{ gitea.repository }}.git" .
          git checkout ${{ gitea.sha }}

      - name: Build and push gateway image
        run: |
          REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||')
          IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}/gateway"

          echo "${{ secrets.REGISTRY_TOKEN }}" | docker login "$REGISTRY_HOST" -u "${{ gitea.actor }}" --password-stdin
          docker build -t "${IMAGE}:latest" -t "${IMAGE}:${{ gitea.sha }}" .
          docker push "${IMAGE}:latest"
          docker push "${IMAGE}:${{ gitea.sha }}"

  deploy:
    needs: build
    runs-on: lxc-111
    steps:
      - name: Deploy gateway to LXC 111
        run: |
          set -euo pipefail

          REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||')
          IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}/gateway"

          echo "Logging into registry..."
          echo "${{ secrets.REGISTRY_TOKEN }}" | docker login "$REGISTRY_HOST" -u "${{ gitea.actor }}" --password-stdin

          echo "Preparing deploy directory: ${{ env.DEPLOY_PATH }}"
          mkdir -p "${{ env.DEPLOY_PATH }}"

          cat > "${{ env.DEPLOY_PATH }}/docker-compose.server.yml" <<EOF
          services:
            vpn-proxy-gateway:
              image: ${IMAGE}:latest
              container_name: vpn-proxy-gateway
              network_mode: host
              cap_add:
                - NET_ADMIN
                - NET_RAW
              env_file:
                - .env
              environment:
                DATA_DIR: /var/lib/vpn-proxy
                SING_BOX_CONFIG: /etc/sing-box/config.json
                SING_BOX_CACHE: /var/lib/sing-box/cache.db
              volumes:
                - vpn-proxy-data:/var/lib/vpn-proxy
                - sing-box-cache:/var/lib/sing-box
              restart: unless-stopped

          volumes:
            vpn-proxy-data:
            sing-box-cache:
          EOF

          if [ ! -f "${{ env.DEPLOY_PATH }}/.env" ]; then
            cat > "${{ env.DEPLOY_PATH }}/.env" <<'EOF'
          PORT=3456
          PROXY_PORT=8080
          TPROXY_PORT=7895
          TPROXY_MARK=1
          TPROXY_TABLE=100
          TPROXY_CHAIN=VPN_PROXY_TPROXY
          ROUTING_RU_DIRECT=true
          LOG_LEVEL=info
          EOF
            echo "Created default .env. Existing deployments can edit ${{ env.DEPLOY_PATH }}/.env and it will be preserved."
          else
            echo "Preserving existing .env"
          fi

          cd "${{ env.DEPLOY_PATH }}"

          echo "Pulling latest image..."
          docker compose -f docker-compose.server.yml pull

          echo "Starting gateway..."
          docker compose -f docker-compose.server.yml up -d

          echo "Current container:"
          docker ps --filter "name=vpn-proxy-gateway"