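#!/usr/bin/env bash
# ==============================================================================
# deploy.sh — Deploy Dawarich LXC (Rails + Sidekiq + PostGIS + Redis)
#
# Usage:
#   ./deploy.sh                  # full deploy (prompts for vault password)
#   ./deploy.sh --tags dawarich  # dawarich role only
#   ./deploy.sh -v               # verbose output
#
# All arguments are passed through to ansible-playbook unchanged.
# Reads inventory.ini, requirements.yml and site.yml from the current directory.
#
# Host-key handling: a new or changed SSH host key is never trusted silently.
# The scanned fingerprints are shown and the operator must confirm them before
# ~/.ssh/known_hosts is modified, because the playbook that follows sends
# vault-decrypted secrets to whatever answers on that address.
# ==============================================================================
set -euo pipefail

# Print a message to stderr and abort.
die() {
  printf 'deploy.sh: %s\n' "$*" >&2
  exit 1
}

# Target = first field of the first inventory line that starts with a digit.
# A single awk avoids a silent `pipefail` exit when nothing matches.
HOST_IP="$(awk '/^[0-9]/ { print $1; exit }' inventory.ini)" \
  || die "cannot read inventory.ini"
[[ -n "$HOST_IP" ]] || die "no line starting with a digit found in inventory.ini"
HOST_USER="cbalders"

echo "==> Checking connectivity to ${HOST_USER}@${HOST_IP} ..."
ssh_err=""
if ! ssh_err="$(ssh -o ConnectTimeout=5 -o BatchMode=yes \
  "${HOST_USER}@${HOST_IP}" true 2>&1 >/dev/null)"; then
  if [[ "$ssh_err" == *"Host key verification failed"* ]]; then
    echo " Host key for ${HOST_IP} is unknown or has changed."

    # Scan into a private temp file first; known_hosts is only touched after
    # the operator has accepted the fingerprints.
    scanned_keys="$(mktemp)" || die "mktemp failed"
    trap 'rm -f -- "$scanned_keys"' EXIT
    ssh-keyscan -H "$HOST_IP" >"$scanned_keys" 2>/dev/null || true
    [[ -s "$scanned_keys" ]] || die "ssh-keyscan returned no keys for ${HOST_IP}"

    echo " Fingerprints currently offered by ${HOST_IP}:"
    ssh-keygen -lf "$scanned_keys"

    # Compare against a fingerprint obtained out of band, e.g. by running
    # `ssh-keygen -lf` on the host's public key from its console.
    [[ -t 0 ]] \
      || die "host key needs confirmation; verify the fingerprint and re-run interactively"
    answer=""
    read -r -p " Do these match the fingerprint obtained out of band? [y/N] " answer
    [[ "$answer" == [yY] ]] || die "host key not accepted; known_hosts left untouched"

    ssh-keygen -R "$HOST_IP" >/dev/null 2>&1 || true
    cat -- "$scanned_keys" >>~/.ssh/known_hosts
  else
    # Timeouts and authentication failures are not host-key problems, so
    # replacing the stored key would only discard a valid trust anchor.
    echo " Cannot SSH to ${HOST_IP} — known_hosts left untouched:" >&2
    printf ' %s\n' "$ssh_err" >&2
  fi
fi

echo "==> Installing Ansible collections ..."
# stderr stays visible: under `set -e` a failed install aborts the script and
# the reason has to be on screen.
# NOTE(review): --force re-downloads on every run; confirm requirements.yml
# pins exact collection versions so a deploy cannot pick up an unreviewed release.
ansible-galaxy collection install -r requirements.yml --force

echo "==> Running deploy playbook ..."
ansible-playbook -i inventory.ini site.yml --ask-vault-pass "$@"

echo "==> Verifying ..."
# The remote script is informational: every probe has a fallback message, so
# its exit status is always 0 and an unreachable service does not fail the run.
# The quoted delimiter keeps the body literal (no local expansion).
# NOTE(review): the script arrives on stdin, so sudo presumably needs to be
# passwordless for this user — confirm.
ssh "${HOST_USER}@${HOST_IP}" bash -s <<'VERIFY'
echo "Containers:"
sudo docker ps --format ' {{.Names}}: {{.Status}}' | sort
echo "Dawarich web (TCP socket probe — Rails force_ssl redirects HTTP, smoke via Caddy after Caddy deploy):"
if sudo docker exec dawarich_app ruby -rsocket -e 'TCPSocket.new("localhost",3000).close' 2>/dev/null; then
  echo " :3000 LISTENING"
else
  echo " UNREACHABLE"
fi
echo "Postgis (probed from dawarich_app):"
sudo docker exec dawarich_app sh -c 'pg_isready -h dawarich_db -U dawarich' 2>/dev/null || echo " (pg unreachable)"
VERIFY

echo "==> Done."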