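# Manually triggered workflow that runs `sfp server init` against a remote host
# over SSH, from inside the SFP Docker image.
#
# Hardening applied in this file:
#   * No `${{ ... }}` expression is expanded inside a `run:` script. Every
#     value reaches the shell through `env:`, so its content is data and is
#     never parsed as shell syntax on the runner.
#   * The init command is passed to the container as an argument vector rather
#     than as a string re-parsed by `bash -c`, so quotes, `$(...)` or `;` in a
#     variable cannot change the command that runs. Values are therefore
#     passed literally; nothing in them is expanded inside the container.
#   * The temporary copy of the SSH deploy key is removed by an EXIT trap, so
#     it is also cleaned up when `docker run` fails.
#
# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN gets the
# repository default scopes. Consider `permissions: { contents: read }` once it
# is confirmed that ./.github/actions/setup-sfp needs nothing more.
name: Initialize SFP Server

on:
  workflow_dispatch:
    inputs:
      # Destructive option. NOTE(review): consider gating this job behind a
      # protected environment with required reviewers.
      force:
        description: 'Force re-initialization (destroys existing data)'
        type: boolean
        default: false
      tls_mode:
        description: 'TLS certificate mode'
        type: choice
        options:
          - 'letsencrypt'
          - 'custom'
        default: 'letsencrypt'

jobs:
  init:
    name: 'Initialize server'
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@v4` is a mutable tag; pinning third-party actions to a
      # full commit SHA prevents a retagged release from running with this
      # job's secrets.
      - name: Checkout repository
        uses: actions/checkout@v4

      # Fail early, with a readable message, when a required variable is unset.
      - name: Validate required variables
        env:
          SSH_HOST: ${{ vars.SSH_HOST }}
          TENANT_NAME: ${{ vars.TENANT_NAME }}
          DOMAIN: ${{ vars.DOMAIN }}
          DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
          IMAGE_FQDN: ${{ vars.IMAGE_FQDN }}
        run: |
          MISSING=""
          [ -z "$SSH_HOST" ] && MISSING="$MISSING SSH_HOST"
          [ -z "$TENANT_NAME" ] && MISSING="$MISSING TENANT_NAME"
          [ -z "$DOMAIN" ] && MISSING="$MISSING DOMAIN"
          [ -z "$DOCKER_REGISTRY" ] && MISSING="$MISSING DOCKER_REGISTRY"
          [ -z "$IMAGE_FQDN" ] && MISSING="$MISSING IMAGE_FQDN"
          if [ -n "$MISSING" ]; then
            echo "Missing required GitHub Variables:$MISSING"
            echo ""
            echo "Configure these in: Settings > Secrets and variables > Actions > Variables"
            exit 1
          fi

      # Local composite action; the script below expects it to leave
      # ~/.ssh/deploy_key and ~/.ssh/known_hosts on the runner and reads its
      # `sfp-image` output.
      # NOTE(review): the `latest` fallback is a mutable tag; a fixed tag or
      # digest makes the image that receives the secrets reproducible.
      - name: Setup SFP CLI and SSH
        id: setup
        uses: ./.github/actions/setup-sfp
        with:
          docker-registry: ${{ vars.DOCKER_REGISTRY }}
          docker-registry-token: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
          image-fqdn: ${{ vars.IMAGE_FQDN }}
          image-tag: ${{ vars.IMAGE_TAG || 'latest' }}
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
          ssh-host: ${{ vars.SSH_HOST }}

      - name: Initialize server
        # Explicit, because the script uses bash arrays.
        shell: bash
        env:
          DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
          DOCKER_REGISTRY_TOKEN: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
          ORIGIN_CERT: ${{ secrets.ORIGIN_CERT }}
          ORIGIN_KEY: ${{ secrets.ORIGIN_KEY }}
          SFP_IMAGE: ${{ steps.setup.outputs.sfp-image }}
          TENANT: ${{ vars.TENANT_NAME }}
          DOMAIN: ${{ vars.DOMAIN }}
          # NOTE(review): the fallback account is root; a dedicated deploy user
          # with only the rights the init needs limits what this key can do.
          SSH_USER: ${{ vars.SSH_USER || 'root' }}
          SSH_HOST: ${{ vars.SSH_HOST }}
          TLS_MODE: ${{ inputs.tls_mode }}
          WORKERS: ${{ vars.WORKERS || '1' }}
          BASE_DIR: ${{ vars.BASE_DIR || './sfp-server' }}
          IMAGE_FQDN: ${{ vars.IMAGE_FQDN }}
          IMAGE_TAG: ${{ vars.IMAGE_TAG || 'latest' }}
          FORCE: ${{ inputs.force }}
        run: |
          echo "Initializing SFP Server"
          echo " Tenant: $TENANT"
          echo " Domain: $DOMAIN"
          echo " Host: $SSH_HOST"
          echo " TLS Mode: $TLS_MODE"
          echo " Workers: $WORKERS"
          echo " Image: $SFP_IMAGE"

          # Build the init command as an argument vector: each value stays one
          # argument, whatever characters it contains.
          INIT_ARGS=(
            sfp server init
            --tenant "$TENANT"
            --mode prod
            --domain "$DOMAIN"
            --tls-mode "$TLS_MODE"
            --workers "$WORKERS"
            --base-dir "$BASE_DIR"
            --supabase-mode self-hosted
            --secrets-provider custom
            --no-interactive
            --ssh-connection "$SSH_USER@$SSH_HOST"
            --identity-file /root/.ssh/deploy_key
            --image "${IMAGE_FQDN}:${IMAGE_TAG}"
          )

          if [ "$FORCE" = "true" ]; then
            INIT_ARGS+=(--force)
          fi

          # Run sfp CLI from inside the Docker image.
          # Copy the SSH key into a temp dir with correct permissions
          # (container may not run as root).
          SSH_DIR=$(mktemp -d)
          # Remove the key copy on every exit path, including a failed init.
          trap 'rm -rf "$SSH_DIR"' EXIT
          cp ~/.ssh/deploy_key "$SSH_DIR/deploy_key"
          cp ~/.ssh/known_hosts "$SSH_DIR/known_hosts"
          chmod 600 "$SSH_DIR/deploy_key"
          chmod 644 "$SSH_DIR/known_hosts"

          # Secrets are forwarded by name (-e VAR), so their values never
          # appear on the docker command line. The inner script is a fixed
          # single-quoted string; the init arguments arrive as "$@".
          docker run --rm \
            --user root \
            -v "$SSH_DIR/deploy_key":/root/.ssh/deploy_key \
            -v "$SSH_DIR/known_hosts":/root/.ssh/known_hosts \
            -e DOCKER_REGISTRY \
            -e DOCKER_REGISTRY_TOKEN \
            -e ORIGIN_CERT \
            -e ORIGIN_KEY \
            "$SFP_IMAGE" \
            bash -c 'chmod 600 /root/.ssh/deploy_key && exec "$@"' bash "${INIT_ARGS[@]}"

      # Runs even when the init step failed, so the summary always records
      # which configuration was attempted.
      - name: Output init results
        if: always()
        env:
          TENANT: ${{ vars.TENANT_NAME }}
          DOMAIN: ${{ vars.DOMAIN }}
          SSH_HOST: ${{ vars.SSH_HOST }}
          TLS_MODE: ${{ inputs.tls_mode }}
          SFP_IMAGE: ${{ steps.setup.outputs.sfp-image }}
        run: |
          {
            echo "## SFP Server Initialization"
            echo ""
            echo "### Configuration"
            echo "| Setting | Value |"
            echo "|---------|-------|"
            echo "| Tenant | $TENANT |"
            echo "| Domain | $DOMAIN |"
            echo "| Host | $SSH_HOST |"
            echo "| TLS Mode | $TLS_MODE |"
            echo "| Image | $SFP_IMAGE |"
            echo ""
            echo "### Next Steps"
            echo "1. Verify the server is accessible at \`https://$DOMAIN\`"
            echo "2. Configure integrations (GitHub OAuth, GitHub App, Slack) via the integration API or by editing \`.env\` on the server"
            echo "3. Use the **Update SFP Server** workflow for future updates"
          } >> "$GITHUB_STEP_SUMMARY"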