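#!/usr/bin/env bash
#
# Ships an image deploy bundle to a remote host over SSH, unpacks it into the
# deploy directory, logs in to the Harbor registry and (re)starts the stack
# with docker compose.
#
# Required environment:
#   IMAGE_DEPLOY_BUNDLE_FILE  local path of the bundle (.tgz) to upload
#   DEPLOY_HOST, DEPLOY_USER  SSH target
#   DEPLOY_PATH               directory on the target to unpack into
#   HARBOR_ENDPOINT           registry passed to `docker login`
#   HARBOR_ROBOT_ACCOUNT      registry user
#   HARBOR_ROBOT_KEY          registry secret (sent on stdin, never in argv)
#
# The remote account's shell must accept `set -o pipefail` (bash-like).
set -euo pipefail

# Print an error to stderr and abort.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Abort unless the environment variable named by $1 is set and non-empty.
require_env() {
  local key="$1"
  [[ -n "${!key:-}" ]] || die "Missing required env: $key"
}

require_env IMAGE_DEPLOY_BUNDLE_FILE
require_env DEPLOY_HOST
require_env DEPLOY_USER
require_env DEPLOY_PATH
require_env HARBOR_ENDPOINT
require_env HARBOR_ROBOT_ACCOUNT
require_env HARBOR_ROBOT_KEY

[[ -f "$IMAGE_DEPLOY_BUNDLE_FILE" ]] || die "bundle file not found: $IMAGE_DEPLOY_BUNDLE_FILE"

# A leading '-' would be parsed as an option by ssh/scp/ssh-keyscan.
[[ "$DEPLOY_HOST" != -* && "$DEPLOY_USER" != -* ]] ||
  die "DEPLOY_HOST and DEPLOY_USER must not start with '-'"

remote="${DEPLOY_USER}@${DEPLOY_HOST}"
known_hosts=~/.ssh/known_hosts

# Host key handling. Appending a fresh ssh-keyscan result on every run makes
# ssh accept whatever key the network presents at deploy time, even when a
# key for this host is already pinned (ssh accepts any listed key for a host).
# Scan only when there is no entry yet, so a pinned key stays authoritative.
# NOTE(security): the first-run scan is still trust-on-first-use; provision
# the host key into known_hosts out of band where possible.
mkdir -p -m 700 ~/.ssh
if ! ssh-keygen -F "$DEPLOY_HOST" -f "$known_hosts" >/dev/null 2>&1; then
  ssh-keyscan -H "$DEPLOY_HOST" >>"$known_hosts"
fi

# The bundle carries .env, so it must not land at a guessable path in the
# shared /tmp: let the remote side pick the name with mktemp, which creates
# the file owner-only, instead of deriving it from a timestamp.
remote_bundle="$(ssh "$remote" 'mktemp /tmp/baron-sso-image-deploy-XXXXXXXXXX')" ||
  die "could not create remote temp file on $DEPLOY_HOST"
# Reject anything but the expected path (e.g. stray login-script output),
# which also makes the value safe to embed in the remote command below.
[[ "$remote_bundle" =~ ^/tmp/baron-sso-image-deploy-[A-Za-z0-9]{10}$ ]] ||
  die "unexpected remote temp path: $remote_bundle"

scp "$IMAGE_DEPLOY_BUNDLE_FILE" "${remote}:${remote_bundle}"

# Shell-quote every value spliced into the remote command line; wrapping in
# plain single quotes breaks as soon as a value itself contains a quote.
printf -v q_path '%q' "$DEPLOY_PATH"
printf -v q_endpoint '%q' "$HARBOR_ENDPOINT"
printf -v q_account '%q' "$HARBOR_ROBOT_ACCOUNT"

# The EXIT trap removes the uploaded bundle whether or not the deploy succeeds.
remote_script="set -euo pipefail
trap 'rm -f -- ${remote_bundle}' EXIT
mkdir -p -- ${q_path}
tar -xzf ${remote_bundle} -C ${q_path}
cd -- ${q_path}
chmod 600 .env
docker network inspect traefik-public >/dev/null 2>&1 || docker network create traefik-public
docker login ${q_endpoint} -u ${q_account} --password-stdin
docker compose --env-file .env -f docker-compose.yml pull
docker compose --env-file .env -f docker-compose.yml up -d --remove-orphans
docker compose --env-file .env -f docker-compose.yml ps"

# The registry key travels on stdin to `docker login --password-stdin`;
# printf is a builtin, so the secret never appears in a process argument
# list. Do not enable `set -x` around this line: xtrace would print the key.
printf '%s\n' "$HARBOR_ROBOT_KEY" | ssh "$remote" "$remote_script"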