stages: [install, build, deploy]

variables:
  NODE_ENV: production
  BUILD_DIR: dist

# Gemeinsames pnpm-Setup für alle Node-Jobs
.node_pnpm: &node_pnpm
  image: node:20-bullseye
  before_script:
    - echo "🧩 Corepack/Pnpm aktivieren..."
    - corepack enable
    - corepack prepare pnpm@9.12.0 --activate
    - pnpm -v

cache:
  key: ${CI_COMMIT_REF_SLUG}
  paths:
    - node_modules/

install:
  stage: install
  <<: *node_pnpm
  script:
    - echo "📦 Installing deps..."
    # Nutze --frozen-lockfile nur, wenn pnpm-lock.yaml im Repo committed ist
    - if [ -f pnpm-lock.yaml ]; then pnpm install --frozen-lockfile --reporter=append-only; else pnpm install --reporter=append-only; fi
  artifacts:
    paths:
      - node_modules/
    expire_in: 1h

build:
  stage: build
  <<: *node_pnpm
  script:
    - echo "🏗️ Building..."
    - pnpm build
    - echo "✅ Build complete."
  artifacts:
    paths:
      - ${BUILD_DIR}/
    expire_in: 1 week

.deploy_template: &deploy
  stage: deploy
  image: alpine:3.20
  before_script:
    - apk add --no-cache openssh-client rsync
    - mkdir -p ~/.ssh
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
    - chmod 600 ~/.ssh/id_ed25519
    - ssh-keyscan -H "$DEPLOY_HOST" >> ~/.ssh/known_hosts
  script:
    - rsync -az --delete ${BUILD_DIR}/ $DEPLOY_USER@$DEPLOY_HOST:$DEPLOY_PATH

deploy:staging:
  <<: *deploy
  variables:
    DEPLOY_PATH: /www/htdocs/w020df28/projects/usbcheck/staging/
  environment:
    name: staging
    url: https://staging.usbcheck.it
  only:
    - develop
    - merge_requests

deploy:production:
  <<: *deploy
  variables:
    DEPLOY_PATH: /www/htdocs/w020df28/projects/usbcheck/web/
  environment:
    name: production
    url: https://www.usbcheck.it
  only:
    - main
  when: manual


  ssh:diagnose:
  stage: deploy
  image: alpine:3.20
  script:
    - apk add --no-cache openssh-client
    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
    - chmod 600 ~/.ssh/id_ed25519

    # zeige Fingerprint & public key (sollte zum KAS-Eintrag passen)
    - echo "Public key derived from private key:"
    - ssh-keygen -y -f ~/.ssh/id_ed25519 | tee /tmp/ci_pubkey.pub
    - echo "Fingerprint:"; ssh-keygen -lf ~/.ssh/id_ed25519

    # Hostkey anlernen
    - ssh-keyscan -H "$DEPLOY_HOST" >> ~/.ssh/known_hosts

    # Sehr ausführlicher Login-Test (ohne Befehl)
    - echo "Trying SSH with -vvv..."
    - ssh -vvv -o IdentitiesOnly=yes -o PreferredAuthentications=publickey $DEPLOY_USER@$DEPLOY_HOST 'echo OK'
  when: manual