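---
name: Build and Deploy

on:
  push:
    branches: [main]

# The runner has capacity=1 so these serialize; order matters for the
# healthcheck (muffin runs last so yarn's pull-update can test against the
# freshly-deployed harmonia if needed).
#
# NOTE(review): nothing in this file enforces that order — there is no
# `needs:` on muffin, so it relies on the scheduler picking jobs in file
# order on a single-capacity runner. If the ordering is a hard requirement,
# add `needs: [mreow, yarn]` to muffin (which would also skip the deploy when
# either build fails — decide whether that is wanted).
#
# NOTE(review): every job unlocks git-crypt and nothing re-locks it, so the
# decrypted secrets stay in the runner's workspace after the job finishes.
# Worth a final `git-crypt lock` step with `if: always()` if the workspace is
# not thrown away between runs.
jobs:
  mreow:
    runs-on: nix
    steps:
      - uses: https://github.com/actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Unlock git-crypt
        run: git-crypt unlock /run/agenix/git-crypt-key-nixos

      - name: Build mreow
        run: nix build .#nixosConfigurations.mreow.config.system.build.toplevel -L

      # Best-effort: publish the built closure's store path and pin it with a
      # GC root so a later pull-update on the host can find it. Failure here
      # must not fail the build job.
      - name: Record mreow store path
        continue-on-error: true
        run: |
          install -d /var/lib/nix-deploy
          readlink -f result > /var/lib/nix-deploy/mreow
          nix-store --add-root /var/lib/nix-deploy/mreow-gcroot -r "$(readlink -f result)"

  yarn:
    runs-on: nix
    steps:
      - uses: https://github.com/actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Unlock git-crypt
        run: git-crypt unlock /run/agenix/git-crypt-key-nixos

      - name: Build yarn
        run: nix build .#nixosConfigurations.yarn.config.system.build.toplevel -L

      # Same best-effort store-path/GC-root publication as for mreow.
      - name: Record yarn store path for pull-update
        continue-on-error: true
        run: |
          install -d /var/lib/nix-deploy
          readlink -f result > /var/lib/nix-deploy/yarn
          nix-store --add-root /var/lib/nix-deploy/yarn-gcroot -r "$(readlink -f result)"

  muffin:
    runs-on: nix
    env:
      # Pinned known_hosts + strict checking for any git-over-ssh that nix
      # itself performs during evaluation/fetching.
      GIT_SSH_COMMAND: "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"
    steps:
      - uses: https://github.com/actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Unlock git-crypt
        run: git-crypt unlock /run/agenix/git-crypt-key-nixos

      - name: Build muffin
        run: nix build .#nixosConfigurations.muffin.config.system.build.toplevel -L

      - name: Deploy via deploy-rs
        run: |
          set -euo pipefail
          # Start a throwaway agent for deploy-rs and tear it down when the
          # step ends. Without the trap the agent process (holding the
          # decrypted deploy key) outlives the job on the shared runner.
          eval "$(ssh-agent -s)"
          trap 'ssh-agent -k >/dev/null 2>&1 || true' EXIT
          ssh-add /run/agenix/ci-deploy-key
          # TODO(security): pin deploy-rs to a revision
          # (github:serokell/deploy-rs/<rev>); an unpinned flake ref
          # re-resolves upstream HEAD on every run, so the tool that gets
          # root on the target is whatever upstream currently ships.
          # --skip-checks presumably bypasses deploy-rs' own flake checks —
          # confirm that the `Build muffin` step above is considered
          # sufficient pre-deploy validation.
          nix run github:serokell/deploy-rs -- .#muffin --skip-checks \
            --ssh-opts="-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts"

      - name: Health check
        run: |
          set -euo pipefail
          # Give the activated units a moment to settle before probing.
          sleep 10
          # `systemctl is-active` only proves the units reached "active"; it
          # does not exercise the services themselves. Any one inactive unit
          # fails the step (and so the job), which triggers the failure alert.
          ssh -i /run/agenix/ci-deploy-key \
              -o StrictHostKeyChecking=yes \
              -o UserKnownHostsFile=/etc/ci-known-hosts \
              root@server-public \
              "systemctl is-active gitea && systemctl is-active caddy && systemctl is-active continuwuity && systemctl is-active coturn"

      - name: Notify success
        if: success()
        run: |
          TOPIC=$(cat /run/agenix/ntfy-alerts-topic | tr -d '[:space:]')
          TOKEN=$(cat /run/agenix/ntfy-alerts-token | tr -d '[:space:]')
          # A transport failure here must not fail the job: the deploy already
          # succeeded, and a failing step would fire the "Deploy FAILED"
          # alert below for a deploy that actually worked.
          curl -sf -o /dev/null -X POST \
            "https://ntfy.sigkill.computer/$TOPIC" \
            -H "Authorization: Bearer $TOKEN" \
            -H "Title: [muffin] Deploy succeeded" \
            -H "Priority: default" \
            -H "Tags: white_check_mark" \
            -d "nixos deployed from commit ${GITHUB_SHA::8}" \
            || echo "warning: could not send success notification to ntfy" >&2

      - name: Notify failure
        if: failure()
        run: |
          # Best-effort on purpose: the job has already failed, so a missing
          # secret or unreachable ntfy must not mask the original error.
          TOPIC=$(cat /run/agenix/ntfy-alerts-topic 2>/dev/null | tr -d '[:space:]')
          TOKEN=$(cat /run/agenix/ntfy-alerts-token 2>/dev/null | tr -d '[:space:]')
          curl -sf -o /dev/null -X POST \
            "https://ntfy.sigkill.computer/$TOPIC" \
            -H "Authorization: Bearer $TOKEN" \
            -H "Title: [muffin] Deploy FAILED" \
            -H "Priority: urgent" \
            -H "Tags: rotating_light" \
            -d "nixos muffin deploy failed at commit ${GITHUB_SHA::8}" || true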