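# CI for the wiki flake: every pull request and every push to main is
# checked and built; pushes to main are then deployed over Tailscale + SSH.
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for GITHUB_TOKEN: no step below writes to the repository.
permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): `@main` is a mutable ref, so whatever that branch holds
      # at run time executes in this job. Pin third-party actions to a
      # reviewed full commit SHA.
      - uses: DeterminateSystems/nix-installer-action@main
      # NOTE(review): this job runs on pull_request with the same Cachix
      # token the deploy job uses. If the token allows pushes, confirm that
      # PR builds are meant to write to the cache deploy reads from.
      - uses: cachix/cachix-action@v15
        with:
          name: noisebridge-wiki
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: nix flake check
        run: nix flake check
      - name: Build wiki
        run: nix build .#nixosConfigurations.wiki.config.system.build.toplevel
      - name: Build wiki-replica
        run: nix build .#nixosConfigurations.wiki-replica.config.system.build.toplevel

  deploy:
    needs: check
    # Deploy only for pushes to main, never for pull requests.
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    runs-on: ubuntu-latest
    # One deploy at a time; a running deploy is not cancelled by a newer one.
    concurrency:
      group: deploy
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): mutable `@main` ref in the job that holds the deploy
      # key and Tailscale credentials; pin to a reviewed full commit SHA.
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: cachix/cachix-action@v15
        with:
          name: noisebridge-wiki
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Connect to Tailscale
        uses: tailscale/github-action@v2
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tags: tag:ci
      - name: Configure SSH
        # Hand the key to the shell through the environment instead of
        # expanding it into the script text, so its content is never parsed
        # as shell syntax.
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          # Create ~/.ssh and the key file owner-only from the start.
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$DEPLOY_SSH_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          # NOTE(review): ssh-keyscan accepts whatever host key is presented
          # at deploy time (trust on first use, every run), and stderr is
          # discarded so a failed scan is silent. Prefer writing known_hosts
          # from host keys recorded out of band.
          ssh-keyscan -t ed25519 wiki wiki-replica >> ~/.ssh/known_hosts 2>/dev/null
      - name: Deploy wiki
        run: nix run .#deploy -- .#wiki -- --ssh-opts="-o ConnectTimeout=30"
      - name: Deploy wiki-replica
        run: nix run .#deploy -- .#wiki-replica -- --ssh-opts="-o ConnectTimeout=30"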