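#!/usr/bin/env sh
#
# Deploys the compose stack: makes sure a TLS certificate/key pair exists
# (generating a self-signed one when either file is missing), pulls and
# rebuilds the images, restarts the stack and finally prunes unused images
# and build cache.
#
# Optional environment variables (defaults in parentheses):
#   STACK_NAME    compose project name            (ksef_app)
#   COMPOSE_FILE  compose file to deploy          (docker-compose.yml)
#   SSL_DIR       directory holding the cert/key  (./deploy/caddy/ssl)
#   APP_DOMAIN    host name put into the cert     (localhost)
#   CERT_FILE     certificate path                (${SSL_DIR}/server.crt)
#   KEY_FILE      private key path                (${SSL_DIR}/server.key)
set -eu

STACK_NAME="${STACK_NAME:-ksef_app}"
COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
SSL_DIR="${SSL_DIR:-./deploy/caddy/ssl}"
APP_DOMAIN="${APP_DOMAIN:-localhost}"
CERT_FILE="${CERT_FILE:-${SSL_DIR}/server.crt}"
KEY_FILE="${KEY_FILE:-${SSL_DIR}/server.key}"

# Prints its arguments as one line on stdout.
log() {
  printf '%s\n' "$*"
}

# Exits with status 1 when the command named in $1 is not on PATH.
need_cmd() {
  command -v "$1" >/dev/null 2>&1 || {
    printf 'Brak wymaganego polecenia: %s\n' "$1" >&2
    exit 1
  }
}

need_cmd docker
need_cmd openssl

# "docker" being on PATH does not guarantee the compose plugin is installed;
# fail here rather than half-way through the deployment.
docker compose version >/dev/null 2>&1 || {
  printf 'Brak wymaganego polecenia: %s\n' "docker compose" >&2
  exit 1
}

mkdir -p "$SSL_DIR"

if [ ! -f "$CERT_FILE" ] || [ ! -f "$KEY_FILE" ]; then
  log "Nie znaleziono certyfikatu SSL w katalogu ${SSL_DIR}, tworzę self-signed cert..."

  # APP_DOMAIN is spliced into -subj and -addext below. A "/" or "," in it
  # would add extra subject fields or SAN entries to the certificate, so only
  # host-name characters are accepted. Checked only on this branch, so
  # deployments with a pre-provisioned certificate are unaffected.
  case "$APP_DOMAIN" in
    *[!A-Za-z0-9.-]*)
      printf 'Nieprawidłowa wartość APP_DOMAIN: %s\n' "$APP_DOMAIN" >&2
      exit 1
      ;;
  esac

  # A lone cert or a lone key is useless; drop whatever half is left.
  rm -f -- "$CERT_FILE" "$KEY_FILE"

  # -nodes writes the private key unencrypted, so file permissions are its
  # only protection. Generate under umask 077 so the key is never group- or
  # world-readable, not even between creation and the chmod below. The
  # subshell keeps the tightened umask away from the rest of the script.
  # NOTE: -addext needs OpenSSL 1.1.1 or newer.
  (
    umask 077
    openssl req -x509 -nodes -newkey rsa:4096 -sha256 -days 825 \
      -keyout "$KEY_FILE" \
      -out "$CERT_FILE" \
      -subj "/CN=${APP_DOMAIN}" \
      -addext "subjectAltName=DNS:${APP_DOMAIN},DNS:localhost,IP:127.0.0.1"
  )
  chmod 600 "$KEY_FILE"
  chmod 644 "$CERT_FILE"
else
  log "Znaleziono istniejący certyfikat SSL w katalogu ${SSL_DIR}."
fi

# pull/build use the same project name as up/down. Without -p, compose falls
# back to its default project name, and images built without an explicit
# "image:" would be tagged for a different project than the one started below.
log "Pobieram najnowsze obrazy bazowe..."
docker compose -p "$STACK_NAME" -f "$COMPOSE_FILE" pull

log "Buduję obraz bez cache..."
docker compose -p "$STACK_NAME" -f "$COMPOSE_FILE" build --no-cache

# Stopping or removing a stack that is not running is not an error here.
log "Zatrzymuję aktualny stack..."
docker compose -p "$STACK_NAME" -f "$COMPOSE_FILE" stop || true

log "Usuwam osierocone kontenery i stare nieużywane obrazy..."
docker compose -p "$STACK_NAME" -f "$COMPOSE_FILE" down --remove-orphans || true

log "Uruchamiam stack ${STACK_NAME}..."
docker compose -p "$STACK_NAME" -f "$COMPOSE_FILE" up -d

# Prune only after the stack is up. Between "down" and "up" no container
# references the freshly pulled and built images, so "image prune -a" at that
# point would delete them and "up" would have to fetch and build everything
# again while the application is offline.
# NOTE: both prunes are host-wide. They remove every unused image and all
# build cache on this Docker host, not only those belonging to this stack.
log "Czyszczę nieużywane obrazy i cache buildera..."
docker image prune -af || true
docker builder prune -af || true

log "Deployment zakończony. Aplikacja powinna być dostępna pod https://${APP_DOMAIN}"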