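# Workflow: runs the Authelia update script on the target host over SSH and
# reports the result to a Matrix room. Credentials are read from Vault at run
# time; only the Vault token is stored as a repository secret.
name: Authelia Update Check

on:
  push:
  workflow_dispatch:
    inputs:
      args:
        description: 'Argumente (z.B. --apply)'
        default: ''

jobs:
  check-and-notify:
    runs-on: ubuntu-latest
    steps:
      # 1. Fetch secrets from Vault
      # NOTE(review): `@v2` is a mutable tag. Pin third-party actions that
      # handle credentials to a full commit SHA (<FULL_COMMIT_SHA>) so a moved
      # tag cannot change what runs with the Vault token.
      - name: Import Secrets from Vault
        uses: https://github.com/hashicorp/vault-action@v2
        with:
          url: https://dein-vault-server.de  # <--- your Vault URL
          token: ${{ secrets.VAULT_TOKEN }}  # <--- only this one token has to be stored in Gitea
          tlsSkipVerify: false
          secrets: |
            secret/data/authelia/ssh root | SSH_PASSWORD ;
            secret/data/matrix/bot/drone-bot password | MATRIX_PASSWORD ;
            secret/data/matrix/bot/drone-bot userid | MATRIX_USERID ;
            secret/data/matrix/bot/drone-bot roomid | MATRIX_ROOMID

      # 2. SSH step (uses the variables exported from Vault)
      # NOTE(review): this logs in as root with a password and does not pin
      # the server's host key. Prefer key-based auth (`key:`) with a dedicated
      # low-privilege account, and set the action's `fingerprint:` input to
      # the host key fingerprint (<HOST_KEY_SHA256_FINGERPRINT>).
      # NOTE(review): `@v1.0.3` is a tag, not a commit SHA; see the pinning
      # note on the Vault step.
      - name: SSH Execution and Logic
        id: ssh_step
        uses: https://github.com/appleboy/ssh-action@v1.0.3
        env:
          # The dispatch input is user-controlled. It is handed over as an
          # environment variable instead of being expanded into the script
          # text, so shell metacharacters in it are not parsed as commands on
          # the remote host.
          ARGS: ${{ github.event.inputs.args }}
        with:
          host: 10.0.4.18
          username: root
          password: ${{ env.SSH_PASSWORD }}
          port: 22
          # Forward ARGS from the step environment to the remote script.
          envs: ARGS
          script: |
            # NOTE(review): the script is downloaded from a moving branch and
            # executed as root without an integrity check. Pin the URL to a
            # commit and verify a known checksum before running it.
            fetch -o /tmp/authelia-update.sh https://git.familie-berner.de/Open/infra-maintenance/raw/branch/main/authelia/authelia-update.sh
            chmod +x /tmp/authelia-update.sh

            # Let the update script fail without aborting, so its exit code
            # can be mapped to a status message below.
            set +e
            # $ARGS is deliberately unquoted so several flags split into
            # separate arguments.
            timeout 10m /tmp/authelia-update.sh $ARGS
            EXIT_CODE=$?
            set -e

            case $EXIT_CODE in
              0) MSG="✅ Update erfolgreich / Alles aktuell" ;;
              10) MSG="ℹ Update verfügbar, aber nicht angewendet" ;;
              75) MSG="🔥 KRITISCH: Dienst startet nicht!" ;;
              *) MSG="❌ Fehler (Code: $EXIT_CODE)" ;;
            esac

            # NOTE(review): this script runs on the SSH target, where the
            # runner's GITHUB_OUTPUT file is presumably not available, so the
            # step outputs read by the Matrix step are likely empty. Confirm,
            # and transport the status another way if so. The guard keeps an
            # unset variable from aborting the script under `set -e`.
            if [ -n "${GITHUB_OUTPUT:-}" ]; then
              echo "status_msg=$MSG" >> "$GITHUB_OUTPUT"
              echo "exit_code=$EXIT_CODE" >> "$GITHUB_OUTPUT"
            fi
            echo "$MSG (exit code: $EXIT_CODE)"

            # Fail the step for real errors. The original tested the undefined
            # variable $CODE here, so the step could never report a failure.
            if [ "$EXIT_CODE" -gt 10 ]; then exit "$EXIT_CODE"; fi

      # 3. Matrix notification (also uses the Vault data)
      - name: Matrix Notification
        if: always()
        env:
          # Values are passed through the environment and read as shell
          # variables, rather than being expanded into the script text, so
          # their content cannot alter the commands below.
          MATRIX_USERID: ${{ env.MATRIX_USERID }}
          MATRIX_PASSWORD: ${{ env.MATRIX_PASSWORD }}
          MATRIX_ROOMID: ${{ env.MATRIX_ROOMID }}
          STATUS_MSG: ${{ steps.ssh_step.outputs.status_msg }}
          EXIT_CODE: ${{ steps.ssh_step.outputs.exit_code }}
        run: |
          # NOTE(review): the JSON is assembled by string concatenation; a
          # quote or backslash in any value yields invalid JSON.
          LOGIN_JSON="{\"type\":\"m.login.password\", \"user\":\"$MATRIX_USERID\", \"password\":\"$MATRIX_PASSWORD\"}"
          # Send the login body on stdin so the password does not appear in
          # curl's argument list.
          TOKEN_JSON=$(printf '%s' "$LOGIN_JSON" | curl -s -X POST --data @- "https://matrix.familie-berner.de/_matrix/client/r0/login")
          TOKEN=$(echo "$TOKEN_JSON" | sed -nE 's/.*"access_token":"([^"]+)".*/\1/p')
          if [ -z "$TOKEN" ]; then
            echo "Matrix login failed: no access token in response" >&2
            exit 1
          fi

          BODY="### Authelia Bericht\n**Status:** $STATUS_MSG\n**Exit-Code:** $EXIT_CODE"
          # The access token goes into the Authorization header instead of the
          # query string, which keeps it out of URLs and access logs.
          curl -s -X POST -H "Authorization: Bearer $TOKEN" -d "{\"msgtype\":\"m.text\", \"format\":\"org.matrix.custom.html\", \"formatted_body\":\"$BODY\", \"body\":\"$BODY\"}" \
            "https://matrix.familie-berner.de/_matrix/client/r0/rooms/$MATRIX_ROOMID/send/m.room.message"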