#cloud-config
package_update: true
write_files:
  - path: /opt/secrets/.env.prod.local
    permissions: '0600'
    content: |
      APP_ENV=prod
      APP_DEBUG=0
      APP_SECRET=${app_secret}
      APP_PORTAL_DOMAIN=${domain}
      DATABASE_URL="${database_url}"
      CORS_ALLOW_ORIGIN=${cors_allow_origin}
      TRUSTED_PROXIES=10.0.0.0/16
      HCLOUD_DNS_TOKEN=${hcloud_dns_token}
      HCLOUD_DNS_ZONE_NAME=${dns_zone_name}
      JWT_SECRET_KEY=%kernel.project_dir%/config/jwt/private.pem
      JWT_PUBLIC_KEY=%kernel.project_dir%/config/jwt/public.pem
      JWT_PASSPHRASE=${jwt_passphrase}
      S3_ENDPOINT=${s3_endpoint}
      S3_REGION=${s3_region}
      S3_BUCKET=${s3_bucket}
      S3_KEY=${s3_key}
      S3_SECRET=${s3_secret}
      S3_PATH_STYLE=true
      MESSENGER_TRANSPORT_DSN=doctrine://default?auto_setup=0
  - path: /opt/secrets/private.pem.b64
    permissions: '0600'
    content: ${base64encode(jwt_private_key)}
  - path: /opt/secrets/public.pem.b64
    permissions: '0644'
    content: ${base64encode(jwt_public_key)}
  - path: /opt/secrets/deploy.vars
    permissions: '0600'
    content: |
      REPO_URL=${repo_url}
      REPO_BRANCH=${repo_branch}
      DOMAIN=${domain}
      RUN_MIGRATIONS=${run_migrations}
  - path: /opt/deploy.sh
    permissions: '0755'
    content: |
      #!/usr/bin/env bash
      set -euo pipefail
      . /opt/secrets/deploy.vars
      export DEBIAN_FRONTEND=noninteractive
      command -v docker >/dev/null 2>&1 || curl -fsSL https://get.docker.com | sh
      apt-get update && apt-get install -y git
      rm -rf /opt/vcard4
      git clone --branch "$REPO_BRANCH" --depth 1 "$REPO_URL" /opt/vcard4
      cd /opt/vcard4
      cp /opt/secrets/.env.prod.local backend/.env.prod.local
      mkdir -p backend/config/jwt
      base64 -d /opt/secrets/private.pem.b64 > backend/config/jwt/private.pem
      base64 -d /opt/secrets/public.pem.b64 > backend/config/jwt/public.pem
      chmod 640 backend/config/jwt/private.pem
      # Hetzner-Privatnetz-NIC (nicht eth0) sicher per DHCP hochziehen (für DB-Zugriff).
      # Manchmal kommt das private Interface beim ersten Boot nicht hoch → DB unerreichbar.
      PRIV=$(ls /sys/class/net | grep -E '^(enp|ens)' | grep -v '^eth0$' | head -1 || true)
      if [ -n "$${PRIV:-}" ] && ! ip -4 addr show "$PRIV" | grep -q 'inet 10\.'; then
        printf '[Match]\nName=%s\n[Network]\nDHCP=ipv4\n' "$PRIV" > "/etc/systemd/network/10-$PRIV.network"
        ip link set "$PRIV" up || true
        systemctl restart systemd-networkd || true
        for i in $(seq 1 30); do ip -4 addr | grep -q 'inet 10\.' && break; sleep 2; done
      fi
      # Build + Deploy über das gemeinsame Skript (auch vom Terraform-Code-Rollout genutzt)
      DOMAIN="$DOMAIN" RUN_MIGRATIONS="$RUN_MIGRATIONS" bash /opt/vcard4/deploy/update.sh
runcmd:
  - bash /opt/deploy.sh > /var/log/vcard4-deploy.log 2>&1