// Single source of truth for env injection.
// Adding/removing a variable means editing one `keys` list — nothing else.
// `path` is the Vault KV path; `file` is the output path relative to ${WORKSPACE}.
def ENV_LAYOUT = [
    [path: 'ggh-prod/root', file: '.env', keys: [
        'POSTGRES_DB', 'POSTGRES_PASSWORD', 'POSTGRES_USER',
    ]],
    [path: 'ggh-prod/backend', file: 'backend/.env', keys: [
        'BYTESCALE_SECRET_API_KEY',
        'CORS_ALLOWED_ORIGINS',
        'DATABASE_URL',
        'EMAIL_FROM',
        'JWT_SECRET',
        'PORT',
        'POSTMARK_API_KEY',
    ]],
    [path: 'ggh-prod/dashboard-frontend', file: 'frontend/.env', keys: [
        'VITE_API_URL',
    ]],
]

pipeline {
    agent {
        label 'jagent06'
    }

    options {
        disableConcurrentBuilds()
    }

    environment {
        REMOTE_HOST       = "root@170.187.237.83"
        REMOTE_DEPLOY_DIR = "/root/gg-backend"
        SSH_CREDENTIALS_ID = "ssh_id_ed25519"
        COMPOSE_FILE      = "docker-compose.prod.yml"
    }

    stages {
        stage('Checkout Code') {
            steps {
                git credentialsId: 'SYS_BOT_PAT', url: 'https://gt.mgsigma.net/GGH/gg-backend.git', branch: 'main'
            }
        }

        stage('Inject .env from Vault') {
            steps {
                script {
                    def vaultSecrets = ENV_LAYOUT.collect { layer ->
                        [
                            path: layer.path,
                            engineVersion: 2,
                            secretValues: layer.keys.collect { k ->
                                [vaultKey: k, envVar: k]
                            }
                        ]
                    }

                    def writtenFiles = ENV_LAYOUT.collect { it.file }.join(', ')

                    withVault(
                        configuration: [
                            vaultUrl: 'https://vault.mgsigma.net',
                            vaultCredentialId: 'vault-cicd-01'
                        ],
                        vaultSecrets: vaultSecrets
                    ) {
                        // Single-quoted sh + withEnv keeps secret names out of the
                        // Groovy GString. Values are read at shell runtime via
                        // `printenv`, so Jenkins's static analyzer has nothing to flag.
                        ENV_LAYOUT.each { layer ->
                            withEnv([
                                "ENV_FILE=${layer.file}",
                                "ENV_KEYS=${layer.keys.join(' ')}"
                            ]) {
                                sh '''
                                    set +x
                                    umask 077
                                    mkdir -p "$(dirname "$WORKSPACE/$ENV_FILE")"
                                    : > "$WORKSPACE/$ENV_FILE"
                                    for k in $ENV_KEYS; do
                                        printf '%s=%s\n' "$k" "$(printenv "$k")" >> "$WORKSPACE/$ENV_FILE"
                                    done
                                '''
                            }
                        }
                        echo "[INFO] env files written: ${writtenFiles}"
                    }
                }
            }
        }

        stage('Sync sources to prod VPS') {
            steps {
                sshagent (credentials: ["${env.SSH_CREDENTIALS_ID}"]) {
                    sh """
                        ssh -o StrictHostKeyChecking=no $REMOTE_HOST 'mkdir -p $REMOTE_DEPLOY_DIR'
                        rsync -az --delete \\
                            --exclude='.git/' \\
                            --exclude='node_modules/' \\
                            --exclude='backend/node_modules/' \\
                            --exclude='frontend/node_modules/' \\
                            --exclude='frontend/dist/' \\
                            -e "ssh -o StrictHostKeyChecking=no" \\
                            ./ $REMOTE_HOST:$REMOTE_DEPLOY_DIR/
                    """
                }
            }
        }

        stage('Deploy on prod VPS') {
            steps {
                sshagent (credentials: ["${env.SSH_CREDENTIALS_ID}"]) {
                    sh """
                        ssh -o StrictHostKeyChecking=no $REMOTE_HOST '
                            set -e
                            cd $REMOTE_DEPLOY_DIR

                            if [ -n "\$(docker compose -f $COMPOSE_FILE ps -q 2>/dev/null)" ]; then
                                echo "[INFO] Stopping existing containers..."
                                docker compose -f $COMPOSE_FILE down --remove-orphans
                            else
                                echo "[INFO] No running containers — skipping stop."
                            fi

                            docker image prune -f >/dev/null 2>&1 || true

                            echo "[INFO] Building and starting services..."
                            docker compose -f $COMPOSE_FILE up -d --build --remove-orphans
                        '
                    """
                }
            }
        }
    }

    post {
        always {
            script {
                env.BUILD_INFO_HASH = sh(
                    script: "git rev-parse --short HEAD 2>/dev/null || echo N/A",
                    returnStdout: true
                ).trim()
                env.BUILD_INFO_AUTHOR = sh(
                    script: "git log -1 --pretty=format:'%an' 2>/dev/null || echo N/A",
                    returnStdout: true
                ).trim()
                env.BUILD_INFO_MESSAGE = sh(
                    script: "git log -1 --pretty=format:'%s' 2>/dev/null || echo 'No commit message found'",
                    returnStdout: true
                ).trim()

                def cause = currentBuild.getBuildCauses()?.getAt(0)?.shortDescription ?: 'Unknown'
                env.BUILD_INFO_TRIGGER = cause.contains('Started by user') ? 'Manual trigger' : cause
            }
        }
        success {
            script {
                emailext(
                    subject: "[PRODUCTION] ${env.JOB_NAME} #${env.BUILD_NUMBER} succeeded",
                    body: renderEmail('Build succeeded', '#16a34a', buildInfo()),
                    mimeType: 'text/html',
                    to: 'admin@msigmagokulam.com, ashir@mgsigma.net, kailasdevdas@msigmagokulam.com'
                )
            }
        }
        failure {
            script {
                emailext(
                    subject: "[PRODUCTION] ${env.JOB_NAME} #${env.BUILD_NUMBER} failed",
                    body: renderEmail('Build failed', '#dc2626', buildInfo()),
                    mimeType: 'text/html',
                    to: 'admin@msigmagokulam.com, ashir@mgsigma.net, kailasdevdas@msigmagokulam.com'
                )
            }
        }
    }
}

def buildInfo() {
    return [
        hash:     env.BUILD_INFO_HASH ?: 'N/A',
        author:   env.BUILD_INFO_AUTHOR ?: 'N/A',
        message:  env.BUILD_INFO_MESSAGE ?: 'N/A',
        trigger:  env.BUILD_INFO_TRIGGER ?: 'Unknown',
        duration: currentBuild.durationString.replace(' and counting', '')
    ]
}

def renderEmail(String label, String accent, Map info) {
    return """\
<!DOCTYPE html>
<html>
<body style="margin:0; padding:0; background-color:#f6f7f9;">
<table role="presentation" cellpadding="0" cellspacing="0" border="0" width="100%" style="background-color:#f6f7f9; padding:40px 16px;">
  <tr><td align="center">
    <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="560" style="max-width:560px; background:#ffffff; border-radius:12px; overflow:hidden; box-shadow:0 1px 3px rgba(15,23,42,0.08); font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,Helvetica,Arial,sans-serif;">
      <tr><td style="height:3px; background:${accent};"></td></tr>
      <tr><td style="padding:32px 40px 0 40px;">
        <div style="font-size:12px; font-weight:600; color:${accent}; letter-spacing:0.8px; text-transform:uppercase; margin-bottom:6px;">${label} · production</div>
        <div style="font-size:20px; font-weight:600; color:#0f172a; line-height:1.35;">${env.JOB_NAME}<span style="color:#94a3b8; font-weight:400;"> &middot; #${env.BUILD_NUMBER}</span></div>
      </td></tr>
      <tr><td style="padding:20px 40px 8px 40px;">
        <table role="presentation" cellpadding="0" cellspacing="0" border="0" width="100%" style="font-size:14px; color:#0f172a;">
          <tr><td width="110" style="padding:7px 0; color:#64748b;">Commit</td><td style="padding:7px 0; font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace; font-size:13px;">${info.hash}</td></tr>
          <tr><td style="padding:7px 0; color:#64748b;">Author</td><td style="padding:7px 0;">${info.author}</td></tr>
          <tr><td style="padding:7px 0; color:#64748b; vertical-align:top;">Message</td><td style="padding:7px 0;">${info.message}</td></tr>
          <tr><td style="padding:7px 0; color:#64748b;">Triggered by</td><td style="padding:7px 0;">${info.trigger}</td></tr>
          <tr><td style="padding:7px 0; color:#64748b;">Duration</td><td style="padding:7px 0;">${info.duration}</td></tr>
        </table>
      </td></tr>
      <tr><td style="padding:20px 40px 32px 40px;">
        <a href="${env.BUILD_URL}" style="display:inline-block; padding:10px 18px; background:#0f172a; color:#ffffff; text-decoration:none; border-radius:8px; font-size:14px; font-weight:500;">View build</a>
        <a href="${env.BUILD_URL}console" style="display:inline-block; padding:10px 14px; color:#475569; text-decoration:none; font-size:14px; font-weight:500;">Console output &rarr;</a>
      </td></tr>
      <tr><td style="padding:14px 40px; background:#f8fafc; border-top:1px solid #e2e8f0; font-size:12px; color:#94a3b8;">
        Automated notification from Jenkins
      </td></tr>
    </table>
  </td></tr>
</table>
</body>
</html>
"""
}