#!/usr/bin/env sh
# Deploy (or update) the predictor stack to a Docker Swarm via the Swarmpit
# REST API, then trigger a redeploy so running services pick up the new image.
#
# Required env: SWARMPIT_URL, SWARMPIT_TOKEN, STACK_NAME, TAG
# Optional env: CA_CERTIFICATES (PEM bundle for a private Swarmpit TLS CA)
set -eu

: "${SWARMPIT_URL:?SWARMPIT_URL is required}"
: "${SWARMPIT_TOKEN:?SWARMPIT_TOKEN is required}"
: "${STACK_NAME:?STACK_NAME is required}"
TAG="${TAG:-latest}"

# Pin the image tag in the compose we send (replace the ${TAG:-latest} default
# with the concrete tag) so the exact built image is what gets deployed.
sed "s|:\${TAG:-latest}|:${TAG}|g" docker-compose.swarm.yml > /tmp/stack.yml

CA_OPT=""
if [ -n "${CA_CERTIFICATES:-}" ]; then
  echo "${CA_CERTIFICATES}" > /tmp/swarmpit-ca.crt
  CA_OPT="--cacert /tmp/swarmpit-ca.crt"
fi

compose_json=$(jq -Rs . < /tmp/stack.yml)
jq -n --arg name "${STACK_NAME}" --argjson compose "${compose_json}" \
  '{name: $name, spec: {compose: $compose}}' > /tmp/swarmpit-payload.json

echo "Deploying stack '${STACK_NAME}' (tag ${TAG}) to ${SWARMPIT_URL}"
curl -fsS -X POST "${SWARMPIT_URL}/api/stacks/${STACK_NAME}" \
  -H "authorization: Bearer ${SWARMPIT_TOKEN}" \
  -H "Content-Type: application/json" \
  -d @/tmp/swarmpit-payload.json \
  --max-time 60 ${CA_OPT}

echo "Triggering redeploy"
curl -fsS -X POST "${SWARMPIT_URL}/api/stacks/${STACK_NAME}/redeploy" \
  -H "authorization: Bearer ${SWARMPIT_TOKEN}" \
  --max-time 60 ${CA_OPT} || echo "redeploy trigger failed; services may still roll forward via autoredeploy"

rm -f /tmp/stack.yml /tmp/swarmpit-payload.json /tmp/swarmpit-ca.crt
echo "Done."