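---
# CI/CD workflow for the Ansible Minecraft project (Gitea / GitHub Actions syntax).
#
# Job graph:
#   lint, structure-validation, security-scan  -> gate for both deploy jobs
#   deploy-staging    (develop branch)         -> dry-run against staging, then backup-check
#   deploy-production (main branch)            -> real run against production
name: Ansible Minecraft CI/CD Pipeline

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least-privilege default token: no step here writes to the repository.
permissions:
  contents: read

env:
  ANSIBLE_FORCE_COLOR: "1"
  # NOTE(review): this disables SSH host-key verification for every job,
  # including the real production run, so a spoofed host could receive the
  # deploy key's session. The safer setup is to write the servers' known
  # host keys to ~/.ssh/known_hosts in the "Setup SSH key" steps and drop
  # this variable; it is kept until that material is available to the runner.
  ANSIBLE_HOST_KEY_CHECKING: "false"

jobs:
  lint:
    name: Ansible Lint Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      # Unpinned installs; pin versions once the team settles on a toolchain
      # so a new linter release cannot change the result of this job.
      - name: Install dependencies
        run: |
          pip install ansible ansible-lint yamllint

      # Linters are advisory only: they report findings but never fail the job.
      - name: Run yamllint
        run: |
          yamllint -c .yamllint.yml .
        continue-on-error: true

      - name: Run ansible-lint
        run: |
          ansible-lint --project-dir . playbooks/
        continue-on-error: true

      # A playbook that does not parse must not reach the deploy jobs, so this
      # is the one check in the job that is allowed to fail the gate.
      - name: Validate Ansible syntax
        run: |
          ansible-playbook --syntax-check playbooks/site.yml -i inventories/staging/hosts.yml

  structure-validation:
    name: Project Structure Validation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Validate required files
        run: |
          # Report every missing path by name instead of a bare "exit 1", so
          # the failure is diagnosable from the job log alone.
          missing=0
          need_dir()  { [ -d "$1" ] || { echo "ERROR: missing directory: $1"; missing=1; }; }
          need_file() { [ -f "$1" ] || { echo "ERROR: missing file: $1"; missing=1; }; }

          # Main playbook
          need_file playbooks/site.yml

          # Every role must carry the full skeleton the playbook expects
          for role in 01-server_hardening 02-installation-java 03-installation-minecraft 04-backups 05-update; do
            for sub in tasks handlers templates vars defaults; do
              need_dir "roles/$role/$sub"
            done
            for sub in tasks handlers vars defaults; do
              need_file "roles/$role/$sub/main.yml"
            done
          done

          # Inventories
          for inv in production staging; do
            need_dir "inventories/$inv"
            need_file "inventories/$inv/hosts.yml"
          done

          [ "$missing" -eq 0 ] || exit 1
          echo "Project structure validation passed"

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Check for secrets in files
        run: |
          # Heuristic scan for credential-looking keys (excluding example files).
          # The workflow directories are excluded because this file itself
          # refers to `secrets.*` and would otherwise trip the check on every run.
          if grep -r -i "password\|secret\|key" \
               --include="*.yml" --include="*.yaml" \
               --exclude="*example*" --exclude="*template*" \
               --exclude-dir=.git --exclude-dir=.gitea --exclude-dir=.github .; then
            echo "WARNING: Potential secrets found in files"
            echo "Please ensure all sensitive data uses Gitea secrets or ansible-vault"
          fi

      - name: Check for hardcoded IPs
        run: |
          # Allow example IPs in inventory files, loopback and the 192.168.1.x
          # range. Dots in the allow-list are escaped so they match literally.
          if grep -r -E '([0-9]{1,3}\.){3}[0-9]{1,3}' --include="*.yml" --include="*.yaml" . \
               | grep -v '192\.168\.1' | grep -v '127\.0\.0\.1' | grep -v 'inventories/'; then
            echo "WARNING: Hardcoded IP addresses found"
          fi

  deploy-staging:
    name: Deploy to Staging
    runs-on: ubuntu-latest
    needs: [lint, structure-validation, security-scan]
    if: github.ref == 'refs/heads/develop'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install Ansible
        run: |
          pip install ansible

      # The key reaches the shell through the environment rather than an
      # inline ${{ }} expansion: an inline expansion is pasted into the
      # generated script text, whereas an env var is only read by printf.
      - name: Setup SSH key
        env:
          ANSIBLE_SSH_PRIVATE_KEY: ${{ secrets.ANSIBLE_SSH_PRIVATE_KEY }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$ANSIBLE_SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa

      - name: Test staging connectivity
        run: |
          ansible all -i inventories/staging/hosts.yml -m ping

      - name: Deploy to staging (dry-run)
        run: |
          ansible-playbook playbooks/site.yml \
            -i inventories/staging/hosts.yml \
            --check \
            --diff

      # Self-hosted runners are not necessarily ephemeral; do not leave the
      # deploy key behind for whatever job lands on this machine next.
      - name: Remove SSH key
        if: always()
        run: |
          rm -f ~/.ssh/id_rsa

  deploy-production:
    name: Deploy to Production
    runs-on: ubuntu-latest
    needs: [lint, structure-validation, security-scan]
    if: github.ref == 'refs/heads/main'
    environment: production
    # Never run two production deploys at once; a queued run waits for the
    # current one to finish rather than cancelling it mid-playbook.
    concurrency:
      group: deploy-production
      cancel-in-progress: false
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install Ansible
        run: |
          pip install ansible

      # See the staging job for why the key is passed via env, not inline.
      - name: Setup SSH key
        env:
          ANSIBLE_SSH_PRIVATE_KEY: ${{ secrets.ANSIBLE_SSH_PRIVATE_KEY }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$ANSIBLE_SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa

      - name: Test production connectivity
        run: |
          ansible all -i inventories/production/hosts.yml -m ping

      # Secrets go to Ansible through a mode-600 extra-vars file instead of
      # `-e key=value` on the command line: argv is readable in the runner's
      # process list and is echoed back by ansible-playbook at higher -v levels.
      # The file is built with json.dump so quotes or backslashes in the
      # password cannot break the document.
      - name: Deploy to production
        env:
          MINECRAFT_VERSION: ${{ secrets.MINECRAFT_VERSION }}
          RCON_PASSWORD: ${{ secrets.RCON_PASSWORD }}
        run: |
          umask 077
          extra_vars="$RUNNER_TEMP/extra-vars.json"
          trap 'rm -f "$extra_vars"' EXIT
          python3 - "$extra_vars" <<'PY'
          import json, os, sys
          with open(sys.argv[1], "w") as fh:
              json.dump(
                  {
                      "minecraft_version": os.environ["MINECRAFT_VERSION"],
                      "rcon_password": os.environ["RCON_PASSWORD"],
                  },
                  fh,
              )
          PY
          ansible-playbook playbooks/site.yml \
            -i inventories/production/hosts.yml \
            -e "@$extra_vars"

      - name: Remove SSH key
        if: always()
        run: |
          rm -f ~/.ssh/id_rsa

  backup-check:
    name: Backup System Check
    runs-on: ubuntu-latest
    needs: [deploy-staging]
    if: github.ref == 'refs/heads/develop'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install Ansible
        run: |
          pip install ansible

      # See the staging job for why the key is passed via env, not inline.
      - name: Setup SSH key
        env:
          ANSIBLE_SSH_PRIVATE_KEY: ${{ secrets.ANSIBLE_SSH_PRIVATE_KEY }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$ANSIBLE_SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa

      # Only checks that the backup tooling is present and executable on the
      # staging hosts; it does not run a backup.
      - name: Test backup scripts
        run: |
          ansible minecraft_servers -i inventories/staging/hosts.yml \
            -m shell \
            -a "test -x /opt/minecraft/tools/backup-daily.sh"
          ansible minecraft_servers -i inventories/staging/hosts.yml \
            -m shell \
            -a "test -x /opt/minecraft/tools/restore-backup.sh"

      - name: Remove SSH key
        if: always()
        run: |
          rm -f ~/.ssh/id_rsa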