#cloud-config

package_update: true
package_upgrade: true

packages:
  - docker.io
  - docker-compose-v2
  - git
  - curl
  - sqlite3

users:
  - name: deploy
    groups: docker, sudo
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - ${ssh_public_key}

write_files:
  - path: /opt/writekit/.env
    permissions: '0600'
    content: |
      ${indent(6, env_file)}

  - path: /opt/writekit/docker-compose.yml
    permissions: '0644'
    content: |
      ${indent(6, docker_compose)}

  - path: /etc/docker/daemon.json
    permissions: '0644'
    content: |
      {
        "insecure-registries": ["10.0.0.3:5000"],
        "log-driver": "json-file",
        "log-opts": {
          "max-size": "10m",
          "max-file": "3"
        }
      }

  - path: /opt/writekit/.ssh/deploy_key
    permissions: '0600'
    content: |
      ${indent(6, deploy_ssh_private_key)}

  - path: /opt/writekit/setup-forgejo-oauth.sh
    permissions: '0755'
    content: |
      #!/bin/bash
      set -a
      . /opt/writekit/.env
      set +a

      DB="/var/lib/docker/volumes/writekit_forgejo-data/_data/gitea/gitea.db"

      for i in {1..60}; do
        [ -f "$$DB" ] && break
        sleep 5
      done

      sleep 10

      sqlite3 "$$DB" <<EOF
      INSERT OR IGNORE INTO login_source (type, name, is_active, is_sync_enabled, cfg, created_unix, updated_unix)
      VALUES (6, 'GitHub', 1, 0, '{"Provider":"github","ClientID":"$$GITHUB_CLIENT_ID","ClientSecret":"$$GITHUB_CLIENT_SECRET","OpenIDConnectAutoDiscoveryURL":"","CustomURLMapping":null,"IconURL":"","Scopes":["read:user","user:email"],"RequiredClaimName":"","RequiredClaimValue":"","GroupClaimName":"","AdminGroup":"","RestrictedGroup":"","GroupTeamMap":"","GroupTeamMapRemoval":false}', strftime('%s','now'), strftime('%s','now'));

      INSERT OR IGNORE INTO oauth2_application (uid, name, client_id, client_secret, confidential_client, redirect_uris, created_unix, updated_unix)
      VALUES (0, 'Woodpecker CI', '$$WOODPECKER_FORGEJO_CLIENT', '$$WOODPECKER_FORGEJO_SECRET', 1, 'https://ci.$$DOMAIN/authorize', strftime('%s','now'), strftime('%s','now'));
      EOF

  - path: /opt/writekit/promote-admin.sh
    permissions: '0755'
    content: |
      #!/bin/bash
      set -a
      . /opt/writekit/.env
      set +a
      cd /opt/writekit
      docker compose exec -T forgejo gitea admin user change-password --username "$$WOODPECKER_ADMIN" --password "temppass123" 2>/dev/null || true
      docker compose exec -T forgejo gitea admin user create --username "$$WOODPECKER_ADMIN" --email "$${WOODPECKER_ADMIN}@localhost" --password "temppass123" --admin 2>/dev/null || \
      docker compose exec -T forgejo gitea admin user change-password --username "$$WOODPECKER_ADMIN" --must-change-password=false 2>/dev/null
      sqlite3 "/var/lib/docker/volumes/writekit_forgejo-data/_data/gitea/gitea.db" "UPDATE user SET is_admin=1 WHERE lower_name='$$(echo $$WOODPECKER_ADMIN | tr '[:upper:]' '[:lower:]')';"
      echo "User $$WOODPECKER_ADMIN promoted to admin"

runcmd:
  - systemctl enable docker
  - systemctl start docker
  - mkdir -p /opt/writekit/.ssh
  - chown -R deploy:deploy /opt/writekit

  - |
    set -a
    . /opt/writekit/.env
    set +a
    cd /opt/writekit && docker compose up -d

  - /opt/writekit/setup-forgejo-oauth.sh

  - |
    for i in {1..30}; do
      ssh-keyscan -H 10.0.0.2 >> /opt/writekit/.ssh/known_hosts 2>/dev/null && break
      sleep 10
    done
    chown deploy:deploy /opt/writekit/.ssh/known_hosts

final_message: "WriteKit ops server ready after $$UPTIME seconds"