# Settings inherited by every job in this pipeline.
default:
  # Only runners carrying both of these tags may pick up these jobs.  The
  # "shell" tag suggests a shell-executor runner, i.e. jobs run directly on the
  # host filesystem, which is why the deploy jobs below clean up what they write.
  # https://docs.gitlab.com/ee/ci/runners/#runner-runs-only-tagged-jobs
  tags: ["nixos", "shell"]

docs:
  stage: "build"
  # Build the documentation with nix, then copy it out of the build result
  # (dropping the read-only modes of nix store paths) into a plain directory
  # that can be uploaded as a job artifact.
  script:
    - "nix-build docs.nix"
    - "cp --recursive --no-preserve=mode result/docs/. docs/build/"
  artifacts:
    expose_as: "documentation"
    paths: ["docs/build/"]

unit-tests:
  stage: "test"
  # nix-build runs the tests; "result" is its output link, printed into the job
  # log (presumably it holds the test output - see nixos/unit-tests.nix).
  script: ["nix-shell --run 'nix-build nixos/unit-tests.nix' && cat result"]

# A template for a job that builds one grid with morph.  Instantiated below by
# the morph-build-* jobs, each of which supplies GRID via `variables`.
.morph-build: &MORPH_BUILD
  stage: "test"
  # Building a whole grid needs far more than the default job timeout.
  timeout: "3 hours"

  script:
    - |
      # GRID is set in one of the "instantiations" of this job template.
      nix-shell --run "morph build --show-trace morph/grid/${GRID}/grid.nix"


# Instantiates .morph-build for the "local" grid.
morph-build-localdev:
  <<: *MORPH_BUILD
  variables:
    GRID: "local"

  # Runs ahead of the template's script.  This is a literal block scalar, so
  # the backslashes below reach the shell unchanged; inside the single quotes
  # sed then receives `\"`, which it emits as a plain `"` (presumably to form a
  # quoted Nix string literal - confirm against users.nix).
  before_script:
    - |
      # The local grid configuration is *almost* complete enough to build.  It
      # just needs this tweak.
      sed -i 's/undefined/\"unundefined\"/' morph/grid/${GRID}/public-keys/users.nix

# Instantiates .morph-build for the "testing" grid.
morph-build-testing:
  <<: *MORPH_BUILD
  variables: {GRID: "testing"}


# Instantiates .morph-build for the "production" grid.
morph-build-production:
  <<: *MORPH_BUILD
  variables: {GRID: "production"}


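vulnerability-scan:
  stage: "test"
  script:
    - "ci-tools/vulnerability-scan security-report.json"
    - "ci-tools/count-vulnerabilities <security-report.json"
  artifacts:
    # Upload the report regardless of the job's outcome.  The default
    # (on_success) would withhold it exactly when a step fails, which is when
    # someone needs to read it.
    when: "always"
    paths:
      - "security-report.json"
    expose_as: "security report"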


system-tests:
  stage: "test"
  # Allow well beyond the default job timeout for the full system test run.
  timeout: "3 hours"
  script: ["nix-shell --run 'nix-build nixos/system-tests.nix'"]

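# A template for a job that can update one of the grids.  Instantiated below
# via the UPDATE_GRID anchor; each instance supplies its own `environment`.
.update-grid: &UPDATE_GRID
  stage: "deploy"
  script:
    # Announce our intentions.
    - |
      echo "Hello $GITLAB_USER_LOGIN from $CI_JOB_NAME. I was triggered by $CI_PIPELINE_SOURCE"
      echo "and I am deploying the $CI_COMMIT_BRANCH branch to the $CI_ENVIRONMENT_NAME environment."

    # Copy the deploy key from the environment to a file so we can actually
    # tell ssh to use it, run the update, and remove the key again.  All of
    # this happens in ONE shell so that the removal is tied to the shell's exit
    # rather than to the success of the deploy step: previously a failed deploy
    # skipped the cleanup and left the key behind on the runner.
    - |
      # The environment variable is configured with GitLab using Terraform so
      # we can retain some bare minimum level of confidentiality.
      # NOTE(review): base64 is handed the variable's value as a file *path*,
      # so this only works if it is a GitLab "file" type variable - in which
      # case GitLab itself also writes the (encoded) key into the build
      # directory, outside the cleanup done here.  Confirm the variable type.
      # NOTE(review): the same variable name serves both the staging and the
      # production instantiation; this assumes it is environment-scoped in
      # GitLab, otherwise production would deploy with the staging key.
      set -e
      KEY_DIR="$(mktemp -d)"
      KEY_PATH="${KEY_DIR}/deploy_key"
      # Remove the key from the filesystem, whether or not the deploy succeeds,
      # to reduce the chance of unintentional disclosure.  Overall our handling
      # of this key is still not *particularly* safe or secure but that's why
      # the key is only authorized to perform a single very specific operation.
      trap 'rm -rfv "${KEY_DIR}"' EXIT
      # mktemp -d makes the directory 0700, but the redirection below would
      # follow the umask; ssh refuses private keys readable by others.
      umask 077
      base64 --decode "${PRIVATESTORAGEIO_STAGING_SSH_DEPLOY_KEY}" > "${KEY_PATH}"

      # Update the deployment
      ./ci-tools/update-grid-servers "${KEY_PATH}" "${CI_ENVIRONMENT_NAME}"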

# Update the staging deployment.  `only` limits this job to pipelines for the
# ref named "staging", i.e. pushes (including merges) to that branch.
update-staging:
  <<: *UPDATE_GRID
  environment:
    name: "staging"
    url: "https://privatestorage-staging.com/"
  only: ["staging"]

# Update the production deployment.  `only` limits this job to pipelines for
# the ref named "production", i.e. pushes (including merges) to that branch.
deploy-to-production:
  <<: *UPDATE_GRID
  environment:
    name: "production"
    url: "https://privatestorage.io/"
  only: ["production"]