name: build-and-publish

on:
  push:
    branches: [master]
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout source
        uses: actions/checkout@v4

      - name: Install build dependencies
        run: |
          set -euo pipefail
          sudo apt-get update -y
          sudo apt-get install -y --no-install-recommends \
            git curl wget ca-certificates dpkg-dev fakeroot \
            build-essential gnupg dpkg-sig

      - name: Compile nginx and modules
        run: |
          set -euo pipefail
          sudo touch /.dockerenv
          sudo bash build/run.sh new
          sudo bash build/run.sh build
          sudo bash build/run.sh postfix

      - name: Assemble .deb package
        id: pkg
        run: |
          set -euo pipefail
          PKG_NAME="twiy"
          VERSION="$(nginx -v 2>&1 | awk -F'/' '{print $2}')"
          ARCH="amd64"
          PKG_DIR="/opt/${PKG_NAME}_${VERSION}_${ARCH}"
          DEB_DIR="${PKG_DIR}/DEBIAN"

          sudo mkdir -p "${PKG_DIR}/usr/sbin" "${PKG_DIR}/nginx" \
                        "${PKG_DIR}/etc/systemd/system" "${PKG_DIR}/var/log/nginx" \
                        "${PKG_DIR}/usr/lib" "${PKG_DIR}/usr/local/lib" \
                        "${PKG_DIR}/hostdata/default/public_html" \
                        "${PKG_DIR}/usr/nginx_lua"

          sudo cp /usr/sbin/nginx "${PKG_DIR}/usr/sbin/"
          sudo cp -R /nginx/* "${PKG_DIR}/nginx/" || true
          sudo cp /etc/systemd/system/nginx.service "${PKG_DIR}/etc/systemd/system/"
          sudo cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
          sudo cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true

          for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
            sudo cp "$lib" "${PKG_DIR}/usr/lib/" || true
          done

          sudo mkdir -p "${DEB_DIR}"
          sudo tee "${DEB_DIR}/control" >/dev/null <<EOF
          Package: ${PKG_NAME}
          Version: ${VERSION}
          Section: base
          Priority: optional
          Architecture: ${ARCH}
          Maintainer: Julio <me@julio.al>
          Description: Nginx L7 DDoS Protection (The-World-Is-Yours), built by RAWeb CI.
          EOF

          sudo tee "${DEB_DIR}/postinst" >/dev/null <<'EOF'
          #!/bin/bash
          useradd -r -d /usr/local/nginx -s /bin/false nginx || true
          systemctl daemon-reload || true
          EOF
          sudo chmod 755 "${DEB_DIR}/postinst"

          sudo dpkg-deb --build "${PKG_DIR}"
          DEB_FILE="${PKG_DIR}.deb"
          sudo chown "$(id -u):$(id -g)" "${DEB_FILE}"

          {
            echo "deb_file=${DEB_FILE}"
            echo "version=${VERSION}"
            echo "pkg_name=${PKG_NAME}"
          } >> "$GITHUB_OUTPUT"

          ls -la "${DEB_FILE}"
          sha256sum "${DEB_FILE}"

      - name: Publish to Nexus
        env:
          NEXUS_USER: ${{ secrets.NEXUS_USER }}
          NEXUS_PASS: ${{ secrets.NEXUS_PASS }}
          NEXUS_URL:  ${{ secrets.NEXUS_URL }}
          NEXUS_REPO: ${{ secrets.NEXUS_REPO }}
          DEB_FILE:   ${{ steps.pkg.outputs.deb_file }}
          PKG_NAME:   ${{ steps.pkg.outputs.pkg_name }}
        run: |
          set -euo pipefail
          umask 077

          # All secret material lives in tmpfs (RAM); shredded on exit either way.
          SECDIR="$(mktemp -d -p /dev/shm raweb-XXXXXXXX 2>/dev/null \
                    || mktemp -d -t raweb-XXXXXXXX)"
          chmod 700 "$SECDIR"
          trap 'find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true; rm -rf "$SECDIR"' EXIT

          # Auth via netrc file — never via -u user:pass on the command line,
          # which would be visible to anything that can read /proc.
          printf 'machine apt.julio.al login %s password %s\n' \
                 "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
          unset NEXUS_USER NEXUS_PASS

          # Replace prior component of the same name, if any (best-effort).
          OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
                    "$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
                    | PKG_NAME="$PKG_NAME" python3 -c '
          import sys, json, os
          for c in json.load(sys.stdin).get("items", []):
              if c.get("name") == os.environ["PKG_NAME"]:
                  print(c["id"]); break
          ' || true)"
          if [ -n "$OLD_ID" ]; then
            curl -fsS -X DELETE --netrc-file "$SECDIR/netrc" \
                 "$NEXUS_URL/service/rest/v1/components/$OLD_ID" -o /dev/null
          fi

          HTTP="$(curl -sS --netrc-file "$SECDIR/netrc" \
                  -o "$SECDIR/upload.body" -w '%{http_code}' \
                  -X POST -F "apt.asset=@$DEB_FILE" \
                  "$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO")"
          case "$HTTP" in
            201|204) echo "Uploaded $(basename "$DEB_FILE") to $NEXUS_URL/repository/$NEXUS_REPO/" ;;
            *) echo "Upload failed (HTTP $HTTP)"; head -c 400 "$SECDIR/upload.body"; exit 1 ;;
          esac

          # Note: per-.deb signing intentionally not performed here. apt's trust
          # chain is Release.gpg → Packages SHA256 → .deb SHA256, and Nexus signs
          # the Release file on every upload using the key bound at repo creation.
          # The private key never leaves the Nexus host.