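---
# UNT (NOVA) Pipeline
#
# Two stages:
#   build-*  → runs on dev-side agent (label: location=local) to avoid server OOM
#              pushes to the registry over WireGuard (10.8.0.1:5000 — plain HTTP,
#              trusted because of the WG perimeter)
#   deploy   → runs on server-side agent (label: location=server)
#              pulls via the public HTTPS path (same registry, different edge)
#              and runs docker compose on the host daemon
#
# Trigger: manual only. See ppl/def/ci-cd/local-agent-rollout.md.
#
# NOTE(review): agent selection is expressed as per-step `labels` below. Some
# CI systems only honour agent labels at workflow level; confirm they are
# applied per step here, otherwise the deploy step (which mounts the host
# Docker socket) may be scheduled on an agent it was not meant for.

when:
  - event: manual

steps:
  - name: build-api
    # NOTE(review): no tag or digest on the plugin image, so the build runs
    # whatever the upstream `latest` currently is. Pin a reviewed version.
    image: plugins/docker
    labels:
      location: local
    settings:
      repo: '10.8.0.1:5000/unt/api'
      registry: '10.8.0.1:5000'
      # Plain-HTTP push. The WireGuard tunnel protects the transport between
      # peers, but not against another peer or process inside the perimeter:
      # unless the registry also enforces authentication, anything that can
      # reach 10.8.0.1:5000 can overwrite the tags that deploy later pulls.
      insecure: true
      tags:
        # `latest` is mutable; the short-SHA tag is the one that identifies
        # a specific build for audit and rollback.
        - latest
        # Quoted so an all-digit or exponent-looking prefix (e.g. 1234567,
        # 12345e6) stays a string if substitution happens before YAML parsing.
        - '${CI_COMMIT_SHA:0:7}'
      dockerfile: ctrl/Dockerfile.api
      context: .

  - name: build-ui
    # NOTE(review): unpinned plugin image, same concern as build-api.
    image: plugins/docker
    labels:
      location: local
    settings:
      repo: '10.8.0.1:5000/unt/ui'
      registry: '10.8.0.1:5000'
      # Plain-HTTP push inside the WG perimeter; see the caveat on build-api.
      insecure: true
      tags:
        - latest
        # Quoted for the same reason as in build-api.
        - '${CI_COMMIT_SHA:0:7}'
      dockerfile: ctrl/Dockerfile.ui
      context: .

  - name: deploy
    image: docker:24-cli
    labels:
      location: server
    depends_on:
      - build-api
      - build-ui
    commands:
      - cd /edge
      - docker compose pull
      - docker compose up -d --remove-orphans
      - docker image prune -f
      - docker compose ps
    volumes:
      # Host daemon socket: this step can start arbitrary containers on the
      # server, which is effectively root on that host. Restrict who may
      # trigger this pipeline and which repository may mount volumes.
      - /var/run/docker.sock:/var/run/docker.sock
      # read-only so the deploy step structurally cannot stomp on .env
      # (this guards against accidental writes through /edge only; the socket
      # mount above is still the wider privilege boundary)
      - /home/mariano/unt/ctrl/edge:/edge:ro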