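#!/usr/bin/env bash
# Self-heal runner for Watchtower.
#
# Runs ansible-pull against the homelab repository and appends everything it
# prints to LOG_FILE. All settings are overridable from the environment:
#   LOG_FILE       - append-only run log
#   WORKSPACE      - checkout directory handed to ansible-pull -d
#   REPO_URL       - git URL; prefer SSH-based auth (deploy key) over a
#                    credentialed HTTPS URL, because the URL is visible in the
#                    process arguments and is copied into the log by ansible-pull
#   REPO_REF       - branch/tag/commit passed to ansible-pull -C
#   PLAYBOOK_PATH  - playbook path relative to the checkout
#   INVENTORY      - inventory passed to ansible-pull -i
#
# Exit status: 0 when ansible-pull succeeds; ansible-pull's own status
# otherwise (logged before exiting). 127 if ansible-pull is not installed.
set -euo pipefail

LOG_FILE="${LOG_FILE:-/home/chester/ansible-pull.log}"
WORKSPACE="${WORKSPACE:-/home/chester/.ansible_pull_workspace}"
REPO_URL="${REPO_URL:-git@git.castaldifamily.com:nathan/homelab.git}"
REPO_REF="${REPO_REF:-main}"
PLAYBOOK_PATH="${PLAYBOOK_PATH:-ansible/playbooks/self-heal/watchtower.yml}"
INVENTORY="${INVENTORY:-localhost,}"

#######################################
# Write one line to stdout and append it to LOG_FILE.
# printf rather than echo so a message starting with '-' is never parsed as
# an echo option.
# Globals:   LOG_FILE (read)
# Arguments: the message words
#######################################
log() {
  printf '%s\n' "$*" | tee -a -- "$LOG_FILE"
}

mkdir -p -- "$(dirname -- "$LOG_FILE")" "$WORKSPACE"

log "--- Starting Update: $(date -Is) ---"

# A token embedded in the URL ends up in `ps` output and in LOG_FILE; warn so
# the operator moves to a deploy key.
if [[ "$REPO_URL" == https://*"@"* ]]; then
  log "WARNING: Credentialed HTTPS URL detected in REPO_URL. Use SSH deploy keys when possible."
fi

if ! command -v ansible-pull >/dev/null 2>&1; then
  log "ERROR: ansible-pull not found in PATH"
  exit 127
fi

# Capture the status explicitly: with pipefail, a failing ansible-pull would
# otherwise terminate the script via set -e before any completion line is
# written, leaving the log without a record of the failure.
rc=0
ansible-pull \
  -U "$REPO_URL" \
  -C "$REPO_REF" \
  -d "$WORKSPACE" \
  -i "$INVENTORY" \
  "$PLAYBOOK_PATH" 2>&1 | tee -a -- "$LOG_FILE" || rc=$?

if (( rc != 0 )); then
  log "--- Update FAILED (exit $rc): $(date -Is) ---"
  exit "$rc"
fi

log "--- Update Complete: $(date -Is) ---"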