zyc dd785c2bae
feat: airlabs.art 启用 HTTPS + cert-manager 自动签证书
- Ingress 的 tls 段增加 airlabs.art 和 www.airlabs.art(secretName: airlabs-root-tls)
- Traefik 全局 HTTP→HTTPS redirect 自动把裸域访问升级到 HTTPS
- 证书由 letsencrypt-prod cluster-issuer 通过 HTTP-01 挑战自动签发

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 10:17:54 +08:00



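# Deploys every top-level project directory of this repository as a static
# site on the internal server and regenerates the Traefik Ingress for them.
# <dir>.airlabs.art is served for each project directory; the airlabs-art
# directory is served on the bare domain and www. TLS certificates are issued
# by cert-manager (letsencrypt-prod, see the annotation in the generated
# Ingress).
name: Deploy Static Sites
on:
  push:
    branches:
      - main
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        run: |
          # Shallow clone of the pushed branch. The interpolated values are
          # quoted so that each reaches git as a single argument.
          git clone --depth=1 --branch="${{ github.ref_name }}" "https://gitea.airlabs.art/${{ github.repository }}.git" .
      - name: Setup SSH
        # The private key is passed through the environment instead of being
        # pasted into the script text: that way the shell never parses the
        # secret, so a quote character inside the key cannot break or alter
        # the command.
        env:
          SSH_KEY: ${{ secrets.INTERNAL_SERVER_SSH_KEY }}
        run: |
          mkdir -p ~/.ssh
          # Create the key file non-world-readable from the start.
          umask 077
          printf '%s\n' "$SSH_KEY" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          # ssh-keyscan trusts whatever host key the network presents at this
          # moment (trust on first use). Pinning the expected host key in a
          # repository secret/variable and writing that instead would let a
          # substituted host be detected.
          ssh-keyscan -H 118.196.70.19 >> ~/.ssh/known_hosts 2>/dev/null
      - name: Sync files to server
        run: |
          # NOTE: the target directory is emptied before the upload begins, so
          # the sites are unavailable until scp finishes, and a failed upload
          # leaves them empty.
          ssh root@118.196.70.19 "rm -rf /data/static-sites/* && mkdir -p /data/static-sites"
          # Every top-level directory except the repo/tooling ones is a site.
          for dir in */; do
            case "$dir" in
              .gitea/|.git/|k8s/) continue ;;
            esac
            echo "上传 $dir ..."
            scp -r "$dir" root@118.196.70.19:/data/static-sites/
          done
          echo "✓ 文件同步完成"
      - name: Apply nginx ConfigMap and restart deployment
        run: |
          scp k8s/nginx-conf.yaml root@118.196.70.19:/tmp/static-sites-nginx-conf.yaml
          # Restart so the pods pick up the new ConfigMap; fail the job if the
          # rollout does not complete within the timeout.
          ssh root@118.196.70.19 "
            kubectl apply -f /tmp/static-sites-nginx-conf.yaml
            kubectl rollout restart deployment/static-sites
            kubectl rollout status deployment/static-sites --timeout=60s
          "
          echo "✓ nginx 配置已更新"
      - name: Auto generate and apply Ingress
        run: |
          # Projects served in automatic-subdomain mode (<dir>.airlabs.art).
          # The bare-domain directory airlabs-art is special-cased below.
          PROJECTS=""
          for dir in */; do
            case "$dir" in
              .gitea/|.git/|k8s/|airlabs-art/) continue ;;
            esac
            PROJECTS="$PROJECTS ${dir%/}"
          done
          # Header. Quoted heredoc: nothing inside it is expanded by the shell.
          cat <<'EOF' > /tmp/ingress.yaml
          apiVersion: networking.k8s.io/v1
          kind: Ingress
          metadata:
            name: static-sites-ingress
            annotations:
              kubernetes.io/ingress.class: "traefik"
              cert-manager.io/cluster-issuer: "letsencrypt-prod"
          spec:
            tls:
          EOF
          # One TLS entry per project; cert-manager stores the certificate in
          # the secret <name>-tls.
          for name in $PROJECTS; do
            cat <<EOF >> /tmp/ingress.yaml
              - hosts:
                  - ${name}.airlabs.art
                secretName: ${name}-tls
          EOF
          done
          # TLS for the bare domain + www (certificate issued automatically by
          # cert-manager via letsencrypt).
          if [ -d airlabs-art ]; then
            cat <<'EOF' >> /tmp/ingress.yaml
              - hosts:
                  - airlabs.art
                  - www.airlabs.art
                secretName: airlabs-root-tls
          EOF
          fi
          # Routing rules: every host goes to the static-sites service on port
          # 80; nginx in that deployment selects the site by Host header.
          printf '  rules:\n' >> /tmp/ingress.yaml
          for name in $PROJECTS; do
            cat <<EOF >> /tmp/ingress.yaml
              - host: ${name}.airlabs.art
                http:
                  paths:
                    - path: /
                      pathType: Prefix
                      backend:
                        service:
                          name: static-sites
                          port:
                            number: 80
          EOF
          done
          # Bare domain + www rules (HTTPS is enforced by Traefik's global
          # redirect; the certificate is issued by cert-manager).
          if [ -d airlabs-art ]; then
            for host in airlabs.art www.airlabs.art; do
              cat <<EOF >> /tmp/ingress.yaml
              - host: ${host}
                http:
                  paths:
                    - path: /
                      pathType: Prefix
                      backend:
                        service:
                          name: static-sites
                          port:
                            number: 80
          EOF
            done
          fi
          echo "--- 生成的 Ingress ---"
          cat /tmp/ingress.yaml
          scp /tmp/ingress.yaml root@118.196.70.19:/tmp/ingress.yaml
          ssh root@118.196.70.19 "kubectl apply -f /tmp/ingress.yaml"
          echo "✓ Ingress 已自动更新"
      - name: Verify
        run: |
          # Informational only: print the deployed files, the Ingress and the
          # certificate objects so a failed issuance is visible in the job log.
          ssh root@118.196.70.19 "
            echo '=== 站点文件 ==='
            ls -la /data/static-sites/
            echo ''
            echo '=== Ingress ==='
            kubectl get ingress static-sites-ingress
            echo ''
            echo '=== 证书 ==='
            kubectl get certificate
          "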