package generator

import (
	"fmt"
	"sort"
	"strings"

	"kforge/internal/config"
)

// GiteaActionsOptions controls what the generated workflow does.
type GiteaActionsOptions struct {
	// Branch that triggers the workflow. Default: main.
	Branch string
	// NodeVersion for setup-node. Default: 22.
	NodeVersion string
	// Environments to deploy, in order. Default: all environments
	// sorted alphabetically (staging before production).
	Environments []string
}

// GenerateGiteaActions produces a Gitea Actions workflow YAML
// that builds the Docker image and deploys to each environment
// using kforge generate + kubectl apply.
//
// The generated file is designed to replace your existing
// hand-written workflow. It assumes kforge is available in the
// PATH (either pre-installed on the runner or fetched as a step).
func GenerateGiteaActions(cfg *config.KforgeConfig, opts GiteaActionsOptions) (string, error) {
	if opts.Branch == "" {
		opts.Branch = "main"
	}
	if opts.NodeVersion == "" {
		opts.NodeVersion = "22"
	}
	if len(opts.Environments) == 0 {
		opts.Environments = sortedEnvKeys(cfg)
	}

	var b strings.Builder

	writeGiteaHeader(&b, cfg, opts)
	writeGiteaJobs(&b, cfg, opts)

	return b.String(), nil
}

func writeGiteaHeader(b *strings.Builder, cfg *config.KforgeConfig, opts GiteaActionsOptions) {
	fmt.Fprintf(b, "# Generated by kforge — do not edit manually.\n")
	fmt.Fprintf(b, "# Re-generate: kforge gitea-actions > .gitea/workflows/deploy.yml\n")
	fmt.Fprintf(b, "#\n")
	fmt.Fprintf(b, "# Required Gitea org secrets:\n")
	fmt.Fprintf(b, "#   DOCKER_USERNAME, DOCKER_PASSWORD, KFORGE_NODE_IP\n")
	fmt.Fprintf(b, "#   CLOUDFLARE_API_TOKEN, CF_ZONE_ID_* (per zone)\n")
	fmt.Fprintf(b, "#   SOPS_AGE_KEY\n")
	fmt.Fprintf(b, "# Required Gitea repo secrets:\n")
	fmt.Fprintf(b, "#   KUBE_HOST, KUBE_TOKEN, KUBE_CERTIFICATE\n")
	fmt.Fprintf(b, "\n")
	fmt.Fprintf(b, "name: Build and Deploy\n")
	fmt.Fprintf(b, "\n")
	fmt.Fprintf(b, "on:\n")
	fmt.Fprintf(b, "  push:\n")
	fmt.Fprintf(b, "    branches:\n")
	fmt.Fprintf(b, "      - %s\n", opts.Branch)
	fmt.Fprintf(b, "\n")
}

func writeGiteaJobs(b *strings.Builder, cfg *config.KforgeConfig, opts GiteaActionsOptions) {
	fmt.Fprintf(b, "jobs:\n")
	fmt.Fprintf(b, "  build-and-deploy:\n")
	fmt.Fprintf(b, "    runs-on: ubuntu-latest\n")
	fmt.Fprintf(b, "    steps:\n")

	// Checkout
	writeStep(b, "Checkout", map[string]any{
		"uses": "actions/checkout@v4",
		"with": map[string]any{"fetch-depth": 0},
	})

	// Node (optional — only if package.json exists)
	writeStep(b, "Setup Node", map[string]any{
		"uses": "actions/setup-node@v4",
		"with": map[string]any{"node-version": opts.NodeVersion},
	})

	// Short SHA
	writeStep(b, "Create short commit hash", map[string]any{
		"run": `echo "SHORT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV`,
	})

	// Docker login
	writeStep(b, "Login to registry", map[string]any{
		"uses": "docker/login-action@v2",
		"with": map[string]any{
			"registry": cfg.Registry.URL,
			"username": "${{ secrets.DOCKER_USERNAME }}",
			"password": "${{ secrets.DOCKER_PASSWORD }}",
		},
	})

	// Docker build + push
	fullRepo := cfg.Registry.URL + "/" + cfg.Meta.Tenant + "/" + cfg.Meta.Name
	writeStep(b, "Build and push image", map[string]any{
		"uses": "docker/build-push-action@v5",
		"with": map[string]any{
			"context":    ".",
			"platforms":  "linux/amd64",
			"file":       cfg.Defaults.Dockerfile,
			"push":       true,
			"tags":       fmt.Sprintf("%s:latest\n%s:${{ env.SHORT_SHA }}", fullRepo, fullRepo),
			"provenance": false,
			"sbom":       false,
		},
	})

	// Install kforge on runner
	writeStep(b, "Install kforge", map[string]any{
		"run": "KFORGE_VERSION=\"latest\"\ncurl -fsSL \"https://kforge/releases/download/${KFORGE_VERSION}/kforge-linux-amd64\" -o /usr/local/bin/kforge\nchmod +x /usr/local/bin/kforge",
	})

	// Per-environment deploy steps
	for _, envKey := range opts.Environments {
		env, err := config.ResolveEnvironment(cfg, envKey)
		if err != nil {
			continue
		}
		writeEnvDeploySteps(b, cfg, &env, envKey)
	}
}

func writeEnvDeploySteps(b *strings.Builder, cfg *config.KforgeConfig, env *config.ResolvedEnvironment, envKey string) {
	label := strings.Title(envKey) //nolint:staticcheck // simple capitalisation

	// Validate kforge config before doing anything destructive.
	writeStep(b, fmt.Sprintf("Validate kforge config (%s)", label), map[string]any{
		"run": "kforge validate",
		"env": giteaSecretEnv(),
	})

	// Apply cluster secrets (only creates if missing — idempotent).
	writeStep(b, fmt.Sprintf("Apply cluster secrets (%s)", label), map[string]any{
		"run": fmt.Sprintf("kforge secrets apply --env %s", envKey),
		"env": giteaKubeEnv(),
	})

	// DNS records
	hasDNSHosts := false
	for _, h := range env.Ingress.Hosts {
		if h.DNSRecord {
			hasDNSHosts = true
			break
		}
	}
	if hasDNSHosts && !cfg.DNS.SkipDNS {
		writeStep(b, fmt.Sprintf("Ensure DNS records (%s)", label), map[string]any{
			"run": fmt.Sprintf("kforge dns ensure --env %s", envKey),
			"env": mergeMaps(giteaSecretEnv(), giteaKubeEnv()),
		})
	}

	// Generate manifests
	writeStep(b, fmt.Sprintf("Generate manifests (%s)", label), map[string]any{
		"run": fmt.Sprintf(
			"kforge generate --env %s --output .kforge-out --set image_tag=${{ env.SHORT_SHA }}",
			envKey,
		),
		"env": giteaSecretEnv(),
	})

	// kubectl apply
	writeStep(b, fmt.Sprintf("Apply manifests (%s)", label), map[string]any{
		"uses": "actions-hub/kubectl@master",
		"env":  giteaKubeEnv(),
		"with": map[string]any{
			"args": fmt.Sprintf(
				"apply -f .kforge-out/%s-core.yaml -n %s --insecure-skip-tls-verify",
				envKey, env.Namespace,
			),
		},
	})

	// Apply infra manifests if any infrastructure is enabled
	infra := env.Infrastructure
	if infra.Database != nil || infra.Cache != nil || infra.Storage != nil ||
		infra.Queue != nil || infra.Search != nil || infra.Monitoring != nil {
		writeStep(b, fmt.Sprintf("Apply infra manifests (%s)", label), map[string]any{
			"uses": "actions-hub/kubectl@master",
			"env":  giteaKubeEnv(),
			"with": map[string]any{
				"args": fmt.Sprintf(
					`apply -f .kforge-out/ -l app=%s -n %s --insecure-skip-tls-verify`,
					env.FullName, env.Namespace,
				),
			},
		})
	}

	// Rollout restart
	writeStep(b, fmt.Sprintf("Rollout restart (%s)", label), map[string]any{
		"uses": "actions-hub/kubectl@master",
		"env":  giteaKubeEnv(),
		"with": map[string]any{
			"args": fmt.Sprintf(
				"rollout restart deployment/%s -n %s --insecure-skip-tls-verify",
				env.FullName, env.Namespace,
			),
		},
	})
}

// writeStep writes a single step in the jobs.steps list.
func writeStep(b *strings.Builder, name string, fields map[string]any) {
	fmt.Fprintf(b, "\n      - name: %s\n", name)
	// Emit fields in a stable order.
	order := []string{"uses", "run", "with", "env"}
	for _, k := range order {
		v, ok := fields[k]
		if !ok {
			continue
		}
		switch val := v.(type) {
		case string:
			if strings.Contains(val, "\n") {
				fmt.Fprintf(b, "        %s: |\n", k)
				for _, line := range strings.Split(val, "\n") {
					fmt.Fprintf(b, "          %s\n", line)
				}
			} else {
				fmt.Fprintf(b, "        %s: %s\n", k, val)
			}
		case bool:
			fmt.Fprintf(b, "        %s: %v\n", k, val)
		case int:
			fmt.Fprintf(b, "        %s: %d\n", k, val)
		case map[string]any:
			fmt.Fprintf(b, "        %s:\n", k)
			writeMapFields(b, val, "          ")
		}
	}
}

func writeMapFields(b *strings.Builder, m map[string]any, indent string) {
	// Sort keys for stable output.
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	for _, k := range keys {
		v := m[k]
		switch val := v.(type) {
		case string:
			if strings.Contains(val, "\n") {
				fmt.Fprintf(b, "%s%s: |\n", indent, k)
				for _, line := range strings.Split(val, "\n") {
					fmt.Fprintf(b, "%s  %s\n", indent, line)
				}
			} else {
				fmt.Fprintf(b, "%s%s: %s\n", indent, k, val)
			}
		case bool:
			fmt.Fprintf(b, "%s%s: %v\n", indent, k, val)
		case int:
			fmt.Fprintf(b, "%s%s: %d\n", indent, k, val)
		case map[string]any:
			fmt.Fprintf(b, "%s%s:\n", indent, k)
			writeMapFields(b, val, indent+"  ")
		}
	}
}

// giteaSecretEnv returns the env block referencing Gitea secrets
// needed for kforge itself (DNS, registry tokens, etc.).
func giteaSecretEnv() map[string]any {
	return map[string]any{
		"CLOUDFLARE_API_TOKEN": "${{ secrets.CLOUDFLARE_API_TOKEN }}",
		"KFORGE_NODE_IP":       "${{ secrets.KFORGE_NODE_IP }}",
		"SOPS_AGE_KEY":         "${{ secrets.SOPS_AGE_KEY }}",
	}
}

// giteaKubeEnv returns the env block for kubectl auth.
func giteaKubeEnv() map[string]any {
	return map[string]any{
		"KUBE_CERTIFICATE": "${{ secrets.KUBE_CERTIFICATE }}",
		"KUBE_HOST":        "${{ secrets.KUBE_HOST }}",
		"KUBE_TOKEN":       "${{ secrets.KUBE_TOKEN }}",
	}
}

func mergeMaps(maps ...map[string]any) map[string]any {
	result := map[string]any{}
	for _, m := range maps {
		for k, v := range m {
			result[k] = v
		}
	}
	return result
}

func sortedEnvKeys(cfg *config.KforgeConfig) []string {
	keys := config.EnvironmentKeys(cfg)
	// Put staging/dev before production — a simple heuristic that
	// matches the most common deploy order.
	priority := map[string]int{"dev": 0, "development": 0, "staging": 1, "production": 2, "prod": 2}
	sort.Slice(keys, func(i, j int) bool {
		pi, pj := priority[keys[i]], priority[keys[j]]
		if pi != pj {
			return pi < pj
		}
		return keys[i] < keys[j]
	})
	return keys
}