name: Continuous Integration

on:
  push:
  schedule:
    - cron: "0 0 * * TUE"

concurrency: ${{ github.workflow }}-${{ github.ref }}

env:
  platforms: "linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7"

jobs:
  ci:
    name: Continuous Integration
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    timeout-minutes: 10
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Load necessary kernel modules
        run: sudo modprobe ip6_tables

      - name: Install WireGuard
        run: sudo apt-get install wireguard

      - name: Create WireGuard config
        run: echo '${{ secrets.WIREGUARD_CONF }}' > wireguard.conf

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build local Docker image for testing
        uses: docker/build-push-action@v5
        with:
          pull: true
          load: true
          tags: wireguard

      - name: Copy Docker image to Podman
        run: |
          sudo podman pull docker-daemon:docker.io/library/wireguard:latest
          sudo podman save -o ${{ runner.temp }}/wireguard.tar docker.io/library/wireguard:latest
          podman load -i ${{ runner.temp }}/wireguard.tar

      - name: Test tunnel
        run: |
          for cmd in "docker" "podman" "sudo podman"; do
            $cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf wireguard
            normal_ip=$($cmd run --rm curlimages/curl --retry 3 --retry-delay 5 ifconfig.io)
            wireguard_ip=$($cmd run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 ifconfig.io)
            if [ "$normal_ip" = "$wireguard_ip" ]; then echo "normal ip and wireguard ip are the same" && exit 1; fi
            $cmd stop wireguard
          done

      - name: Test kill switch
        run: |
          for cmd in "docker" "podman" "sudo podman"; do
            $cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf wireguard
            $cmd run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 ifconfig.io
            $cmd exec wireguard wg-quick down wg0
            ! $cmd run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 ifconfig.io
            $cmd stop wireguard
          done

      - name: Test local subnets
        run: |
          for cmd in "docker" "podman" "sudo podman"; do
            ip_address=$(ip route get 1.2.3.4 | awk '{print $7}')
            $cmd run --rm -d --name nginx -p 8080:80 nginx
            $cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf -e LOCAL_SUBNETS=$ip_address/32 wireguard
            sleep 3
            $cmd run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 $ip_address:8080
            $cmd stop wireguard nginx
          done

      - name: Test exposed ports
        run: |
          for cmd in "docker" "podman" "sudo podman"; do
            $cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf -p 8080:80 wireguard
            $cmd run --rm -d --name nginx --net=container:wireguard nginx
            sleep 3
            curl --retry 3 --retry-delay 5 localhost:8080
            $cmd stop wireguard nginx
          done

      - name: Log into Docker Hub
        uses: docker/login-action@v3
        with:
          username: jordanpotter
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}

      - name: Log into GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Get date
        id: date
        uses: josStorer/get-current-time@v2
        with:
          format: YYYY-MM-DD

      - name: Get metadata for image
        id: metadata
        uses: docker/metadata-action@v5
        with:
          images: |
            jordanpotter/wireguard
            ghcr.io/${{ github.repository }}
          tags: |
            type=raw,value=${{ steps.date.outputs.formattedTime }},enable=${{ github.event_name == 'schedule' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

      - name: Build images
        if: ${{ github.ref != 'refs/heads/main' }}
        uses: docker/build-push-action@v5
        with:
          pull: true
          push: false
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          platforms: ${{ env.platforms }}

      - name: Build and push images
        if: ${{ github.ref == 'refs/heads/main' }}
        uses: docker/build-push-action@v5
        with:
          pull: true
          push: true
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          platforms: ${{ env.platforms }}

      - name: Update Docker Hub description
        if: ${{ github.ref == 'refs/heads/main' }}
        uses: peter-evans/dockerhub-description@v3
        with:
          repository: jordanpotter/wireguard
          username: jordanpotter
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
          short-description: ${{ github.event.repository.description }}