Deploying to k3s (Hetzner)
==========================

Prereqs
- `kubectl` installed locally.
- Access to the cluster kubeconfig.
- Secrets loaded (dotenv via `scripts/load-secrets.sh`).

Kubeconfig
- By default `deploy/deploy.sh` will use `$KUBECONFIG`. If that is unset and `creds/kubeconfig.yaml` exists, it will export `KUBECONFIG=$PWD/creds/kubeconfig.yaml`.
- Recommended flow for new devs:
  1) Obtain the kubeconfig from the cluster admin.
  2) Save it as `creds/kubeconfig.yaml` (ignored by git), or set `KUBECONFIG` to your own path. The repo also includes `creds/kubeconfig.enc.yaml` (sops/age-encrypted) and a plaintext copy can be produced with the age key.
  3) Verify access: `kubectl get ns` (you should see `lomavuokraus-test/staging/prod`).
- If you want to keep the kubeconfig in-repo but encrypted, store it as `creds/kubeconfig.enc.yaml` with sops/age and decrypt to `creds/kubeconfig.yaml` before deploying:
  - Decrypt: `SOPS_AGE_KEY_FILE=creds/age-key.txt sops -d creds/kubeconfig.enc.yaml > creds/kubeconfig.yaml`
  - Encrypt (admin only): `SOPS_AGE_KEY_FILE=creds/age-key.txt sops -e kubeconfig.yaml > creds/kubeconfig.enc.yaml`

Deploy commands
- Test: `./deploy/deploy-test.sh`
- Staging (default): `./deploy/deploy-staging.sh` or `TARGET=staging ./deploy/deploy.sh`
- Prod: `./deploy/deploy-prod.sh`

Notes
- Ensure `deploy/.last-image` exists (run `deploy/build.sh` first).
- `AUTH_SECRET`/`DATABASE_URL` should be in your env or loaded via `scripts/load-secrets.sh`.
- `deploy/deploy.sh` runs `prisma migrate deploy` automatically when `DATABASE_URL` is set; if it isn't, it will try to read `DATABASE_URL` from the in-cluster `lomavuokraus-web-secrets` in the target namespace (recommended for test/staging/prod).
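
The kubeconfig lookup order and the sops decrypt step from the Kubeconfig section, as an added example that is not the repo's own `deploy/deploy.sh`: it decrypts through a 0600 temp file so a failed `sops -d` never truncates an existing kubeconfig, and it refuses a plaintext file that group or others can read. The function names, the permission check and the temp-file name are assumptions; source it and pass the repo root.

```bash
# Added example (hypothetical helper names; not the repo's deploy/deploy.sh).

# Documented lookup order: $KUBECONFIG first, then creds/kubeconfig.yaml.
resolve_kubeconfig() {
  local root
  root="${1:-$PWD}"
  if [ -n "${KUBECONFIG:-}" ]; then
    printf '%s\n' "$KUBECONFIG"
  elif [ -f "$root/creds/kubeconfig.yaml" ]; then
    printf '%s\n' "$root/creds/kubeconfig.yaml"
  else
    return 1
  fi
}

# Succeeds only when group and others have no permission bits on the file.
kubeconfig_is_private() {
  local perms
  perms=$(ls -ld "$1" 2>/dev/null) || return 2
  case "$perms" in
    ????------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Decrypt creds/kubeconfig.enc.yaml via a temp file (mktemp creates it 0600),
# then rename it into place; on failure the previous plaintext is untouched.
decrypt_kubeconfig() {
  local root tmp
  root="${1:-$PWD}"
  tmp=$(mktemp "$root/creds/.kubeconfig.XXXXXX") || return 1  # assumed temp name
  if SOPS_AGE_KEY_FILE="$root/creds/age-key.txt" \
       sops -d "$root/creds/kubeconfig.enc.yaml" > "$tmp"; then
    mv -f "$tmp" "$root/creds/kubeconfig.yaml"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Export KUBECONFIG in the documented order, rejecting a non-private file.
load_kubeconfig() {
  local path
  path=$(resolve_kubeconfig "${1:-$PWD}") || { echo "no kubeconfig found" >&2; return 1; }
  kubeconfig_is_private "$path" || { echo "$path is group/world accessible" >&2; return 1; }
  export KUBECONFIG="$path"
}
```
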