# syntax=docker/dockerfile:1.7

FROM node:22-bookworm-slim AS deps
WORKDIR /app
# bookworm-slim: track the distro's current security-patched versions, don't pin.
# hadolint ignore=DL3008
RUN apt-get update \
 && apt-get install -y --no-install-recommends python3 make g++ ca-certificates \
 && rm -rf /var/lib/apt/lists/*
COPY app/package.json app/package-lock.json ./
# Lockfile (lockfileVersion 3) is committed; npm ci is reproducible and
# fails if it drifts from package.json. No npm install fallback.
RUN npm ci --include=dev

FROM deps AS build
WORKDIR /app
COPY app/ ./
RUN rm -f data.db data.db-shm data.db-wal && rm -rf uploads
# `astro` is a runtime dependency (required by the @astrojs/node standalone
# SSR server), so the prune only drops the two devDependencies
# (@astrojs/check, @types/node). Astro's transitive build tooling
# (vite, esbuild, @astrojs/compiler, rollup plugins) stays in node_modules
# because Astro itself declares them as runtime deps. Slimming those out
# would require verifying the dist/server bundle never imports `astro/*` at
# boot; not attempted here. Image-size tradeoff is accepted for now.
# (build + prune in one layer; separate RUNs would trip hadolint DL3059.)
RUN npm run build \
 && npm prune --omit=dev

FROM node:22-bookworm-slim AS runtime
WORKDIR /app
ENV NODE_ENV=production \
    HOST=0.0.0.0 \
    PORT=4321
# bookworm-slim: track the distro's current security-patched versions, don't pin.
# hadolint ignore=DL3008
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates tini \
 && rm -rf /var/lib/apt/lists/* \
 && groupadd --system --gid 1001 emdash \
 && useradd --system --uid 1001 --gid 1001 --home /app emdash \
 && mkdir -p /app/state/uploads \
 && chown -R emdash:emdash /app

COPY --from=build --chown=emdash:emdash /app/package.json ./
COPY --from=build --chown=emdash:emdash /app/node_modules ./node_modules
COPY --from=build --chown=emdash:emdash /app/dist ./dist
COPY --from=build --chown=emdash:emdash /app/seed ./seed

# Persistent state lives in /app/state (single PVC in k3s).
# STATE_DIR is intentionally NOT set here: the Helm chart injects
# STATE_DIR=/app/state (deploy/helm values.yaml), so the running app writes
# directly to /app/state/data.db and /app/state/uploads and these symlinks
# are never traversed. Leaving it unset keeps the image deploy-agnostic so a
# bare `docker run` / DDEV smoke test falls back to the WORKDIR (./data.db).
# The symlinks below only backstop that STATE_DIR-unset fallback
# (astro.config.mjs: `process.env.STATE_DIR ?? "."`), redirecting the default
# emdash paths into the volume — they do not contradict the STATE_DIR contract.
RUN ln -s /app/state/data.db /app/data.db \
 && ln -s /app/state/uploads /app/uploads

COPY --chown=emdash:emdash docker/entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh

USER emdash
EXPOSE 4321
VOLUME ["/app/state"]
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/entrypoint.sh"]
CMD ["node", "./dist/server/entry.mjs"]