ARG POSTHOG_HOST=https://app.posthog.com
ARG POSTHOG_API_KEY=posthog-api-key
ARG INTERCOM_ID=intercom-id
ARG CAPTCHA_SITE_KEY=captcha-site-key

FROM node:20.19.5-trixie-slim AS base

# Fixes NPM vulnerability: https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
RUN npm install -g npm@10.9.0

FROM base AS frontend-dependencies

WORKDIR /app

COPY frontend/package.json frontend/package-lock.json  ./

# Install dependencies
RUN npm ci --only-production --ignore-scripts

# Rebuild the source code only when needed
FROM base AS frontend-builder
WORKDIR /app

# Copy dependencies
COPY --from=frontend-dependencies /app/node_modules ./node_modules
# Copy all files
COPY /frontend .

ENV NODE_ENV production
ARG POSTHOG_HOST
ENV VITE_POSTHOG_HOST $POSTHOG_HOST
ARG POSTHOG_API_KEY
ENV VITE_POSTHOG_API_KEY $POSTHOG_API_KEY
ARG INTERCOM_ID
ENV VITE_INTERCOM_ID $INTERCOM_ID
ARG INFISICAL_PLATFORM_VERSION
ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
ARG CAPTCHA_SITE_KEY
ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
ENV NODE_OPTIONS="--max-old-space-size=8192"

# Build
RUN npm run build

# Production image
FROM base AS frontend-runner
WORKDIR /app

RUN groupadd --system --gid 1001 nodejs
RUN useradd --system --uid 1001 --gid nodejs non-root-user

COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./

USER non-root-user

##
## BACKEND
##
FROM base AS backend-build

ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/

WORKDIR /app

# Install all required dependencies for build
RUN apt-get update && apt-get install -y \
    python3 \
    make \
    g++ \
    unixodbc \
    freetds-bin \
    unixodbc-dev \
    libc-dev \
    freetds-dev \
    && rm -rf /var/lib/apt/lists/*

RUN groupadd --system --gid 1001 nodejs
RUN useradd --system --uid 1001 --gid nodejs non-root-user

COPY backend/package*.json ./
RUN npm ci --only-production

COPY /backend .
COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
RUN npm i -D tsconfig-paths
ENV NODE_OPTIONS="--max-old-space-size=8192"
RUN npm run build

# Production stage
FROM base AS backend-runner

ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/

WORKDIR /app

# Install all required dependencies for runtime
RUN apt-get update && apt-get install -y \
    python3 \
    make \
    g++ \
    unixodbc \
    freetds-bin \
    unixodbc-dev \
    libc-dev \
    freetds-dev \
    && rm -rf /var/lib/apt/lists/*

# Configure ODBC
RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini

COPY backend/package*.json ./
RUN npm ci --only-production

COPY --from=backend-build /app .

RUN mkdir frontend-build

# Production stage
FROM base AS production

RUN apt-get update && apt-get install -y \
    build-essential \
    autoconf \
    automake \
    libtool \
    libssl-dev \
    ca-certificates \
    bash \
    curl \
    git \
    python3 \
    make \
    g++ \
    unixodbc \
    freetds-bin \
    unixodbc-dev \
    libc-dev \
    freetds-dev \
		wget \
    openssh-client \
    && rm -rf /var/lib/apt/lists/*

# Install Infisical CLI
RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
    && apt-get update && apt-get install -y infisical=0.43.14 \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /

# Configure ODBC in production
RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini

# Setup user permissions
RUN groupadd --system --gid 1001 nodejs \
  && useradd --system --uid 1001 --gid nodejs non-root-user

# Give non-root-user permission to update SSL certs
RUN chown -R non-root-user /etc/ssl/certs
RUN chown non-root-user /etc/ssl/certs/ca-certificates.crt
RUN chmod -R u+rwx /etc/ssl/certs
RUN chmod u+rw /etc/ssl/certs/ca-certificates.crt
RUN chown non-root-user /usr/sbin/update-ca-certificates
RUN chmod u+rx /usr/sbin/update-ca-certificates

## set pre baked keys
ARG POSTHOG_API_KEY
ENV POSTHOG_API_KEY=$POSTHOG_API_KEY
ARG INTERCOM_ID=intercom-id
ENV INTERCOM_ID=$INTERCOM_ID
ARG CAPTCHA_SITE_KEY
ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY

COPY --from=backend-runner /app /backend
COPY --from=frontend-runner /app ./backend/frontend-build

ARG INFISICAL_PLATFORM_VERSION
ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION

ARG DD_GIT_REPOSITORY_URL
ENV DD_GIT_REPOSITORY_URL $DD_GIT_REPOSITORY_URL

ARG DD_GIT_COMMIT_SHA
ENV DD_GIT_COMMIT_SHA $DD_GIT_COMMIT_SHA

ENV PORT 8080
ENV HOST=0.0.0.0
ENV HTTPS_ENABLED false
ENV NODE_ENV production
ENV STANDALONE_BUILD true
ENV STANDALONE_MODE true
ENV NODE_OPTIONS="--max-old-space-size=1024"
ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/

WORKDIR /backend

ENV TELEMETRY_ENABLED true

EXPOSE 8080
EXPOSE 443

USER non-root-user

CMD ["./standalone-entrypoint.sh"]