# ============================================================
# Dockerfile - Nuxt SSR Production (Multi-stage Build)
# Project: BCNN Affairs
# ============================================================

# ---- Stage 1: Build ----
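# NOTE(review): node:20-slim is a floating tag. Pin it by digest
# (node:20-slim@sha256:<DIGEST_PLACEHOLDER>) so a re-tagged or tampered base
# image cannot silently change what this stage builds.
FROM node:20-slim AS builder

WORKDIR /app

# Toolchain for compiling native modules (oracledb) plus the tools needed to
# fetch and unpack the Oracle Instant Client. ca-certificates is required so
# wget can validate the TLS certificate of download.oracle.com.
RUN apt-get update && apt-get install -y --no-install-recommends \
  ca-certificates \
  g++ \
  libaio1 \
  make \
  python3 \
  unzip \
  wget \
  && rm -rf /var/lib/apt/lists/*

# Expected SHA-256 of the Instant Client archive. TLS only authenticates the
# download host; it does not prove the archive is the one that was reviewed.
# Supply the digest published by Oracle for this exact version at build time:
#   docker build --build-arg INSTANTCLIENT_SHA256=<SHA256_PLACEHOLDER> .
# The default is empty so existing builds keep working, but CI should always
# set it; an unset value only produces a warning below.
ARG INSTANTCLIENT_SHA256=""

# Download, verify, and unpack Oracle Instant Client, then register its
# directory with the dynamic linker. Absolute paths are used instead of `cd`
# so each command is unambiguous about where it writes.
RUN mkdir -p /opt/oracle && \
  wget -q "https://download.oracle.com/otn_software/linux/instantclient/1929000/instantclient-basic-linux.x64-19.29.0.0.0dbru.zip" \
    -O /opt/oracle/instantclient.zip && \
  if [ -n "${INSTANTCLIENT_SHA256}" ]; then \
    echo "${INSTANTCLIENT_SHA256}  /opt/oracle/instantclient.zip" | sha256sum -c -; \
  else \
    echo "WARNING: INSTANTCLIENT_SHA256 not set; Oracle Instant Client archive integrity was NOT verified" >&2; \
  fi && \
  unzip -q /opt/oracle/instantclient.zip -d /opt/oracle && \
  rm -f /opt/oracle/instantclient.zip && \
  echo /opt/oracle/instantclient_19_29 > /etc/ld.so.conf.d/oracle-instantclient.conf && \
  ldconfig

ENV LD_LIBRARY_PATH=/opt/oracle/instantclient_19_29

# Copy only the manifests first so the dependency layer stays cached until
# package.json or package-lock.json changes.
COPY package.json package-lock.json ./

# npm ci installs exactly what the lockfile records (devDependencies included,
# because the Nuxt build needs them).
RUN npm ci

# Copy the rest of the project.
# NOTE(review): this pulls in the whole build context. Confirm a .dockerignore
# excludes .env files, .git, node_modules and any credentials (e.g. Oracle
# wallets) so they never land in a builder layer or the build cache.
COPY . .

# Build the Nuxt application; the production stage consumes /app/.output.
RUN npm run build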

# ---- Stage 2: Production ----
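# NOTE(review): node:20-slim is a floating tag. Pin it by digest
# (node:20-slim@sha256:<DIGEST_PLACEHOLDER>) so the runtime base is
# reproducible and cannot change underneath a rebuild.
FROM node:20-slim AS production

WORKDIR /app

# Runtime-only packages: libaio1 for the Oracle client, curl for the
# HEALTHCHECK, gosu so the entrypoint can drop from root to appuser.
RUN apt-get update && apt-get install -y --no-install-recommends \
  curl \
  gosu \
  libaio1 \
  && rm -rf /var/lib/apt/lists/*

# Unprivileged system account the application process runs as.
RUN groupadd -r appuser && useradd -r -g appuser -d /app appuser

# Bring the Oracle Instant Client over from the builder stage and register it
# with the dynamic linker; the download tooling stays behind in the builder.
COPY --from=builder /opt/oracle/instantclient_19_29 /opt/oracle/instantclient_19_29
RUN echo /opt/oracle/instantclient_19_29 > /etc/ld.so.conf.d/oracle-instantclient.conf && ldconfig

# Set Oracle environment
ENV LD_LIBRARY_PATH=/opt/oracle/instantclient_19_29

# Install production-only dependencies from the lockfile; devDependencies and
# the compiler toolchain never reach this image.
COPY --from=builder /app/package.json /app/package-lock.json ./
RUN npm ci --omit=dev

# Copy the built output from builder stage
COPY --from=builder /app/.output /app/.output

# Copy static uploads to a SEED directory outside the volume mount point.
# This ensures static assets (banners, staff photos, header logo) are synced
# into the named volume on every container start, even on existing volumes.
COPY --from=builder /app/public/uploads /app/uploads_seed

# Runtime configuration. NODE_PATH lets Nitro resolve native modules.
ENV NODE_ENV=production \
    HOST=0.0.0.0 \
    PORT=3008 \
    NITRO_PORT=3008 \
    NODE_PATH=/app/node_modules

# Hand /app to the unprivileged user.
# NOTE(review): this also makes the application code (.output, node_modules)
# writable by the runtime user, so a compromised app process could alter its
# own code. If only the uploads volume needs to be writable, consider leaving
# the code root-owned; verify against docker-entrypoint.sh before changing.
RUN chown -R appuser:appuser /app

# The entrypoint executes as root before dropping privileges, so it must be
# root-owned and not writable by anyone else. An explicit 0755 is used instead
# of `chmod +x`, which would keep any group/other write bits the file carried
# in the build context.
COPY --chown=root:root docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
RUN chmod 0755 /usr/local/bin/docker-entrypoint.sh

# Expose the port
EXPOSE 3008

# Health check: -f fails on HTTP errors, -sS hides the progress meter but
# still prints the error message into the health log.
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
  CMD curl -fsS http://localhost:3008/affairs/ || exit 1

# There is deliberately no USER instruction: the container starts as root so
# the entrypoint can seed the upload volume and fix its permissions, then drop
# to appuser.
# NOTE(review): the privilege drop lives entirely in docker-entrypoint.sh,
# which is not visible here. Confirm it ends with `exec gosu appuser "$@"`.
# Anything that bypasses the entrypoint (`docker run --entrypoint ...`,
# `docker exec` without `-u appuser`) runs as root.
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
CMD ["node", ".output/server/index.mjs"]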
