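# Dockerfile for Workweaver Landing Page
# ARM64-optimized for M1/M2 Mac and AWS Graviton
# NOTE(review): the base image is pinned by digest; confirm that the digest is
# a multi-arch index (or the arm64 manifest), otherwise the ARM64 statement
# above does not hold for this build.
#
# Two stages share one pinned base image. Nothing is compiled or copied between
# them: `builder` only names the pinned base and carries the static labels, and
# the final stage adds the site content from the build context.

# The stage name is kept so that `--target builder` still resolves.
FROM nginx:alpine@sha256:f46cb72c7df02710e693e863a983ac42f6a9579058a59a35f1ae36c9958e4ce0 AS builder

LABEL maintainer="workweaver-prod"
LABEL description="Workweaver landing page - product website"
LABEL org.opencontainers.image.title="Workweaver Landing Page"

# Final stage.
# Derived from `builder` instead of repeating the base reference: labels set on
# a stage that nothing references are discarded with that stage, so they never
# reached the shipped image. This also keeps the digest pin in one place.
FROM builder

# curl is needed only by the HEALTHCHECK below.
# --no-cache already avoids leaving an apk index behind, so no separate cache
# cleanup is required.
# NOTE(review): the package version is not pinned, so the curl build installed
# can differ between image builds.
RUN apk add --no-cache \
    curl

# Remove default nginx static assets
RUN rm -rf /usr/share/nginx/html/*

# Copy static files from the build context (not from another stage).
# NOTE(review): nginx:nginx ownership makes the web root writable by the nginx
# worker user. Root-owned, world-readable content is the least-privilege
# choice; confirm the file modes under public/ before changing it.
COPY --chown=nginx:nginx public/ /usr/share/nginx/html/

# Custom nginx config (local Docker proxies + security headers).
# Copied without --chown, so it stays root-owned.
COPY nginx/default.conf /etc/nginx/conf.d/default.conf

# Build-time provenance values, supplied with --build-arg. They are declared
# late because they change on every build and would otherwise invalidate the
# cached layers above. ARG values end up in the image history, so these must
# never carry secrets.
ARG SCAN_BUILD_DATE
ARG SCAN_VCS_REF

# OCI provenance labels on the shipped image. An ARG that is not supplied
# expands to an empty string, so an unstamped build is recognisable by empty
# created/revision values.
LABEL org.opencontainers.image.created="${SCAN_BUILD_DATE}"
LABEL org.opencontainers.image.revision="${SCAN_VCS_REF}"

# Expose port 80
# NOTE(review): there is no USER instruction, so the nginx master process
# starts as root. Running unprivileged would need a port above 1024 and
# writable pid/cache paths in nginx/default.conf, which is not visible here.
EXPOSE 80

# Health check - healthy only when GET / returns exactly 200. A redirect, an
# error status or a failed connection (curl prints 000) is reported unhealthy.
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
    CMD curl -s -o /dev/null -w "%{http_code}" http://localhost/ | grep -q "^200$" || exit 1

# nginx runs in foreground so it stays PID 1 and receives stop signals.
CMD ["nginx", "-g", "daemon off;"]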
