# get-installer: static distribution-channel image.
#
# Serves the installer bytes (install.sh, install.ps1, installer.py,
# registry.json) over HTTP. Pure read side: no database, no auth, and
# nothing in the image should ever write to the served tree at runtime.
# Suitable for deployment behind a CDN such as Cloudflare or Fastly.
#
# Multi-arch: builds for both linux/amd64 and linux/arm64 from the same
# Dockerfile. Build via buildx (see scripts/build-multiarch.sh):
#
#   docker buildx build \
#       --platform linux/amd64,linux/arm64 \
#       --tag simtabi/get-installer:dev \
#       --load .
#
# Base: Ubuntu 26.04 LTS (the official Docker Hub image, published as a
# multi-arch manifest list). Fall back to 24.04 if 26.04 isn't on
# Docker Hub yet:
#   docker buildx build --build-arg UBUNTU_TAG=24.04 …
#
# Pin by digest in production by replacing ``ubuntu:${UBUNTU_TAG}`` with
# ``ubuntu:${UBUNTU_TAG}@sha256:<digest>``. Tags are mutable, and this
# image hands out code that clients execute, so the base must not be
# swappable underneath the same tag.

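# Built under buildx (see header): `ubuntu:${UBUNTU_TAG}` is a multi-arch
# manifest list, so BuildKit resolves it to the image for the platform
# currently being built. No `--platform` on FROM: BuildKit already picks
# $TARGETPLATFORM for a stage by default, hadolint (DL3029) flags the
# explicit flag, and an empty $TARGETPLATFORM under a non-BuildKit
# builder would break the FROM line. There are no helper stages, so
# $BUILDPLATFORM is not needed either.
# Supply-chain note: the tag alone is mutable; production builds should
# pin the digest as described in the header.
ARG UBUNTU_TAG=26.04
FROM ubuntu:${UBUNTU_TAG}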

# OCI image metadata (org.opencontainers.image.*), grouped into a single
# instruction so it is one metadata-only layer.
LABEL org.opencontainers.image.title="get-installer" \
      org.opencontainers.image.description="Static distribution channel for the Simtabi installer" \
      org.opencontainers.image.source="https://github.com/simtabi/get-installer" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.vendor="Simtabi LLC"

# Process environment for both the build and every running container:
# UTC clock and a UTF-8 C locale for python3 and shell tooling.
# NOTE(review): DEBIAN_FRONTEND=noninteractive is a build-time apt/debconf
# setting; placing it in ENV leaks it into the runtime environment of
# every container. Harmless for a static server, but it would be cleaner
# set inline on the apt-get RUN step instead.
ENV TZ=Etc/UTC \
    LANG=C.UTF-8 \
    LC_ALL=C.UTF-8 \
    DEBIAN_FRONTEND=noninteractive

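# Runtime package set. Everything listed here ships in the final image,
# so each package is named with the reason it is needed:
#   nginx        the web server that serves /srv/www
#   supervisor   process manager started by ENTRYPOINT below
#   tini         PID 1 in front of supervisord (signal forwarding,
#                zombie reaping)
#   gosu         privilege drop by exec (no fork) for the entrypoint
#                script; not used by this Dockerfile itself
#   curl         used by HEALTHCHECK below
#   ca-certificates  TLS trust store for curl / python3
#   python3      local bundle rebuilds; the bundled installer.py is
#                python_requires >= 3.10 and works with the default
#                python3 of the target Ubuntu release
#   python3-pip  NOTE(review): not needed to serve static files and it
#                lets anyone with a shell in the container fetch and run
#                arbitrary code. Confirm a runtime script actually
#                depends on it; otherwise drop it.
# Versions are unpinned (hadolint DL3008); for this image reproducibility
# is better obtained by pinning the base image digest (see header) than
# by per-package pins that drift between Ubuntu releases.
# DEBIAN_FRONTEND is exported inside the step so the build never blocks
# on a debconf prompt regardless of the ENV above; apt lists are removed
# in the same layer so they never land in the image.
RUN export DEBIAN_FRONTEND=noninteractive \
 && apt-get update \
 && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        gosu \
        nginx \
        python3 \
        python3-pip \
        supervisor \
        tini \
 && rm -rf /var/lib/apt/lists/*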

# PUID/PGID build-time defaults (LinuxServer.io convention). The
# entrypoint script is documented as re-numbering the in-container
# `installer` user at runtime to match PUID/PGID env vars, so files the
# container writes into a mounted host directory do not come out
# root-owned on the host:
#
#   docker run -e PUID=$(id -u) -e PGID=$(id -g) ...
ARG PUID=1000
ARG PGID=1000

# Ubuntu 24.04+ ships a pre-created `ubuntu` account at UID/GID 1000.
# Remove it (home directory included) so `installer` can take 1000.
# getent is the existence check; the userdel is deliberately best-effort.
# NOTE(review): `installer` is given a home directory and /bin/bash even
# though this Dockerfile never switches to it. If the entrypoint only
# needs it as a gosu target, `--shell /usr/sbin/nologin` would be the
# least-privilege choice — confirm against docker/entrypoint.sh first.
RUN if getent passwd ubuntu >/dev/null 2>&1; then userdel -r ubuntu 2>/dev/null || true; fi \
 && groupadd --gid "$PGID" installer \
 && useradd --create-home --uid "$PUID" --gid "$PGID" --shell /bin/bash installer

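# Default working directory for exec'd processes. Nothing in this
# Dockerfile writes to it; the served content lives under /srv/www.
WORKDIR /app

# Copy the artefacts the CDN serves. Built locally before `docker build`
# via `python scripts/bundle.py`.
# `--chmod=0644` normalises file modes so a developer checkout with odd
# bits (group/world-writable, executable) cannot leak into the image;
# ownership stays at COPY's default root:root, so the user nginx serves
# as cannot modify the bytes. Nothing in the image executes install.sh
# or installer.py, so no exec bit is needed.
# NOTE(review): installer.py.sha256 is served from the same origin as
# installer.py. It lets clients detect truncation or corruption, but not
# a compromised origin or CDN — only an out-of-band signature would.
COPY --chmod=0644 dist/installer.py             /srv/www/installer.py
COPY --chmod=0644 dist/installer.py.sha256      /srv/www/installer.py.sha256
COPY --chmod=0644 bootstrap/install.sh          /srv/www/install.sh
COPY --chmod=0644 bootstrap/install.ps1         /srv/www/install.ps1
COPY --chmod=0644 registry.json                 /srv/www/registry.json
COPY --chmod=0644 schemas/registry.schema.json  /srv/www/schemas/registry.schema.json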

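# Per-product convenience aliases. Generated at *build* time, right here,
# from registry.json by deploy/build-aliases.sh so we don't hand-maintain
# a per-product directory. The script itself is not visible in this
# file; it presumably writes under /srv/www, whose ownership and modes
# are normalised by the chown/chmod step below.
# `--chmod=0755` replaces the separate `chmod +x` RUN, saving a layer.
COPY --chmod=0755 deploy/build-aliases.sh /usr/local/bin/build-aliases.sh
RUN /usr/local/bin/build-aliases.sh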

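# Service configuration. nginx.conf is expected to carry the `user
# www-data` directive that drops the worker processes (see below);
# the supervisor program definition lands in conf.d where the stock
# /etc/supervisor/supervisord.conf includes it. Modes are normalised to
# 0644 so the files are readable by the non-root workers but writable
# only by root.
COPY --chmod=0644 deploy/nginx.conf /etc/nginx/nginx.conf
COPY --chmod=0644 deploy/supervisor-static.conf /etc/supervisor/conf.d/get-installer.conf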

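# Served bytes must be world-readable, but must NOT be writable by the
# account nginx serves as. nginx's workers run as www-data (per its own
# `user` directive in deploy/nginx.conf); if www-data also *owned*
# /srv/www, a compromised worker could rewrite install.sh / installer.py
# and every downstream `curl | sh` client would execute the replacement.
# Keep the tree root-owned (COPY's default, re-asserted here because
# build-aliases.sh ran as root and may have created files) and strip any
# group/other write bits, so www-data has read + traverse and nothing
# more. The tini/supervisor processes still run as root (bind port 80,
# fork nginx, write PID files); only content ownership is fixed here.
RUN chown -R root:root /srv/www \
 && chmod -R a+rX,go-w /srv/www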

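# Entrypoint script (LinuxServer.io PUID/PGID convention): re-numbers the
# `installer` user to the caller's PUID/PGID and, when CHOWN_PATHS is
# set, fixes ownership of writable mounts at start time, so writes into
# host volumes land with the host user's ownership:
#
#   docker run -e PUID=$(id -u) -e PGID=$(id -g) ...
#
# The default deployment serves static content only, so the script has
# nothing to do and is effectively a passthrough.
#
# NOTE(review): the ENTRYPOINT at the bottom of this file starts
# tini -> supervisord directly and never invokes this script, so the
# PUID/PGID/CHOWN_PATHS handling only runs when a user overrides
# --entrypoint. Either put it in the chain
# (`tini -- /usr/local/bin/entrypoint /usr/bin/supervisord -c ...`,
# which requires the script to end in `exec "$@"`) or drop the claim
# that PUID/PGID are honoured at runtime.
# `--chmod=0755` replaces the separate `chmod +x` RUN, saving a layer.
COPY --chmod=0755 docker/entrypoint.sh /usr/local/bin/entrypoint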

# Documentation only (EXPOSE publishes nothing). 80 is a privileged port:
# binding it works because tini/supervisord run as root. The non-root
# override described at the ENTRYPOINT below may be unable to bind it on
# runtimes that keep ip_unprivileged_port_start at 1024.
EXPOSE 80

# Liveness probe for orchestrators: nginx must answer for install.sh on
# the IPv4 loopback within 5s (so the nginx config must listen on
# 127.0.0.1:80, not only on an IPv6 or external address). `-f` turns an
# HTTP status >= 400 into a non-zero exit, which marks the container
# unhealthy after three consecutive failures (the default retry count,
# made explicit here). Read-only, cheap, no side effects.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD curl -fsS -o /dev/null http://127.0.0.1/install.sh || exit 1

# PID 1 is tini, which forwards signals to and reaps zombies for
# supervisord; supervisord in turn runs the program(s) defined in
# /etc/supervisor/conf.d/get-installer.conf (presumably nginx). Both run
# as root — needed to bind port 80, write PID files and fork nginx —
# and nginx drops its workers to www-data via its own `user` directive.
# NOTE(review): /usr/local/bin/entrypoint is installed above but is not
# part of this chain, so the PUID/PGID handling it documents does not
# run by default.
# Running the container fully non-root by overriding user and entrypoint:
#   docker run --user $(id -u):$(id -g) --entrypoint /usr/local/bin/entrypoint \
#       simtabi/get-installer:dev <cmd>
# only works for a <cmd> that needs no root: nginx under an arbitrary
# UID typically cannot write its default PID/log paths, gosu cannot
# switch users without root, and binding :80 fails on runtimes that keep
# ip_unprivileged_port_start at 1024 (common under Kubernetes). Expect
# to supply a non-root nginx config alongside such an override.
ENTRYPOINT ["tini", "--", "/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
