# SPDX-FileCopyrightText: 2026 Johan Louwers <louwersj@gmail.com>
# SPDX-License-Identifier: Apache-2.0

# Base image reference, overridable with --build-arg. It is declared before
# FROM, so it is only in scope for the FROM line unless a stage redeclares it.
# The default names a tag with no digest, so what the tag resolves to can
# change between builds. For a reproducible, reviewable base, append the
# digest to the reference, e.g. "...:9-slim-fips@sha256:<digest>" (placeholder).
# Whoever sets this build argument chooses the root filesystem of the image,
# so restrict it to trusted registries in automated builds.
ARG ORACLE_LINUX_BASE_IMAGE="container-registry.oracle.com/os/oraclelinux:9-slim-fips"
FROM ${ORACLE_LINUX_BASE_IMAGE}

# Upstream nats-server release to install, and the expected SHA-256 of the
# release archive for each supported architecture. The download step fails
# the build if the archive does not match, so changing NATS_SERVER_VERSION
# requires updating both checksums in the same change.
# TARGETARCH has no default here; BuildKit fills it in for the target
# platform, and the download step falls back to amd64 when it is empty.
# All of these values can be overridden with --build-arg, so the checksum only
# pins the binary as long as the build invocation itself is trusted. Take new
# checksum values from the upstream release's published checksums rather than
# from hashing a freshly downloaded archive.
ARG NATS_SERVER_VERSION="2.14.1"
ARG TARGETARCH
ARG NATS_SERVER_LINUX_AMD64_SHA256="4638c389af67d4c747f5b3e6a9d363bfe8f6b86de37d7c4ee3a36b283a5c2ce2"
ARG NATS_SERVER_LINUX_ARM64_SHA256="0bdd20ad850e66a484dcb126f6ce610079520b56d9e8518d099e0864ab8171a1"

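# Re-import the pre-FROM build argument into this stage. With no value given,
# the global default (or the --build-arg override) is inherited, so the
# base.name label below records the base image that was actually used instead
# of a hard-coded string that goes stale when the argument is overridden.
ARG ORACLE_LINUX_BASE_IMAGE

# OCI image metadata: title, description, source repository, documentation,
# licence and the base image reference.
# NOTE(review): the labels describe the base image as FIPS. The nats-server
# binary is downloaded from the upstream release later in this file, so whether
# its own cryptography runs in a validated mode is not established here.
# Confirm before treating the service itself as FIPS-compliant.
LABEL org.opencontainers.image.title="nats-sinks NATS JetStream FIPS test service" \
      org.opencontainers.image.description="Local test-only NATS JetStream service built on Oracle Linux 9 slim FIPS." \
      org.opencontainers.image.source="https://github.com/ProjectCuillin/nats-sinks" \
      org.opencontainers.image.documentation="https://nats-sinks.readthedocs.io/en/latest/nats-jetstream-test-container/" \
      org.opencontainers.image.licenses="Apache-2.0" \
      org.opencontainers.image.base.name="${ORACLE_LINUX_BASE_IMAGE}"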

# Install the OS packages the later build steps rely on:
#   ca-certificates - trust store for the HTTPS download of the release archive
#   gzip, tar       - unpack the release archive
#   shadow-utils    - provides groupadd/useradd for the service account
# Weak dependencies are disabled, and the package caches are removed in the
# same layer so they do not persist in the image.
# Package versions are not pinned, so the result follows whatever the enabled
# repositories serve at build time. This is a single-stage build, so these
# build-time tools also remain in the runtime image.
# NOTE(review): curl is used by the download step but is not installed here;
# it is assumed to ship in the base image - confirm.
RUN microdnf install -y --setopt=install_weak_deps=0 \
        ca-certificates \
        gzip \
        shadow-utils \
        tar \
    && microdnf clean all \
    && rm -rf /var/cache/dnf /var/cache/yum

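# Download the pinned nats-server release for the target architecture, verify
# it against the expected SHA-256 before unpacking, and install only the
# server binary.
#   - TARGETARCH selects the archive and its checksum; anything other than
#     amd64/arm64 aborts the build. An empty TARGETARCH (a builder that does
#     not set it) falls back to amd64 regardless of the host architecture.
#   - curl is limited to HTTPS for the request and for every redirect it
#     follows (-L), so the transfer cannot be downgraded to another protocol.
#   - sha256sum -c exits non-zero on a mismatch and `set -e` stops the build,
#     so an archive that fails verification is never extracted.
#   - The archive and the unpack directory are removed in this same layer.
# NOTE(review): the checksum proves the archive matches the pinned value, not
# who published it. The pinned values are only as trustworthy as the process
# used to obtain them.
RUN set -eux; \
    case "${TARGETARCH:-amd64}" in \
        "amd64") nats_arch="amd64"; checksum="${NATS_SERVER_LINUX_AMD64_SHA256}" ;; \
        "arm64") nats_arch="arm64"; checksum="${NATS_SERVER_LINUX_ARM64_SHA256}" ;; \
        *) echo "Unsupported target architecture: ${TARGETARCH}" >&2; exit 1 ;; \
    esac; \
    archive="nats-server-v${NATS_SERVER_VERSION}-linux-${nats_arch}.tar.gz"; \
    url="https://github.com/nats-io/nats-server/releases/download/v${NATS_SERVER_VERSION}/${archive}"; \
    curl -fsSL --proto '=https' --proto-redir '=https' "${url}" -o "/tmp/${archive}"; \
    printf '%s  %s\n' "${checksum}" "/tmp/${archive}" | sha256sum -c -; \
    mkdir -p /tmp/nats-server; \
    tar -xzf "/tmp/${archive}" -C /tmp/nats-server --strip-components=1; \
    install -m 0755 /tmp/nats-server/nats-server /usr/local/bin/nats-server; \
    rm -rf "/tmp/${archive}" /tmp/nats-server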

# Create the unprivileged service account with a fixed numeric UID/GID
# (10001), the same values used by the COPY --chown and USER instructions
# below. The account has no login shell (/sbin/nologin) and its home is the
# data directory /var/lib/nats.
# The config directory and the JetStream data directory are created here and
# handed to that account.
# NOTE(review): chown -R also makes /etc/nats writable by the runtime user.
# If nothing needs to rewrite the configuration at runtime, keeping it
# root-owned and read-only for the service is the tighter setup - confirm.
# NOTE(review): useradd is not told to skip home creation, so depending on the
# base image's defaults it may populate /var/lib/nats from the skeleton
# directory - confirm whether that is wanted in the data volume.
RUN groupadd --gid 10001 nats \
    && useradd --uid 10001 --gid 10001 --home-dir /var/lib/nats --shell /sbin/nologin nats \
    && mkdir -p /etc/nats /var/lib/nats/jetstream \
    && chown -R 10001:10001 /etc/nats /var/lib/nats

# Bake the server configuration from the build context into the image, owned
# by the service account. Everything in this file becomes part of an image
# layer and is readable by anyone who can pull the image.
# NOTE(review): the contents of nats-server.conf are not visible here. If it
# carries credentials or tokens, supply them at runtime instead - confirm.
COPY --chown=10001:10001 nats-server.conf /etc/nats/nats-server.conf

# Run as the unprivileged nats account. The numeric UID:GID form lets a
# runtime verify that the container is non-root without resolving a name.
USER 10001:10001
# EXPOSE is documentation only and does not publish anything.
# NOTE(review): 4222 and 8222 are the conventional NATS client and HTTP
# monitoring ports; the actual listeners are set in nats-server.conf, which is
# not shown here. The monitoring endpoint is typically unauthenticated, so
# publish 8222 only to trusted networks - confirm against the config.
EXPOSE 4222 8222
# Declared after /var/lib/nats was created and chowned, so a fresh volume
# starts with the directory layout and ownership prepared during the build.
VOLUME ["/var/lib/nats"]
# Exec form: nats-server is started directly without a shell wrapper, so it
# receives stop signals itself. CMD holds the default arguments and can be
# replaced at `docker run` without changing the entrypoint.
ENTRYPOINT ["nats-server"]
CMD ["-c", "/etc/nats/nats-server.conf"]
