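# Two-stage image for Bludit served by nginx + PHP-FPM 8.4 on Alpine.
# Stage 1 fetches the application source; stage 2 is the runtime image.

# ---- Build Stage (for Git clone only) ----
FROM alpine:3.21 AS builder

RUN apk add --no-cache git

WORKDIR /src

# NOTE(review): this clones the tip of the default branch, so every build
# ships whatever upstream contains at build time. Pin a release tag or commit
# and verify it for reproducible, reviewable builds.
# The .git directory is removed so repository metadata is not copied into the
# web root by the COPY --from=builder step below.
RUN git clone --depth 1 https://github.com/bludit/bludit.git . \
    && rm -rf .git

# ---- Final Image ----
FROM alpine:3.21

# Runtime packages: bash, nginx, PHP 8.4 FPM and extensions.
# The original list ended in "php84-tokenizerphp84" (two package names fused
# together) followed by packages already listed above; it is now
# "php84-tokenizer" and the duplicates are dropped.
# NOTE(review): php84-pecl-xdebug and php84-phpdbg are debugging tools, and
# many of the extensions below (ldap, snmp, ssh2, smbclient, odbc, ...) are
# probably unused by the application. Each adds attack surface; confirm which
# are needed in a runtime image and remove the rest.
RUN apk add --no-cache bash nginx \
    php84 php84-fpm php84-opcache php84-gd php84-zlib php84-curl php84-bz2 php84-bcmath \
    php84-exif php84-fileinfo php84-iconv php84-imap php84-intl php84-ldap php84-mbstring \
    php84-mysqli php84-odbc php84-pdo php84-pdo_mysql php84-pdo_odbc php84-pdo_pgsql \
    php84-pdo_sqlite php84-pdo_dblib php84-pear php84-pecl-imagick php84-pecl-memcache \
    php84-pecl-memcached php84-pecl-mongodb php84-pecl-redis php84-pecl-smbclient \
    php84-pecl-ssh2 php84-pecl-xdebug php84-pecl-yaml php84-pgsql php84-phar php84-phpdbg \
    php84-session php84-simplexml php84-snmp php84-soap php84-sockets php84-sodium \
    php84-sqlite3 php84-sysvmsg php84-tidy php84-xml php84-xmlreader php84-xmlwriter \
    php84-xsl php84-zip php84-ctype php84-tokenizer

# Add unprivileged user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup

# Copy nginx and PHP configuration from the build context
COPY nginx /etc/nginx
COPY php /etc/php84

# Create the web root and copy the application from the build stage
RUN mkdir -p /usr/share/nginx/html
COPY --from=builder /src /usr/share/nginx/html

# Set ownership and permissions on the web root.
# NOTE(review): the whole tree, PHP code included, becomes writable by the
# account that runs PHP. If the application only needs to write to its content
# directory, restrict write access to that path and leave the code read-only.
RUN chown -R appuser:appgroup /usr/share/nginx/html && chmod -R 755 /usr/share/nginx/html

# Runtime directory for PHP-FPM (pid/socket), owned by the unprivileged user
RUN mkdir -p /var/run/php && chown appuser:appgroup /var/run/php

# Ports: 80 is nginx (HTTP); 9000 is presumably the PHP-FPM FastCGI listener.
# NOTE(review): nginx and PHP-FPM share this container, so 9000 should not
# need to be reachable from outside. FastCGI is unauthenticated; confirm the
# FPM pool listens on 127.0.0.1 or a unix socket and do not publish 9000.
EXPOSE 80 9000

# Volume for the web root so site data can persist across containers
VOLUME ["/usr/share/nginx/html"]

# Run as the non-root user.
# NOTE(review): nginx then has to bind port 80 and write its pid, log and temp
# files as appuser. Confirm the copied nginx config and the container runtime
# allow that.
USER appuser

# Start PHP-FPM, then nginx in the foreground as the container's main process.
# nginx starts only if php-fpm84 returns 0, which assumes the copied FPM
# config leaves daemonize enabled (TODO confirm). PHP-FPM is not supervised:
# if it dies later, the container keeps running without it.
CMD ["/bin/sh", "-c", "php-fpm84 && nginx -g 'daemon off;'"]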