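# Two-stage build of the GrapheneOS AttestationServer:
#   builder - clones upstream, patches the bind address and domain, builds the
#             JARs and post-processes the static files
#   runtime - JRE-only image that starts through entrypoint.sh
#
# NOTE(review): both base images are pinned by tag only. Pin them by digest if
# the build has to be reproducible and auditable.
FROM eclipse-temurin:21-jdk-jammy AS builder

WORKDIR /build

# Build-time tools in a single layer. ca-certificates is listed explicitly
# because --no-install-recommends would otherwise not pull it in for the HTTPS
# clone; openssl and sed are used by the static-file processing step below.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        git \
        openssl \
        sed \
    && rm -rf /var/lib/apt/lists/*

# NOTE(review): this builds whatever the upstream default branch (and its
# submodules) contains at build time, and a cached layer can silently be stale.
# Check out a reviewed tag or commit if the image must map to known source.
RUN git clone --depth 1 --recurse-submodules https://github.com/GrapheneOS/AttestationServer.git .

# Patch the server to bind to 0.0.0.0 instead of localhost (::1).
# This is required for Docker networking to work.
# The grep makes the build fail if upstream changed the line and the sed
# silently matched nothing, instead of shipping a server nobody can reach.
RUN sed -i 's/new InetSocketAddress("::1", 8080)/new InetSocketAddress("0.0.0.0", 8080)/' \
        src/main/java/app/attestation/server/AttestationServer.java \
    && grep -qF 'new InetSocketAddress("0.0.0.0", 8080)' \
        src/main/java/app/attestation/server/AttestationServer.java

# Build argument for domain configuration. Declared here, right before its
# first use, so changing it does not invalidate the layers above.
ARG DOMAIN=attestation.app

# Patch the domain using the build argument.
# - The value is spliced into a sed expression, so anything outside a
#   hostname[:port] character set (notably '/', '&' and '\') is rejected.
# - The dot in the search pattern is escaped so only the literal string
#   "attestation.app" is rewritten.
RUN case "${DOMAIN}" in \
        ""|*[!A-Za-z0-9._:-]*) echo "DOMAIN contains unsupported characters: ${DOMAIN}" >&2; exit 1 ;; \
    esac \
    && sed -i "s/attestation\.app/${DOMAIN}/g" \
        src/main/java/app/attestation/server/AttestationServer.java

# Tests are skipped (-x test); the image only needs the built artifacts.
RUN chmod +x gradlew && ./gradlew build -x test --no-daemon

# Process static files (replace {{css|...}} and {{js|...}} templates with SRI hashes).
COPY process-static-docker.sh /tmp/process-static.sh
RUN chmod +x /tmp/process-static.sh && /tmp/process-static.sh

# --- Runtime ---
FROM eclipse-temurin:21-jre-jammy AS runtime

# NOTE(review): nothing in this Dockerfile uses curl; presumably it is there for
# a health check defined elsewhere. Drop it if nothing needs it.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
    && rm -rf /var/lib/apt/lists/*

# Unprivileged system account with no login shell and a fixed UID.
RUN useradd -r -s /bin/false -u 1000 attestation

WORKDIR /app

# Copy the custom sqlite4java native library from the submodule.
# This is built with newer SQLite that supports STRICT tables.
# NOTE(review): only the linux-amd64 build is copied, so the image will not
# work on other architectures as written.
COPY --from=builder /build/libs/sqlite4java-prebuilt/libsqlite4java-linux-amd64-1.0.392.so /app/libs/

# Copy all JARs from builder.
COPY --from=builder /build/build/libs/*.jar ./libs/

# Copy processed static files.
COPY --from=builder /build/static ./static-orig/

COPY entrypoint.sh .
RUN chmod +x /app/entrypoint.sh

# Create directories and set permissions.
#   /data       - for SQLite databases
#   /srv/static - for sharing static files with caddy
# NOTE(review): chown -R on /app also hands the JARs and entrypoint.sh (which
# starts as root) to the unprivileged runtime user. If the server only needs to
# write to /data and /srv/static, leave /app owned by root so a compromised
# server process cannot modify code that root executes on the next start.
# Confirm against entrypoint.sh before changing.
RUN mkdir -p /data /srv/static && \
    chown -R attestation:attestation /app /data /srv/static

# The bind-address patch makes the server listen on every container interface.
# Keep 8080 reachable only from the reverse proxy's network rather than
# publishing it on the host.
EXPOSE 8080

# Run as root initially to fix permissions, entrypoint will drop privileges.
# NOTE(review): there is deliberately no USER instruction, so everything depends
# on entrypoint.sh (not shown here) exec'ing the JVM as `attestation`. Verify
# that it does.
ENTRYPOINT ["/app/entrypoint.sh"]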