# syntax=docker/dockerfile:1.7
#
# Build:
#   docker build \
#     --secret id=gitea_pypi_user,env=GITEA_PYPI_USER \
#     --secret id=gitea_pypi_password,env=GITEA_PYPI_TOKEN \
#     -t gitea.coulomb.social/coulomb/vergabe-teilnahme:<tag> .
#
# The optional secrets let uv authenticate to the Gitea Python package
# registry when resolving issue-core.


# ─── Stage 1 ─── Vite + Tailwind asset build ────────────────────────────────
FROM node:22-alpine AS assets
WORKDIR /build
COPY package.json package-lock.json ./
RUN npm ci --no-audit --no-fund
COPY vite.config.js ./
COPY static/src ./static/src
# Tailwind v4 scans these for utility-class usage at build time. They must be
# present or the generated CSS omits every utility class (broken layout, giant
# SVG icons). Paths mirror the @source directive in static/src/main.css.
COPY vergabe_teilnahme/templates ./vergabe_teilnahme/templates
RUN npm run build
# Output: /build/static/dist/main.css


# ─── Stage 2 ─── Python deps via uv ─────────────────────────────────────────
FROM python:3.12-slim-bookworm AS python-deps

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    UV_LINK_MODE=copy \
    UV_PYTHON_DOWNLOADS=never

RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential libpq-dev curl ca-certificates \
    && rm -rf /var/lib/apt/lists/*

COPY --from=ghcr.io/astral-sh/uv:0.5.11 /uv /usr/local/bin/uv

WORKDIR /app
COPY pyproject.toml uv.lock ./
RUN --mount=type=secret,id=gitea_pypi_user,required=false \
    --mount=type=secret,id=gitea_pypi_password,required=false \
    sh -eu -c '\
      if [ -f /run/secrets/gitea_pypi_user ]; then \
        export UV_INDEX_GITEA_USERNAME="$(cat /run/secrets/gitea_pypi_user)"; \
      fi; \
      if [ -f /run/secrets/gitea_pypi_password ]; then \
        export UV_INDEX_GITEA_PASSWORD="$(cat /run/secrets/gitea_pypi_password)"; \
      fi; \
      uv sync --no-dev --no-install-project \
    '


# ─── Stage 3 ─── Runtime image ──────────────────────────────────────────────
FROM python:3.12-slim-bookworm AS runtime

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    DJANGO_SETTINGS_MODULE=vergabe_teilnahme.settings.prod \
    PATH=/app/.venv/bin:$PATH \
    PORT=8000

RUN apt-get update && apt-get install -y --no-install-recommends \
        libpq5 curl ca-certificates \
    && rm -rf /var/lib/apt/lists/* \
    && groupadd -r app && useradd -r -g app -d /app -s /sbin/nologin app

WORKDIR /app

COPY --from=python-deps /app/.venv ./.venv

COPY --chown=app:app manage.py pyproject.toml ./
COPY --chown=app:app vergabe_teilnahme ./vergabe_teilnahme
COPY --chown=app:app static/src ./static/src
COPY --chown=app:app static/vendor ./static/vendor
COPY --chown=app:app templates ./templates
COPY --from=assets --chown=app:app /build/static/dist ./static/dist

RUN mkdir -p ./media ./staticfiles ./.issue-facade && chown -R app:app /app

# collectstatic needs SECRET_KEY + ALLOWED_HOSTS but no DB; provide placeholders.
RUN SECRET_KEY=build-only ALLOWED_HOSTS=localhost \
    python manage.py collectstatic --noinput

USER app
EXPOSE 8000

HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
    CMD curl -fsS http://127.0.0.1:8000/health/ || exit 1

CMD ["gunicorn", "vergabe_teilnahme.wsgi:application", \
     "--bind", "0.0.0.0:8000", \
     "--workers", "3", \
     "--access-logfile", "-", \
     "--error-logfile", "-"]
