# ---------------------------------------------------------------------------
# Stage 1 — deps: install production dependencies only
# ---------------------------------------------------------------------------
# node:22-slim (Debian slim) is used instead of Alpine so that
# better-sqlite3 can use its pre-built glibc binaries rather than
# compiling from source (Alpine uses musl libc — no pre-builds exist).
# This keeps build times fast (~1 min vs ~5 min for source compilation).
FROM node:22-slim AS deps

WORKDIR /app

# Copy manifests and install production deps only (no devDependencies).
# prebuild-install will download the pre-built better-sqlite3 binary for
# linux-x64-glibc, so no C++ toolchain is needed here.
COPY package.json package-lock.json ./
RUN npm ci --omit=dev

# ---------------------------------------------------------------------------
# Stage 2 — runtime image (minimal attack surface)
# ---------------------------------------------------------------------------
FROM node:22-slim AS runtime

LABEL org.opencontainers.image.title="sofarr"
LABEL org.opencontainers.image.description="Personal media download dashboard for *arr services"
LABEL org.opencontainers.image.authors="Gordon Bolton"
LABEL org.opencontainers.image.source="https://git.i3omb.com/Gandalf/sofarr"
LABEL org.opencontainers.image.url="https://docker.i3omb.com"
LABEL org.opencontainers.image.vendor="Gordon Bolton"
LABEL org.opencontainers.image.licenses="MIT"
LABEL custom.hardware.requirement="None - runs on any Docker-supported platform including ARM and x86_64"

# Use the built-in non-root 'node' user (UID 1000) from the official image
# The /app directory is owned by root; data directory is owned by node
WORKDIR /app

# Copy production deps from deps stage (includes pre-built better-sqlite3)
COPY --from=deps /app/node_modules ./node_modules

# Copy application source owned by root (read-only at runtime)
COPY --chown=root:root server/ ./server/
COPY --chown=root:root public/ ./public/
COPY --chown=root:root package.json ./

# Persistent data directory owned by node user (SQLite token store, logs)
RUN mkdir -p /app/data && chown node:node /app/data

ENV NODE_ENV=production
ENV DATA_DIR=/app/data

# Drop to non-root user for all subsequent operations
USER node

EXPOSE 3001

# HEALTHCHECK — Docker will restart the container if this fails 3 times.
# Uses node's built-in http module (no wget/curl needed in slim image).
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD node -e "require('http').get('http://localhost:3001/health',r=>{process.exit(r.statusCode===200?0:1)}).on('error',()=>process.exit(1))"

CMD ["node", "server/index.js"]