Lesstime/infra/prod/Dockerfile

# --- Stage 1: Build backend ---
FROM php:8.4-cli AS backend-build

RUN apt-get update && apt-get install -y \
        libicu-dev libpq-dev libpng-dev libzip-dev libxml2-dev \
        unzip curl git \
    && docker-php-ext-install -j$(nproc) intl pdo_pgsql zip gd opcache \
    && rm -rf /var/lib/apt/lists/*

COPY --from=composer:2 /usr/bin/composer /usr/bin/composer

WORKDIR /app
COPY composer.json composer.lock symfony.lock ./
RUN APP_ENV=prod APP_DEBUG=0 composer install --no-dev --no-scripts --no-interaction

COPY bin bin/
COPY config config/
COPY migrations migrations/
COPY public public/
COPY src src/

RUN composer dump-autoload --optimize --no-dev

# --- Stage 2: Build frontend ---
FROM node:lts-alpine AS frontend-build

WORKDIR /app/frontend
COPY frontend/package.json frontend/package-lock.json ./
RUN npm ci

COPY frontend/ ./

# Sentry / GlitchTip (front) — fourni au BUILD :
#  - NUXT_PUBLIC_SENTRY_DSN est bake dans le bundle statique (SPA generee).
#  - SENTRY_URL/ORG/PROJECT/AUTH_TOKEN servent a uploader les source maps.
# Si NUXT_PUBLIC_SENTRY_DSN est vide, le module Sentry n'est pas charge (no-op).
ARG NUXT_PUBLIC_SENTRY_DSN=""
ARG SENTRY_URL=""
ARG SENTRY_ORG=""
ARG SENTRY_PROJECT=""
ARG SENTRY_AUTH_TOKEN=""

ENV CI=1 \
    NUXT_TELEMETRY_DISABLED=1 \
    NUXT_PUBLIC_API_BASE=/api \
    NUXT_PUBLIC_APP_BASE=/ \
    NUXT_PUBLIC_SENTRY_DSN=$NUXT_PUBLIC_SENTRY_DSN \
    SENTRY_URL=$SENTRY_URL \
    SENTRY_ORG=$SENTRY_ORG \
    SENTRY_PROJECT=$SENTRY_PROJECT \
    SENTRY_AUTH_TOKEN=$SENTRY_AUTH_TOKEN
RUN npm run generate

# --- Stage 3: Production image ---
FROM php:8.4-fpm AS production

RUN apt-get update && apt-get install -y \
        libicu-dev libpq-dev libpng-dev libzip-dev libxml2-dev \
        nginx supervisor smbclient ca-certificates \
    && docker-php-ext-install -j$(nproc) intl pdo_pgsql zip gd opcache \
    && rm -rf /var/lib/apt/lists/*

# CA racine interne MALIO (auto-signée) — permet au SDK Sentry/HttpClient de
# joindre les services HTTPS internes (ex. GlitchTip sur logs.malio-dev.fr).
COPY infra/prod/malio-dev-root-ca.crt /usr/local/share/ca-certificates/malio-dev-root-ca.crt
RUN update-ca-certificates

# PHP production config
RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"

# PHP-FPM: forward worker output to stderr for docker logs
RUN echo "catch_workers_output = yes" >> /usr/local/etc/php-fpm.d/www.conf \
    && echo "decorate_workers_output = no" >> /usr/local/etc/php-fpm.d/www.conf

# Nginx: log to stdout/stderr
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log

# Remove default nginx site
RUN rm -f /etc/nginx/sites-enabled/default

# Configs
COPY infra/prod/supervisord.conf /etc/supervisor/conf.d/app.conf
COPY infra/prod/nginx.conf /etc/nginx/sites-enabled/lesstime.conf
COPY infra/prod/maintenance.html /var/www/html/public/maintenance.html

# Backend from stage 1
COPY --from=backend-build /app /var/www/html

# Frontend from stage 2
COPY --from=frontend-build /app/frontend/.output/public /var/www/html/frontend/.output/public

# Symfony needs a .env file to boot (variables are overridden by env_file in docker-compose)
RUN echo "APP_ENV=prod" > /var/www/html/.env

# Permissions
RUN mkdir -p /var/www/html/var /var/www/html/var/log /var/www/html/var/uploads /var/www/html/var/mcp-sessions \
    && chown -R www-data:www-data /var/www/html/var

WORKDIR /var/www/html
EXPOSE 80

CMD ["supervisord", "-n", "-c", "/etc/supervisor/conf.d/app.conf"]