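# --- Stage 1: Build backend ---
# Builds the PHP extensions, installs the production Composer dependencies and
# generates an optimized autoloader. Everything under /app is copied into the
# production stage.
# NOTE(review): php:8.4-cli, composer:2, node:22-alpine and php:8.4-fpm are
# floating tags; pin them by digest if builds must be reproducible.
FROM php:8.4-cli AS backend-build

RUN apt-get update && apt-get install -y \
        curl \
        git \
        libicu-dev \
        libpng-dev \
        libpq-dev \
        libxml2-dev \
        libzip-dev \
        unzip \
    && docker-php-ext-install -j$(nproc) intl pdo_pgsql zip gd opcache \
    && rm -rf /var/lib/apt/lists/*

COPY --from=composer:2 /usr/bin/composer /usr/bin/composer

WORKDIR /app

# Manifests are copied before the sources so the dependency layer stays cached
# until composer.json / composer.lock change. --no-scripts: the application
# sources are not in the image yet at this point.
COPY composer.json composer.lock ./
RUN APP_ENV=prod APP_DEBUG=0 composer install --no-dev --no-scripts --no-interaction

# Only the directories the application needs are copied (no blanket "COPY . .").
COPY bin bin/
COPY config config/
COPY migrations migrations/
COPY public public/
COPY src src/
COPY templates templates/

RUN composer dump-autoload --optimize --no-dev

# --- Stage 2: Build frontend ---
FROM node:22-alpine AS frontend-build

WORKDIR /app/frontend

COPY frontend/package.json frontend/package-lock.json ./
RUN npm ci

COPY frontend/ ./

# Error tracking → GlitchTip (build-time). Empty by default => the Sentry module
# is inert and no source maps are uploaded. Supplied by the CI via --build-arg
# (Gitea secrets). Passed as an inline prefix on the RUN (not as ENV) so the
# token does not become part of any image's environment.
# Caveat: values passed with --build-arg are still recorded in this stage's
# build history (docker history) and can appear in exported cache or provenance
# metadata, so this stage must not be pushed or shared. The production stage
# only copies .output/public from here.
# NOTE(review): a BuildKit secret mount (RUN --mount=type=secret) would keep
# SENTRY_AUTH_TOKEN out of build metadata altogether; it requires the CI to
# pass --secret instead of --build-arg.
ARG NUXT_PUBLIC_SENTRY_DSN=""
ARG SENTRY_URL=""
ARG SENTRY_ORG=""
ARG SENTRY_PROJECT=""
ARG SENTRY_AUTH_TOKEN=""

ENV CI=1 \
    NUXT_TELEMETRY_DISABLED=1 \
    NUXT_PUBLIC_API_BASE=/api \
    NUXT_PUBLIC_APP_BASE=/

RUN NUXT_PUBLIC_SENTRY_DSN="$NUXT_PUBLIC_SENTRY_DSN" \
    SENTRY_URL="$SENTRY_URL" \
    SENTRY_ORG="$SENTRY_ORG" \
    SENTRY_PROJECT="$SENTRY_PROJECT" \
    SENTRY_AUTH_TOKEN="$SENTRY_AUTH_TOKEN" \
    npm run generate

# --- Stage 3: Production image ---
# Single container running nginx and php-fpm under supervisord.
FROM php:8.4-fpm AS production

# NOTE(review): the -dev packages ship headers into the runtime image; consider
# runtime-only libraries and --no-install-recommends to reduce what is installed.
RUN apt-get update && apt-get install -y \
        ca-certificates \
        libicu-dev \
        libpng-dev \
        libpq-dev \
        libxml2-dev \
        libzip-dev \
        nginx \
        supervisor \
    && docker-php-ext-install -j$(nproc) intl pdo_pgsql zip gd opcache \
    && rm -rf /var/lib/apt/lists/*

# Internal MALIO root CA (self-signed) — lets the Sentry SDK/HttpClient reach
# internal HTTPS services (e.g. GlitchTip on logs.malio-dev.fr).
# update-ca-certificates adds it to the system trust store, so every TLS client
# in this container that uses the system bundle will accept certificates issued
# under this CA.
COPY infra/prod/malio-dev-root-ca.crt /usr/local/share/ca-certificates/malio-dev-root-ca.crt
RUN update-ca-certificates

# PHP production config
RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"

# PHP-FPM: forward worker output to stderr for docker logs
RUN echo "catch_workers_output = yes" >> /usr/local/etc/php-fpm.d/www.conf \
    && echo "decorate_workers_output = no" >> /usr/local/etc/php-fpm.d/www.conf

# Nginx: log to stdout/stderr
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log

# Remove default nginx site
RUN rm -f /etc/nginx/sites-enabled/default

# Configs
COPY infra/prod/supervisord.conf /etc/supervisor/conf.d/app.conf
COPY infra/prod/nginx.conf /etc/nginx/sites-enabled/starseed.conf

# Backend from stage 1
COPY --from=backend-build /app /var/www/html

# Frontend from stage 2 (static output only; nothing else from that stage is kept)
COPY --from=frontend-build /app/frontend/.output/public /var/www/html/frontend/.output/public

# Maintenance page
COPY infra/prod/maintenance.html /var/www/html/public/maintenance.html

# Symfony needs a .env file to boot (variables are overridden by env_file in docker-compose)
RUN echo "APP_ENV=prod" > /var/www/html/.env

# Permissions: only var/ is handed to www-data; the copied application code
# keeps the ownership it got from COPY.
# NOTE(review): config/jwt is created here but not chowned — confirm how the JWT
# keys are provisioned and that the runtime user can read them.
RUN mkdir -p /var/www/html/var /var/www/html/var/log /var/www/html/config/jwt \
    && chown -R www-data:www-data /var/www/html/var

WORKDIR /var/www/html

EXPOSE 80

# No USER is set, so supervisord starts as root; which user nginx and the
# php-fpm workers run as is decided by infra/prod/supervisord.conf and the
# service configs, which are not visible in this file.
CMD ["supervisord", "-n", "-c", "/etc/supervisor/conf.d/app.conf"]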