# Base-image tag used by both FROM lines, so the builder and the runtime stage
# start from the same nginx image tag.
# NOTE(review): "1.26" is a floating tag; pin a digest as well if the build
# has to be reproducible.
ARG NGINX_VERSION="1.26"
# Optional registry prefix. When set and non-empty, both FROM lines pull
# "<CACHING_REGISTRY>/docker-hub/library/nginx"; otherwise plain "nginx" is
# pulled. This value decides where the base image comes from, so it should be
# supplied only by trusted build configuration.
ARG CACHING_REGISTRY

# Builder stage: toolchain image used only to compile the DataDome modules.
# It starts from the same nginx image and tag as the runtime stage below.
FROM ${CACHING_REGISTRY:+$CACHING_REGISTRY/docker-hub/library/}nginx:${NGINX_VERSION} AS builder

# Build-time packages: compiler and make, PCRE/OpenSSL/zlib headers, plus
# download and signature tooling. The apt lists are removed in the same layer
# so they do not persist in this stage's filesystem.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
        ca-certificates \
        gcc \
        gnupg2 \
        libpcre3-dev \
        libssl-dev \
        make \
        wget \
        zlib1g-dev \
 && rm -rf /var/lib/apt/lists/*

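# Copy build script and module source
COPY .github/scripts/build.sh /build.sh
COPY config ngx_http_data_dome_*.c /NginxDome/

# Make the build script executable and run it by absolute path, so the step
# does not depend on the base image's working directory being /.
# NOTE(review): wget and gnupg2 are installed in this stage, presumably so that
# build.sh can download the nginx sources. Confirm that the script verifies a
# signature or checksum before compiling anything it has fetched.
RUN chmod +x /build.sh && \
    /build.sh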

# Runtime stage: a fresh nginx image without the build toolchain
FROM ${CACHING_REGISTRY:+$CACHING_REGISTRY/docker-hub/library/}nginx:${NGINX_VERSION}

# Dedicated system account with no login shell for nginx to run as
RUN groupadd --system nginx-datadome \
 && useradd --system \
        --gid nginx-datadome \
        --shell /sbin/nologin \
        --comment "Nginx DataDome user" \
        nginx-datadome

# Only the compiled .so files cross over from the builder stage
COPY --from=builder /etc/nginx/modules/*.so /etc/nginx/modules/

# Template that CMD renders into /etc/nginx/nginx.conf at container start
COPY .github/conf/nginx.conf.template /etc/nginx/nginx.conf.template

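# Give the runtime user only the paths nginx has to write:
#   - the cache and log directories,
#   - the pid file,
#   - the single config file that CMD overwrites with the envsubst output.
# The rest of /etc/nginx (the template, any included config, the modules
# entry) stays root-owned, so a compromised nginx process cannot replace the
# configuration or the modules that are loaded on the next start.
# nginx.conf is restricted to its owner because the rendered file is expected
# to contain DATADOME_SERVER_SIDE_KEY.
RUN chown -R nginx-datadome:nginx-datadome /var/cache/nginx /var/log/nginx && \
    touch /etc/nginx/nginx.conf /var/run/nginx.pid && \
    chown nginx-datadome:nginx-datadome /etc/nginx/nginx.conf /var/run/nginx.pid && \
    chmod 0600 /etc/nginx/nginx.conf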

# Switch to non-root user
# NOTE(review): the user is given by name. Orchestrators that verify non-root
# by numeric UID (e.g. Kubernetes runAsNonRoot) cannot check a name; consider
# creating the account with a fixed UID and using that number here.
USER nginx-datadome

# Default command (CMD, not ENTRYPOINT): render the config template with
# envsubst, then start nginx in the foreground.
# - envsubst gets an explicit variable list, so only these five DATADOME_*
#   placeholders are substituted and nginx's own $variables in the template
#   are left untouched.
# - An unset variable is substituted as an empty string and nothing here
#   rejects that, so a missing DATADOME_SERVER_SIDE_KEY does not stop startup
#   at this step.
# - `exec` replaces the shell with nginx, so nginx receives stop signals.
# - Assuming the template references it, the rendered /etc/nginx/nginx.conf
#   holds the server-side key in clear text; treat that file as a secret.
CMD ["/bin/sh", "-c", "envsubst '${DATADOME_ENDPOINT} ${DATADOME_SERVER_SIDE_KEY} ${DATADOME_NGINX_PROXY_PASS} ${DATADOME_TIMEOUT} ${DATADOME_ENABLE_REFERRER_RESTORATION}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"]
