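# Simple Dockerfile for homelab use.
#
# Two stages: "builder" compiles the native C++ libraries and the cgo-enabled
# Go binaries; the final stage carries only the binaries, the shared objects,
# the configs and the runtime packages.
#
# Both base images are referenced by tag. Tags are mutable, so pin them by
# digest if the build has to be reproducible.

FROM golang:1.25-alpine AS builder

# Build toolchain: git for module fetches, gcc/g++/musl-dev for cgo,
# cmake + make for the native libraries.
RUN apk add --no-cache \
        cmake \
        g++ \
        gcc \
        git \
        make \
        musl-dev

WORKDIR /app

# Copy only the module manifests first so the dependency download layer stays
# cached until go.mod or go.sum changes.
COPY go.mod go.sum ./
RUN go mod download

# Copy the full source tree, including native/. Everything in the build context
# lands in this stage, so keep .git, local .env files and key material out of
# the context with a .dockerignore.
COPY . .

# Build the native C++ libraries. Any native/build directory copied in from the
# host is removed first so stale host-built objects never reach the image.
# -S/-B replace the former `cd` chain; `cmake --build` runs the default target.
RUN rm -rf native/build && \
    cmake -S native -B native/build -DCMAKE_BUILD_TYPE=Release && \
    cmake --build native/build --parallel "$(nproc)"

# Build the Go binaries with the native libraries enabled via build tag.
RUN CGO_ENABLED=1 go build -tags native_libs -o bin/api-server cmd/api-server/main.go && \
    CGO_ENABLED=1 go build -tags native_libs -o bin/worker ./cmd/worker

# Final stage
FROM alpine:3.19 AS runtime

# Runtime dependencies, including the C++ standard library needed by the
# native shared objects.
RUN apk add --no-cache \
        bash \
        ca-certificates \
        curl \
        fuse-overlayfs \
        iptables \
        libstdc++ \
        openssl \
        podman \
        redis \
        slirp4netns

# Unprivileged account with a fixed numeric UID/GID so orchestrators can verify
# that the container does not run as root.
RUN addgroup -g 1001 -S appgroup && \
    adduser -u 1001 -S appuser -G appgroup

WORKDIR /app

# Binaries and native libraries from the builder stage. COPY creates
# /usr/local/lib if it is missing.
COPY --from=builder /app/bin/ /usr/local/bin/
COPY --from=builder /app/native/build/lib*.so /usr/local/lib/

# Create the versioned symlinks (libX.so.0 -> libX.so) expected by the
# binaries. The link target is relative, so it stays valid inside the
# directory. Failures are deliberately ignored (best effort).
RUN for lib in /usr/local/lib/*.so; do \
        [ -e "$lib" ] || continue; \
        ln -sf "${lib##*/}" "${lib}.0" 2>/dev/null || true; \
    done

# Refresh the library cache (best effort) and set the library search path.
# The path is spelled out in full: the base image does not define
# LD_LIBRARY_PATH, so appending "$LD_LIBRARY_PATH" left a trailing ':' and
# therefore an empty path element, which some dynamic loaders (glibc) treat as
# the current working directory.
RUN ldconfig /usr/local/lib 2>/dev/null || true
ENV LD_LIBRARY_PATH=/usr/local/lib:/usr/lib

# Configs and templates
COPY --from=builder /app/configs/ /app/configs/

# Create the data/log/TLS directories, generate a self-signed certificate and
# hand ownership to the app user, all in one layer so the chown does not
# duplicate the files into a second layer.
#
# NOTE: the private key is generated at build time. It is therefore stored in
# an image layer, is identical in every container started from this image, and
# is readable by anyone who can pull the image. The certificate also expires
# 365 days after the image was built. Treat both as placeholders and mount real
# key material over /app/ssl for anything that leaves the homelab.
#
# NOTE(review): the app user also becomes owner of /app/configs, i.e. it can
# rewrite its own configuration - confirm the application needs write access.
RUN mkdir -p /app/data/experiments /app/data/datasets /app/data/snapshots /app/logs /app/ssl && \
    openssl req -x509 -newkey rsa:2048 -keyout /app/ssl/key.pem -out /app/ssl/cert.pem -days 365 -nodes \
        -subj "/C=US/ST=Homelab/L=Local/O=ML/OU=Experiments/CN=localhost" && \
    chmod 644 /app/ssl/cert.pem && \
    chmod 600 /app/ssl/key.pem && \
    chown -R appuser:appgroup /app/data /app/logs /app/ssl /app/configs

# Drop root for everything that runs in the container.
USER appuser

# Documentation only; the port still has to be published at run time.
EXPOSE 9101

# Health check: plain HTTP first, then HTTPS. -k skips certificate
# verification, which is tolerable only because the probe targets the
# container's own loopback listener.
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
    CMD curl -f http://localhost:9101/health || curl -k -f https://localhost:9101/health || exit 1

# Default command (exec form, so the server is PID 1 and receives SIGTERM).
CMD ["/usr/local/bin/api-server", "-config", "/app/configs/api/dev.yaml"]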