# The base image registry path and tag are build arguments, so a build can substitute either one.
# NOTE(review): the default tag is mutable and tracks PHP 7.4, whose upstream security support
# ended in November 2022. Confirm this private base image still receives patches, and consider
# pinning it by digest so a re-pushed tag cannot silently change the build.
ARG BASE_IMAGE=registry.gitlab.com/claromentis/infrastructure/docker/php
ARG BASE_TAG=7.4-fpm-alpine
FROM ${BASE_IMAGE}:${BASE_TAG}
# Build-time default for CLARO_ENV; an ENV instruction further down copies it into the runtime environment.
ARG CLARO_ENV=PRODUCTION

# Switch to the root user for system operations (package installs, setcap, chown).
# Privileges are dropped again with USER claromentis before CMD.
USER root

# Nginx serves HTTP for the product; logrotate keeps log files from exhausting disk space (FRAM-1021).
# libcap is only needed for setcap, so it is removed again inside the same layer.
# The file capability lets Nginx bind a privileged port while running as a non-privileged user.
# NOTE(review): file capabilities are not granted when the container runs with no-new-privileges
# or with NET_BIND_SERVICE dropped, so Nginx may fail to bind port 80 under hardened runtime
# settings. Confirm against the deployment's security context.
RUN apk add --no-cache \
        libcap \
        logrotate \
        nginx \
    && setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/nginx \
    && apk del libcap \
    && mkdir -p \
        /run/nginx \
        /usr/local/etc/nginx/conf.d \
        /usr/local/etc/nginx/http.d
# Both files are copied without --chown, so they stay root-owned.
COPY docker/nginx/nginx.conf /etc/nginx/nginx.conf
COPY docker/nginx/http.d/default.conf /etc/nginx/http.d/default.conf

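# Install wkhtmltopdf 0.12.6 with qt patches
# https://github.com/Surnet/docker-wkhtmltopdf
# NOTE(review): the binary comes from a third-party image referenced by a mutable tag. Pinning
# the reference by digest (tag@sha256:<digest>) keeps a republished tag from changing the binary.
# NOTE(review): wkhtmltopdf is no longer maintained upstream; if it renders user-supplied HTML,
# restrict what it can reach over the network and on the local filesystem.
COPY --from=surnet/alpine-wkhtmltopdf:3.21.2-0.12.6-small \
    /bin/wkhtmltopdf /usr/bin/wkhtmltopdf
# wkhtmltopdf needs libssl to make HTTPS requests and fonts to render with.
# Claromentis expects the binary at the locally-compiled path, so link the distribution-managed
# path there unless a file already exists at that location.
# --update is omitted because --no-cache already fetches a fresh package index.
RUN apk add --no-cache \
        libssl3 \
        ttf-dejavu \
        ttf-droid \
        ttf-freefont \
        ttf-liberation \
    && if [ ! -f /usr/local/bin/wkhtmltopdf ]; then \
        ln -s /usr/bin/wkhtmltopdf /usr/local/bin/wkhtmltopdf; \
    fi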

# PHP: place the product's ini overrides in the conf.d directory under PHP_INI_DIR
# (PHP_INI_DIR is presumably provided by the base image - confirm)
COPY docker/php.claromentis.ini ${PHP_INI_DIR}/conf.d/php.claromentis.ini

# logrotate: the configuration lives in the claromentis home directory and is owned by that user
COPY --chown=claromentis:claromentis docker/logrotate /home/claromentis/logrotate

# ImageMagick: replace the ImageMagick 7 policy file with the project's own.
# policy.xml is where ImageMagick resource limits and coder restrictions are configured, so
# changes to docker/policy.xml deserve review. Copied without --chown, so it stays root-owned.
COPY docker/policy.xml /etc/ImageMagick-7/policy.xml

# Set default environment variables
# CLARO_ROOT gets its own ENV instruction because the values below reference it: variables
# defined inside a single ENV instruction are not visible to each other.
ENV CLARO_ROOT=/var/www/claromentis
# CLARO_ENV takes its value from the build argument of the same name (default PRODUCTION).
# The service host names (mysql, doc-converter, elasticsearch) are defaults.
# NOTE(review): keep credentials out of ENV, because values set here are stored in the image metadata.
ENV CLARO_ENV=$CLARO_ENV \
    CLARO_SYSTEM_MODE=SAAS \
    CLARO_DATA_DIR=${CLARO_ROOT}/data \
    CLARO_LOCAL_DATA_DIR=${CLARO_ROOT}/local_data \
    CLARO_DB_HOST=mysql \
    CLARO_DOC_CONV_HOST=doc-converter \
    CLARO_ES_HOSTS=elasticsearch \
    CLARO_IMAGE_RESIZE_METHOD=IM

# Install the Claromentis codebase
# TODO: Drop all of the chown/chmod hacks below, sort out permissions properly
# NOTE(review): the whole build context is copied, so the image contents depend on .dockerignore
# (not visible here). Confirm it excludes VCS data, local environment files and credentials.
# NOTE(review): the code is owned by claromentis, the user the container later runs as, and the
# root and application directories are group-writable. A compromised PHP process could therefore
# modify the code it executes. This is part of what the TODO above should address.

COPY --chown=claromentis:www-data . ${CLARO_ROOT}/
# mkdir -p creates the data and local-data parents along with their subdirectories
RUN mkdir -p \
        ${CLARO_DATA_DIR}/db \
        ${CLARO_LOCAL_DATA_DIR}/i18n_cache \
        ${CLARO_LOCAL_DATA_DIR}/templater_cache \
        ${CLARO_LOCAL_DATA_DIR}/temp \
    # Claromentis: data directories recursively, the root and application directories themselves only
    && chown -R claromentis:www-data ${CLARO_DATA_DIR} ${CLARO_LOCAL_DATA_DIR} \
    && chmod -R g+rw ${CLARO_DATA_DIR} ${CLARO_LOCAL_DATA_DIR} \
    && chown claromentis:www-data ${CLARO_ROOT} \
    && chmod g+rw ${CLARO_ROOT} ${CLARO_ROOT}/application \
    # Nginx: state and log directories
    && chown -R nginx:www-data /var/lib/nginx /var/log/nginx \
    && chmod -R g+rw /var/lib/nginx /var/log/nginx \
    # Remove the root crontab
    && rm /etc/crontabs/root

# CMD is resolved relative to the application directory
WORKDIR ${CLARO_ROOT}/application

# Drop root: the container's processes run as the non-privileged claromentis user
USER claromentis

# HTTP is served on port 80 (EXPOSE is documentation only; publishing is decided at run time)
EXPOSE 80

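# Run Claromentis migrations, then start Nginx & PHP-FPM (nothing starts if the install step fails)
# TODO: Process management for merging Nginx/PHP-FPM syslogs to proc 1's STDOUT/STDERR, for Docker logs
# CLARO_ADMIN_PASSWORD is supplied when the container starts. It is quoted so that a password
# containing spaces or glob characters reaches clc as one argument.
# NOTE(review): the password is passed on the command line, where it is visible in the process
# list while clc runs. Prefer a stdin or file-based option if clc offers one.
# NOTE(review): shell form leaves /bin/sh as PID 1 with nginx and php-fpm as its children, so
# stop signals are not forwarded to them. The process-management TODO above should cover this.
CMD ./clc app:install --all -n -v --admin_password="$CLARO_ADMIN_PASSWORD" \
    && (nginx & php-fpm)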
