# =============================================================================
# @teh-riehl/client — Vite + React static build, served by nginx.
#
# Built from the REPO ROOT so the workspace deps resolve:
#
#   docker build -f packages/client/Dockerfile -t teh-riehl-client .
#
# Runtime config: the entrypoint script writes /usr/share/nginx/html/config.js
# from environment variables before nginx starts. The app reads that file at
# load time, so a SINGLE image can target any backend just by changing env.
# =============================================================================

# ---- Builder ----------------------------------------------------------------
FROM node:20-alpine AS builder
RUN corepack enable && corepack prepare pnpm@9.12.0 --activate

WORKDIR /repo

# Manifests first for layer caching.
COPY pnpm-workspace.yaml pnpm-lock.yaml package.json tsconfig.base.json ./
COPY packages/shared/package.json packages/shared/
COPY packages/content/package.json packages/content/
COPY packages/client/package.json packages/client/
COPY packages/server/package.json packages/server/

RUN pnpm install --frozen-lockfile

# Only the sources the client build needs.
COPY packages/shared packages/shared
COPY packages/content packages/content
COPY packages/client packages/client

RUN pnpm --filter @teh-riehl/client build

# ---- Runtime ----------------------------------------------------------------
FROM nginx:1.29-alpine AS runtime

# Pull the latest patched system packages BEFORE copying app content, so the
# layer cache for our content stays small and we only re-fetch upgrades when
# the base image moves. Knocks out the libcrypto/libpng/libxml/musl/nghttp2
# /zlib HIGH+CRITICAL vulns that ship in the unpatched base.
RUN apk update && apk upgrade --no-cache && rm -rf /var/cache/apk/*

# Static SPA + custom nginx config + the runtime-config entrypoint.
COPY --from=builder /repo/packages/client/dist /usr/share/nginx/html
COPY packages/client/docker/nginx.conf /etc/nginx/conf.d/default.conf
COPY packages/client/docker/40-app-config.sh /docker-entrypoint.d/40-app-config.sh

# nginx:alpine ships an entrypoint that runs scripts under /docker-entrypoint.d/
# before starting; mark ours executable so it actually fires.
RUN chmod +x /docker-entrypoint.d/40-app-config.sh

EXPOSE 80

# Inherit the upstream image's ENTRYPOINT + CMD. They run the *.sh scripts
# in /docker-entrypoint.d/ (including ours) and then exec nginx.
