# ── Stage 1: Builder ──────────────────────────────────────────────────────────
#
# Uses the official Rust image on Debian Bookworm.
# capnproto is installed here because build.rs invokes `capnp` at compile time.
FROM rust:bookworm AS builder

RUN apt-get update \
    && apt-get install -y --no-install-recommends capnproto \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /build

# Copy manifests first so dependency layers are cached independently of source.
COPY Cargo.toml Cargo.lock ./
COPY crates/quicproquo-core/Cargo.toml       crates/quicproquo-core/Cargo.toml
COPY crates/quicproquo-proto/Cargo.toml      crates/quicproquo-proto/Cargo.toml
COPY crates/quicproquo-server/Cargo.toml     crates/quicproquo-server/Cargo.toml
COPY crates/quicproquo-client/Cargo.toml     crates/quicproquo-client/Cargo.toml
COPY crates/quicproquo-p2p/Cargo.toml        crates/quicproquo-p2p/Cargo.toml
COPY crates/quicproquo-kt/Cargo.toml         crates/quicproquo-kt/Cargo.toml
COPY crates/quicproquo-plugin-api/Cargo.toml crates/quicproquo-plugin-api/Cargo.toml
COPY crates/quicproquo-rpc/Cargo.toml        crates/quicproquo-rpc/Cargo.toml
COPY crates/quicproquo-sdk/Cargo.toml        crates/quicproquo-sdk/Cargo.toml

# Create dummy source files so `cargo build` can resolve the dependency graph
# and cache the compiled dependencies before copying real source.
RUN mkdir -p \
        crates/quicproquo-core/src \
        crates/quicproquo-proto/src \
        crates/quicproquo-server/src \
        crates/quicproquo-client/src \
        crates/quicproquo-p2p/src \
        crates/quicproquo-kt/src \
        crates/quicproquo-plugin-api/src \
        crates/quicproquo-rpc/src \
        crates/quicproquo-sdk/src \
    && echo 'fn main() {}' > crates/quicproquo-server/src/main.rs \
    && echo 'fn main() {}' > crates/quicproquo-client/src/main.rs \
    && touch crates/quicproquo-core/src/lib.rs \
    && touch crates/quicproquo-proto/src/lib.rs \
    && touch crates/quicproquo-p2p/src/lib.rs \
    && touch crates/quicproquo-kt/src/lib.rs \
    && touch crates/quicproquo-plugin-api/src/lib.rs \
    && touch crates/quicproquo-rpc/src/lib.rs \
    && touch crates/quicproquo-sdk/src/lib.rs

# Schemas must exist before the proto crate's build.rs runs.
COPY schemas/ schemas/

# Build dependencies only (source stubs mean this layer is cache-friendly).
RUN cargo build --release --bin qpq-server 2>/dev/null || true

# Copy real source and build for real.
COPY crates/ crates/

# Touch source to force re-compilation after copying real crates.
RUN touch \
        crates/quicproquo-core/src/lib.rs \
        crates/quicproquo-proto/src/lib.rs \
        crates/quicproquo-p2p/src/lib.rs \
        crates/quicproquo-kt/src/lib.rs \
        crates/quicproquo-plugin-api/src/lib.rs \
        crates/quicproquo-rpc/src/lib.rs \
        crates/quicproquo-sdk/src/lib.rs \
        crates/quicproquo-server/src/main.rs \
        crates/quicproquo-client/src/main.rs

RUN cargo build --release --bin qpq-server

# ── Stage 2: Runtime ──────────────────────────────────────────────────────────
#
# Minimal Debian Bookworm image — no Rust toolchain, no capnp compiler.
FROM debian:bookworm-slim AS runtime

# ca-certificates is included so future HTTPS calls (e.g. from M6 key sync)
# work without further changes to this stage.
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*

COPY --from=builder /build/target/release/qpq-server /usr/local/bin/qpq-server

# Create a dedicated non-root user with a writable data directory.
RUN groupadd --system qpq \
    && useradd --system --gid qpq --no-create-home --shell /usr/sbin/nologin qpq \
    && mkdir -p /var/lib/quicproquo \
    && chown qpq:qpq /var/lib/quicproquo

EXPOSE 7000

# Persistent data volume: TLS certs, SQLCipher DB, delivery queues, KT log.
# Mount a named volume or host path here for data persistence across restarts:
#   docker run -v qpq-data:/var/lib/quicproquo ...
VOLUME ["/var/lib/quicproquo"]

ENV RUST_LOG=info \
    QPQ_LISTEN=0.0.0.0:7000 \
    QPQ_DATA_DIR=/var/lib/quicproquo \
    QPQ_TLS_CERT=/var/lib/quicproquo/server-cert.der \
    QPQ_TLS_KEY=/var/lib/quicproquo/server-key.der \
    QPQ_PRODUCTION=true

HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD test -f /var/lib/quicproquo/server-cert.der || exit 1

USER qpq

CMD ["qpq-server"]
