# syntax=docker/dockerfile:1.7

FROM node:20-alpine AS web-builder

WORKDIR /web
COPY web/package.json web/package-lock.json ./
RUN npm ci
COPY web/ ./
RUN npm run build

FROM golang:1.25-alpine AS builder

WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download

COPY . .
COPY --from=web-builder /internal/server/web/dist /src/internal/server/web/dist
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /out/lethe ./cmd/lethe

FROM gcr.io/distroless/static-debian12:nonroot

WORKDIR /app
COPY --from=builder /out/lethe /app/lethe

# Server binds 127.0.0.1 inside the container; expose only on the compose
# network. The reverse proxy on the host is the public surface.
EXPOSE 8080

ENTRYPOINT ["/app/lethe"]
CMD ["-config", "/config.yaml"]