# syntax=docker/dockerfile:1.7

FROM node:20-alpine AS web-builder

# Mirror the host repo layout inside /src so vite's relative
# `outDir: '../internal/server/web/dist'` resolves to a stable, explicit
# path (/src/internal/server/web/dist) — not to a path that "happens to
# land at the container root" because of WORKDIR.
WORKDIR /src
COPY web/package.json web/package-lock.json web/
RUN cd web && npm ci
COPY web/ web/
RUN cd web && npm run build

FROM golang:1.26-alpine AS builder

WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download

COPY . .
COPY --from=web-builder /src/internal/server/web/dist /src/internal/server/web/dist
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /out/lethe ./cmd/lethe

FROM gcr.io/distroless/static-debian12:nonroot

WORKDIR /app
COPY --from=builder /out/lethe /app/lethe

# Server binds 127.0.0.1 inside the container; expose only on the compose
# network. The reverse proxy on the host is the public surface.
EXPOSE 8080

ENTRYPOINT ["/app/lethe"]
CMD ["-config", "/config.yaml"]