# syntax=docker/dockerfile:1

# Multi-stage Dockerfile for Next.js 16 production build (Node 20)
# - Does NOT bake secrets via ARG/ENV
# - Skips env validation during build (SKIP_ENV_VALIDATION=1 in builder only)
# - Enforces required secrets at runtime via entrypoint.sh

############################
# Stage 1: Dependencies
############################
FROM node:20-alpine AS deps
WORKDIR /app

# Native deps (if you have any native modules)
RUN apk add --no-cache libc6-compat python3 make g++

# Copy lockfiles and Prisma schema (postinstall may need it)
COPY package.json package-lock.json* ./
COPY prisma ./prisma

RUN npm ci


############################
# Stage 2: Builder
############################
FROM node:20-alpine AS builder
WORKDIR /app

COPY --from=deps /app/node_modules ./node_modules
COPY . .

# Generate Prisma Client for build (if your build imports Prisma)
RUN npx prisma generate

ENV NEXT_TELEMETRY_DISABLED=1
ENV NODE_ENV=production

# IMPORTANT:
# Do not require secrets at build time; enforce at runtime instead.
ENV SKIP_ENV_VALIDATION=1

RUN npm run build


############################
# Stage 3: Runner
############################
FROM node:20-alpine AS runner
WORKDIR /app

ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1
ENV PORT=3000
ENV HOSTNAME="0.0.0.0"

# Non-root user
RUN addgroup --system --gid 1001 nodejs \
  && adduser  --system --uid 1001 nextjs

# Runtime files
COPY --from=builder /app/public ./public
COPY --from=builder /app/.next/standalone ./
COPY --from=builder /app/.next/static ./.next/static

# If you use Prisma at runtime, you need schema + engines
COPY --from=builder /app/prisma ./prisma
COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma
COPY --from=builder /app/node_modules/@prisma ./node_modules/@prisma

# Add runtime env check entrypoint (no secrets baked)
COPY docker/entrypoint.sh /app/entrypoint.sh
RUN chmod +x /app/entrypoint.sh \
  && chown -R nextjs:nodejs /app

USER nextjs

EXPOSE 3000

HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
  CMD node -e "require('http').get('http://127.0.0.1:3000/api/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))"

CMD ["/app/entrypoint.sh"]