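# syntax=docker/dockerfile:1
#
# Static site served by nginx, running entirely as the non-root `nginx` user.
# The content is a sparse git checkout taken at build time; refresh.sh
# (copied below, body not shown here) keeps it current at runtime with
# `git pull` (per the original author's note).
#
# nginx:alpine already ships the nginx user/group (typically 101:101),
# so no user is created here.

# Parameterised so the base can be pinned to an exact tag or digest
# (e.g. --build-arg NGINX_IMAGE=nginx:<version>-alpine@sha256:<digest>,
# placeholders) without editing this file; the floating default is not
# reproducible build to build.
ARG NGINX_IMAGE=nginx:alpine
FROM ${NGINX_IMAGE}

# git is needed at runtime by refresh.sh, so it must remain in the final image.
# With --no-cache apk fetches the index in memory and leaves nothing under
# /var/cache/apk, so an apk cache mount would be a no-op here and is omitted.
# The package is left unpinned; pin it (git=<version>, placeholder) once the
# exact alpine release of the base is fixed.
RUN apk add --no-cache git

WORKDIR /usr/share/nginx/html

# Content is frozen at clone time; refresh.sh pulls in a loop at runtime as
# the same user nginx runs under (see USER below), so there is no ownership
# mismatch between build and runtime.
ARG TALKS_REPO_URL=https://git.specificat.io/arnault/Talks.git
ARG TALKS_BRANCH=main
ARG TALKS_SPARSE_DIR=content

# Replace nginx's stock html with a blob-less, single-branch sparse clone:
# only the ${TALKS_SPARSE_DIR} cone is materialised on disk.
RUN find . -mindepth 1 -delete \
    && git clone --filter=blob:none --sparse --branch "${TALKS_BRANCH}" --single-branch "${TALKS_REPO_URL}" . \
    && git sparse-checkout init --cone \
    && git sparse-checkout set "${TALKS_SPARSE_DIR}"

COPY nginx/default.conf /etc/nginx/conf.d/default.conf
# Owner and mode are set at copy time: a later chown/chmod in a RUN step would
# duplicate the file into a further layer.
COPY --chown=nginx:nginx --chmod=755 refresh.sh /refresh.sh

# Non-root nginx master:
#  - the pid file is moved out of /run (root-only) to /tmp;
#  - the `user nginx;` directive is commented out so the master never tries
#    to setgid/setuid to 101 (not possible without capabilities in Kubernetes);
#  - temp dirs, logs and the checkout are owned by nginx, so no setuid/setgid
#    or capability is required at runtime.
# safe.directory is written to nginx's own ~/.gitconfig so `git pull` in
# refresh.sh is not refused for "dubious ownership".
RUN mkdir -p \
        /var/cache/nginx/client_temp \
        /var/cache/nginx/proxy_temp \
        /var/cache/nginx/fastcgi_temp \
        /var/cache/nginx/uwsgi_temp \
        /var/cache/nginx/scgi_temp \
        /var/log/nginx \
    && chown -R nginx:nginx \
        /var/cache/nginx \
        /var/log/nginx \
        /usr/share/nginx/html \
    && sed -i \
        -e 's|pid /run/nginx.pid;|pid /tmp/nginx.pid;|g' \
        -e 's|pid /run/nginx/nginx.pid;|pid /tmp/nginx.pid;|g' \
        -e 's/^[[:space:]]*user nginx;/# user nginx (master non-root)/' \
        /etc/nginx/nginx.conf \
    && mkdir -p /home/nginx \
    && chown nginx:nginx /home/nginx \
    && su -s /bin/sh nginx -c 'HOME=/home/nginx git config --global --add safe.directory /usr/share/nginx/html'

ENV HOME=/home/nginx
USER nginx

# Unprivileged port (the process is not root); the K8s Service usually maps 80 -> 8080.
EXPOSE 8080

# Exec form avoids an extra `/bin/sh -c` wrapper around the command. refresh.sh
# is started in the background, then `exec` replaces the shell with nginx so
# nginx is PID 1 and receives SIGTERM from `docker stop`; refresh.sh is
# reparented to nginx at that point.
CMD ["sh", "-c", "/refresh.sh & exec nginx -g 'daemon off;'"]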