# EN: Multi-stage Docker build for production-ready microservice
# VI: Multi-stage Docker build cho microservice production-ready

# EN: Base stage with security updates
# VI: Base stage với security updates
FROM node:25-alpine AS base

# EN: Install security updates and required packages
# VI: Cài đặt security updates và packages cần thiết
RUN apk update && apk upgrade && \
    apk add --no-cache \
    libc6-compat \
    dumb-init \
    su-exec \
    && rm -rf /var/cache/apk/*

# EN: Create app directory with correct permissions
# VI: Tạo app directory với permissions đúng
WORKDIR /app
RUN chown node:node /app
USER node

# EN: Dependencies stage - separate for better caching
# VI: Dependencies stage - tách riêng để cache tốt hơn
FROM base AS deps
USER root
RUN chown node:node /app
USER node

# EN: Enable corepack for pnpm
# VI: Enable corepack cho pnpm
RUN corepack enable pnpm

# EN: Copy package files
# VI: Copy package files
COPY --chown=node:node package.json pnpm-lock.yaml* ./

# EN: Install dependencies only (no dev dependencies for smaller image)
# VI: Install dependencies only (không có dev dependencies để image nhỏ hơn)
RUN pnpm install --frozen-lockfile --prod=false && pnpm store prune

# EN: Builder stage - compile TypeScript and generate Prisma client
# VI: Builder stage - compile TypeScript và generate Prisma client
FROM base AS builder
USER root
RUN chown node:node /app
USER node

# EN: Enable corepack
# VI: Enable corepack
RUN corepack enable pnpm

# EN: Copy dependencies from deps stage
# VI: Copy dependencies từ deps stage
COPY --from=deps --chown=node:node /app/node_modules ./node_modules

# EN: Copy source code
# VI: Copy source code
COPY --chown=node:node . .

# EN: Build application
# VI: Build application
RUN pnpm prisma generate && \
    pnpm build && \
    pnpm prune --prod

# EN: Production stage - minimal runtime image
# VI: Production stage - minimal runtime image
FROM base AS runner

# EN: Install runtime dependencies only
# VI: Install runtime dependencies only
USER root
RUN apk add --no-cache \
    curl \
    && rm -rf /var/cache/apk/*

# EN: Create non-root user for security
# VI: Tạo non-root user cho security
RUN addgroup -g 1001 -S nodejs && \
    adduser -S microservice -u 1001

# EN: Create necessary directories with correct permissions
# VI: Tạo necessary directories với permissions đúng
RUN mkdir -p /app/dist /app/node_modules /app/prisma && \
    chown -R microservice:nodejs /app

# EN: Switch to non-root user
# VI: Switch sang non-root user
USER microservice

# EN: Copy built application from builder stage
# VI: Copy built application từ builder stage
COPY --from=builder --chown=microservice:nodejs /app/dist ./dist
COPY --from=builder --chown=microservice:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=microservice:nodejs /app/package.json ./
COPY --from=builder --chown=microservice:nodejs /app/prisma ./prisma

# EN: Add health check
# VI: Thêm health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:5000/health/live || exit 1

# EN: Expose port
# VI: Expose port
EXPOSE 5000

# EN: Use dumb-init to handle signals properly
# VI: Sử dụng dumb-init để handle signals properly
ENTRYPOINT ["dumb-init", "--"]

# EN: Start application
# VI: Start application
CMD ["node", "dist/main.js"]