# syntax=docker/dockerfile:1

# ── DEPS ───────────────────────────────────────────────────────────────────────
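FROM oven/bun:1-alpine AS deps
WORKDIR /app

# libc6-compat: glibc shim for prebuilt native modules that ship no musl build.
# `apk add --no-cache` already fetches a fresh index, so a separate `apk update`
# is redundant and would only leave index files behind in this layer.
RUN apk add --no-cache libc6-compat

# Manifests only, so the install layer stays cached until they change.
# NOTE(review): `.npmrc*` is COPY'd into the image. If the repo-level .npmrc
# ever carries registry credentials (`_authToken`, `//…:_password`), they land
# in this stage's layer and in the build cache. Keep that file free of secrets
# and supply auth through a BuildKit secret mount on the install step instead.
COPY package.json bun.lock* bun.lockb* .npmrc* ./

# --frozen-lockfile: fail instead of silently resolving new versions.
# The cache mount lives on the build host and never becomes part of the image.
RUN --mount=type=cache,id=bun,target=/root/.bun/install/cache \
  bun install --frozen-lockfile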

# ── BUILDER ────────────────────────────────────────────────────────────────────
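# NOTE(review): node 25 is an odd-numbered "Current" line and will never be LTS;
# for a production build prefer the active LTS major and pin by digest
# (`node:<ver>-alpine@sha256:…`) so builder and runner resolve to the same base.
FROM node:25-alpine AS builder
WORKDIR /app

# `apk add --no-cache` fetches a fresh index itself; no `apk update` needed.
RUN apk add --no-cache libc6-compat

# CI=true: the usual non-interactive switch honoured by npm and Next.js.
# NEXT_TELEMETRY_DISABLED: keep the build from sending telemetry off-host.
# ENV_PATH: where the app's env loader looks — matched by the secret mount below.
ENV CI=true \
  NEXT_TELEMETRY_DISABLED=1 \
  ENV_PATH=/app/.env

COPY --from=deps /app/node_modules ./node_modules

# NOTE(review): `COPY . .` ships the entire build context into this stage.
# A `.dockerignore` excluding at least `.git`, `node_modules`, `.next`, `.env*`
# and any local cert/key files is required; otherwise a developer's own .env is
# baked into the builder layer even though the secret mount shadows it below.
COPY . .

# Build-time secrets are mounted, never COPY'd: they exist only for the
# duration of this RUN and leave nothing in any layer or in `docker history`.
# NOTE(review): anything the build reads from /app/.env and exposes through
# `NEXT_PUBLIC_*` (or next.config `env`) is inlined into the client bundle that
# the runner stage ships — audit which keys the build-time .env contains.
RUN --mount=type=secret,id=env,dst=/app/.env \
  --mount=type=secret,id=db_ca,dst=/certs/ca.crt \
  --mount=type=secret,id=db_client_key,dst=/certs/pg-client.key \
  --mount=type=secret,id=db_client_crt,dst=/certs/pg-client.crt \
  --mount=type=secret,id=valkey_client_key,dst=/certs/valkey-client.key \
  --mount=type=secret,id=valkey_client_crt,dst=/certs/valkey-client.crt \
  --mount=type=cache,id=nextjs-cache,target=/app/.next/cache \
  npm run ci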

# ── RUNNER ─────────────────────────────────────────────────────────────────────
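# NOTE(review): same base line as the builder on purpose (ABI match for any
# native modules); pin both by the same digest when promoting to production.
FROM node:25-alpine AS runner
WORKDIR /app

# Runtime-only configuration. ENV_PATH names the file the app loads its
# settings from; nothing in this Dockerfile places a file there, so it must be
# provided at run time (e.g. a mounted secret readable by uid 1001) — never
# COPY a .env into this stage.
ENV NODE_ENV=production \
  NEXT_TELEMETRY_DISABLED=1 \
  ENV_PATH=/app/.env

# Dedicated unprivileged user with fixed numeric ids so an orchestrator's
# runAsNonRoot / runAsUser / runAsGroup checks can verify them.
# `--ingroup nodejs` makes nodejs (gid 1001) the user's primary group, matching
# the --chown below; without it busybox adduser creates a separate `nextjs`
# group and the process does not run with gid 1001.
RUN addgroup --system --gid 1001 nodejs \
  && adduser --system --uid 1001 --ingroup nodejs nextjs

# Only the standalone server output, static assets and public files are
# shipped: no sources, no devDependencies, no build-time certs or .env.
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
COPY --from=builder --chown=nextjs:nodejs /app/public ./public

USER nextjs

# NOTE(review): no EXPOSE or HEALTHCHECK is declared. Once the listening port
# is confirmed (PORT env / server.js default), add `EXPOSE <port>` for tooling
# and a cheap HEALTHCHECK against the app's own health endpoint.
# Exec form: node is PID 1 and receives SIGTERM directly; if the server does
# not handle signals itself, run with `--init` (or tini) so stop is graceful.
CMD ["node", "server.js"]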