# Global ARGs shared by all stages
ARG DEBIAN_FRONTEND=noninteractive
ARG GOPATH=/usr/local/go

### first stage - builder ###
FROM debian:trixie-slim AS builder

ARG DEBIAN_FRONTEND
ARG GOPATH
ENV GOPATH=${GOPATH}

# install debos build and unit-test dependencies
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        gcc \
        git \
        golang-go \
        libc6-dev \
        libostree-dev \
        unzip && \
    rm -rf /var/lib/apt/lists/*

# Optionally add host CA certificates for environments with MITM proxies
# Usage: DOCKER_BUILDKIT=1 docker build --secret id=cacert,src=/etc/ssl/certs/ca-certificates.crt ...
RUN --mount=type=secret,id=cacert,target=/tmp/host-ca-certificates.crt \
    if [ -f /tmp/host-ca-certificates.crt ]; then \
        cp /tmp/host-ca-certificates.crt /usr/local/share/ca-certificates/host-ca-certificates.crt && \
        update-ca-certificates; \
    fi

# Build debos
ARG DEBOS_VER
COPY . $GOPATH/src/github.com/go-debos/debos
WORKDIR $GOPATH/src/github.com/go-debos/debos/cmd/debos
RUN go install -ldflags="-X main.Version=${DEBOS_VER}" ./...

# Install the latest archlinux-keyring, since the one in Debian is bound
# to get outdated sooner or later.
# WARNING: returning to the debian package will break the pacstrap action
COPY docker/get-archlinux-keyring.sh /
RUN /get-archlinux-keyring.sh /arch-keyring

### second stage - runner ###
FROM debian:trixie-slim AS runner-amd64
RUN apt-get update && \
    apt-get install -y --no-install-recommends initramfs-tools && \
    rm -rf /var/lib/apt/lists/*
RUN rm /etc/kernel/postinst.d/*
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        linux-image-amd64 \
        qemu-system-x86 && \
    rm -rf /var/lib/apt/lists/*

FROM debian:trixie-slim AS runner-arm64
RUN apt-get update && \
    apt-get install -y --no-install-recommends initramfs-tools && \
    rm -rf /var/lib/apt/lists/*
RUN rm /etc/kernel/postinst.d/*
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        linux-image-arm64 \
        qemu-system-arm \
        # fixes: qemu-system-aarch64: failed to find romfile "efi-virtio.rom"
        ipxe-qemu && \
    rm -rf /var/lib/apt/lists/*

FROM runner-${TARGETARCH} AS runner

ARG DEBIAN_FRONTEND
ARG GOPATH

# Set HOME to a writable directory in case something wants to cache things
ENV HOME=/tmp

LABEL org.label-schema.name="debos"
LABEL org.label-schema.description="Debian OS builder"
LABEL org.label-schema.vcs-url="https://github.com/go-debos/debos"
LABEL org.label-schema.docker.cmd='docker run \
  --rm \
  --interactive \
  --tty \
  --device /dev/kvm \
  --user $(id -u) \
  --workdir /recipes \
  --mount "type=bind,source=$(pwd),destination=/recipes" \
  --security-opt label=disable'

# debos runtime dependencies
# ca-certificates is required to validate HTTPS certificates when getting debootstrap release file
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        apt-transport-https \
        binfmt-support \
        bmap-tools \
        btrfs-progs \
        busybox \
        bzip2 \
        ca-certificates \
        debian-ports-archive-keyring \
        debootstrap \
        mmdebstrap \
        dosfstools \
        e2fsprogs \
        equivs \
        fdisk \
        f2fs-tools \
        git \
        gzip \
        pigz \
        libostree-1-1 \
        openssh-client \
        parted \
        pkg-config \
        qemu-user-static \
        qemu-utils \
        rsync \
        systemd \
        systemd-container \
        systemd-resolved \
        u-boot-tools \
        unzip \
        xfsprogs \
        xz-utils \
        zip \
        zstd \
        makepkg \
        pacman-package-manager \
        arch-install-scripts \
        arch-test && \
    rm -rf /var/lib/apt/lists/*

COPY --from=builder $GOPATH/bin/debos /usr/local/bin/debos

# Install the latest archlinux-keyring, since the one in Debian is bound
# to get outdated sooner or later.
# WARNING: returning to the debian package will break the pacstrap action
COPY --from=builder /arch-keyring /usr/share/keyrings

ENTRYPOINT ["/usr/local/bin/debos"]
