Dockerfile.server

ARG API_ENDPOINT_SERVER=https://rosta.fsektionen.se
ARG API_ENDPOINT_TRUSTAUTH=https://rosta.trustauth.fsektionen.se
ARG API_ENDPOINT_SERVER_TO_TRUSTAUTH=https://rustsystem-trustauth:2444
ARG DEV=false

# NOTE: SALT_HEX is different from the value in .env. This value is not secret, only used to maintain uniqueness. It's purposefully different from the development value in order to maintain uniqueness in production.
ARG SALT_HEX=fa592f8bf54e9e6710f9e63699651c9d
ARG KEYGEN_ITERATIONS=200000

FROM node:24-bullseye AS frontend-builder
RUN npm install -g pnpm
WORKDIR /app/frontend
COPY frontend/package.json frontend/pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile
COPY frontend/ .
ARG API_ENDPOINT_SERVER
ARG API_ENDPOINT_TRUSTAUTH
ARG DEV
ARG SALT_HEX
ARG KEYGEN_ITERATIONS
RUN --mount=type=bind,source=.git,target=/app/frontend/.git pnpm run build
RUN ls

FROM rust:1.91-bullseye AS backend-builder
WORKDIR /app
COPY Cargo.server.toml ./Cargo.toml
COPY Cargo.lock ./
COPY rustsystem-server/ ./rustsystem-server/
COPY rustsystem-core/ ./rustsystem-core/
ARG API_ENDPOINT_SERVER
ARG API_ENDPOINT_SERVER_TO_TRUSTAUTH
ARG SALT_HEX
ARG KEYGEN_ITERATIONS
# Now overwrite stubs with real certs and recompile only the crates that embed them.
COPY mtls-prod/ca/ ./mtls/ca/
COPY mtls-prod/server/ ./mtls/server/
RUN touch rustsystem-server/src/main.rs rustsystem-server/src/lib.rs
RUN cargo build --release --bin rustsystem-server

FROM debian:bullseye-slim AS runtime
RUN apt-get update && apt-get install -y \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Copy the built backend binary
COPY --from=backend-builder /app/target/release/rustsystem-server ./rustsystem-server

# Copy the built frontend
COPY --from=frontend-builder /app/frontend/dist ./frontend/dist


# Create a non-root user
RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app
USER appuser

EXPOSE 1443
EXPOSE 1444

CMD ["./rustsystem-server"]