FROM denoland/deno:debian-2.7.14 AS builder

WORKDIR /app

COPY package.json deno.json deno.lock ./
RUN deno install

COPY . .

# PUBLIC_API_BASE_URL is baked at build time via $env/static/public.
ARG PUBLIC_API_BASE_URL=https://api.marktvogt.de
ENV PUBLIC_API_BASE_URL=$PUBLIC_API_BASE_URL

ARG PUBLIC_TURNSTILE_SITE_KEY=1x00000000000000000000AA
ENV PUBLIC_TURNSTILE_SITE_KEY=$PUBLIC_TURNSTILE_SITE_KEY

RUN deno task build

# ─────────────────────────────────────────────
# Runtime — denoland/deno on debian-slim (glibc).
#
# Not alpine: Tailwind 4's @tailwindcss/oxide ships its native binding as an
# optional native dep (@tailwindcss/oxide-linux-x64-musl). Deno's npm shim
# refuses cross-package optional native requires under musl with the error
# "Cannot find native binding". The gnu variant resolves cleanly on glibc,
# so we use debian. `nobody` uid 65534 matches the podSecurityContext
# (group differs: nogroup on debian vs nobody on alpine — uid is what
# matters for fsGroup checks).
#
# serve.ts wraps the auto-generated .deno-deploy/server.ts so PORT / HOST
# env vars are honored (Deno.serve does not read them on its own; the
# generated server.ts hard-codes 0.0.0.0:8000).
FROM denoland/deno:debian-2.7.14

WORKDIR /app

COPY --from=builder /app/.deno-deploy ./.deno-deploy
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/package.json /app/deno.json /app/deno.lock /app/serve.ts ./

USER nobody:nogroup

ENV NODE_ENV=production PORT=3000 HOST=0.0.0.0

EXPOSE 3000

CMD ["deno", "run", "-A", "--cached-only", "--no-remote", "serve.ts"]
