ARG GOLANG_IMAGE=golang:1.22-alpine3.19
ARG FFMPEG_IMAGE=datarhei/base:alpine-ffmpeg-latest

FROM --platform=$BUILDPLATFORM $GOLANG_IMAGE AS builder

RUN apk add git make

# Cache go module downloads separately from source code.
# This layer only rebuilds when go.mod/go.sum/vendor change.
WORKDIR /dist/core
COPY go.mod go.sum ./
COPY vendor/ ./vendor/

# Now copy source and build. This layer rebuilds on any .go file change.
# Do NOT include local configuration or secret files in the build context.
# Ensure your .dockerignore excludes config files (e.g. config.json, v1.json, .env).
COPY . .
# If you need build-time secrets, use BuildKit secrets and `RUN --mount=type=secret,...`.
RUN make release && make import && make ffmigrate

FROM $FFMPEG_IMAGE

COPY --from=builder /dist/core/core /core/bin/core
COPY --from=builder /dist/core/import /core/bin/import
COPY --from=builder /dist/core/ffmigrate /core/bin/ffmigrate
COPY --from=builder /dist/core/mime.types /core/mime.types
COPY --from=builder /dist/core/run.sh /core/bin/run.sh

RUN chmod +x /core/bin/run.sh && mkdir -p /core/config /core/data

ENV CORE_CONFIGFILE=/core/config/config.json
ENV CORE_STORAGE_DISK_DIR=/core/data
ENV CORE_DB_DIR=/core/config
ENV CORE_WHIP_ENABLE=true
ENV CORE_WHIP_ADDRESS=:8555
ENV CORE_WHIP_RTSP_ADDRESS=:8554
# Security note: do not hardcode sensitive configuration or secrets in the image.
# Set runtime flags and secrets when launching the container instead, for example:
#   docker run -e CORE_API_AUTH_ENABLE=false ...
# The following env is intentionally left unset in the image to avoid baking config:
# ENV CORE_API_AUTH_ENABLE=false
ENV CORE_RTMP_ENABLE=true
ENV CORE_SRT_ENABLE=true
ENV CORE_PLAYOUT_ENABLE=true
ENV CORE_METRICS_ENABLE=true
ENV CORE_METRICS_ENABLE_PROMETHEUS=true

EXPOSE 8080/tcp
EXPOSE 8181/tcp
EXPOSE 1935/tcp
EXPOSE 1936/tcp
EXPOSE 6000/udp
EXPOSE 8555/tcp
EXPOSE 8554/tcp

VOLUME ["/core/data", "/core/config"]
ENTRYPOINT ["/core/bin/run.sh"]
WORKDIR /core