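# SPDX-License-Identifier: GPL-3.0-or-later
# Copyright (C) 2025 Jesus E.
#
# This file is part of code-server-dind.
# This program is licensed under the GNU GPL version 3 or (at your option) any later version.
# See the LICENSE file or https://www.gnu.org/licenses/gpl-3.0.txt for more details.

# NOTE(review): the tag is mutable; pin by digest for reproducible builds.
FROM debian:bookworm-slim

# Without pipefail, `curl ... | <consumer>` reports only the consumer's exit
# status, so a failed or truncated download can go unnoticed.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Build-time architecture detection
ARG TARGETARCH
ENV ARCH=${TARGETARCH:-amd64}

ENV DEBIAN_FRONTEND=noninteractive
ENV KUBECTL_VERSION=1.33.0
ENV HELM_VERSION=3.18.4
ENV K9S_VERSION=0.50.8
ENV KUBECTL_DATE=2025-05-01
ENV TFLINT_VERSION=0.58.1

# User config
# PASSWORD / HASHED_PASSWORD are placeholders only. Supply real values at
# container start; anything set here is stored in the image metadata.
ENV DOCKER_USER=coder \
    UID=1000 \
    GID=1000 \
    PASSWORD=undefined \
    HASHED_PASSWORD=undefined

# Base packages + Trivy + Docker
# Trivy and Docker come from their apt repositories, so apt verifies package
# signatures against the keyrings installed below.
RUN set -eux; \
    apt-get update && \
    apt-get upgrade -y && \
    apt-get install --no-install-recommends -y \
      bash bash-completion ca-certificates curl dbus default-jre doas dos2unix dumb-init file \
      fuse3 gh git gnupg golang iproute2 iptables jq lsb-release lsof make nano net-tools nodejs npm \
      openssh-client passwd patch pipx python3 python3-pip python3-venv shellcheck siege \
      sudo tar tree uidmap unzip virtualenv wget xz-utils; \
    # Trivy
    curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor > /usr/share/keyrings/trivy.gpg && \
    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" > /etc/apt/sources.list.d/trivy.list && \
    apt-get update && apt-get install --no-install-recommends -y trivy; \
    # Docker
    install -m 0755 -d /etc/apt/keyrings && \
    curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc && \
    chmod a+r /etc/apt/keyrings/docker.asc && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable" > /etc/apt/sources.list.d/docker.list && \
    apt-get update && \
    apt-get install --no-install-recommends -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin; \
    apt-get clean && rm -rf /var/lib/apt/lists/*

# The downloads below use `curl -f` so that an HTTP error aborts the build
# instead of an error page being saved and installed as the artifact.

# AWS CLI (handle arch manually)
# NOTE(review): unpinned and unverified. AWS publishes a detached signature for
# this zip; checking it requires adding the AWS CLI public key to the build.
RUN set -e; \
    case "$ARCH" in \
      amd64) AWS_ARCH="x86_64" ;; \
      arm64) AWS_ARCH="aarch64" ;; \
      *) echo "Unsupported ARCH: $ARCH" && exit 1 ;; \
    esac && \
    curl -fsSL -o awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-${AWS_ARCH}.zip" && \
    unzip awscliv2.zip && ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update && \
    rm -rf awscliv2.zip aws/

# kubectl
# The .sha256 file comes from the same bucket as the binary: it catches a
# corrupt or truncated download, not a tampered origin. For that, pin the
# expected digest in this file.
RUN curl -fsSLO "https://s3.us-west-2.amazonaws.com/amazon-eks/${KUBECTL_VERSION}/${KUBECTL_DATE}/bin/linux/${ARCH}/kubectl" && \
    curl -fsSLO "https://s3.us-west-2.amazonaws.com/amazon-eks/${KUBECTL_VERSION}/${KUBECTL_DATE}/bin/linux/${ARCH}/kubectl.sha256" && \
    sha256sum --check kubectl.sha256 && \
    chmod +x kubectl && mv kubectl /usr/local/bin/ && rm kubectl.sha256

# eksctl
# NOTE(review): `latest` is unpinned, and the tarball and its checksum list are
# fetched in two separate requests; pin a release version for reproducibility.
RUN curl -fsSLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_Linux_${ARCH}.tar.gz" && \
    curl -fsSL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep "Linux_${ARCH}" | sha256sum --check && \
    tar -xzf eksctl_Linux_${ARCH}.tar.gz -C /tmp && \
    mv /tmp/eksctl /usr/local/bin && rm eksctl_Linux_${ARCH}.tar.gz

# Helm (checked against the .sha256sum file published next to the tarball)
RUN curl -fsSLO "https://get.helm.sh/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz" && \
    curl -fsSLO "https://get.helm.sh/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.sha256sum" && \
    sha256sum --check "helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.sha256sum" && \
    tar -xzf helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz && \
    mv linux-${ARCH}/helm /usr/local/bin/ && \
    rm -rf linux-${ARCH} helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz.sha256sum

# k9s
# NOTE(review): the .deb is installed as root without an integrity check;
# verify it against the checksums published with the release.
RUN curl -fsSLO "https://github.com/derailed/k9s/releases/download/v${K9S_VERSION}/k9s_linux_${ARCH}.deb" && \
    dpkg -i k9s_linux_${ARCH}.deb && rm k9s_linux_${ARCH}.deb

# TFlint (checked against the release's checksums.txt)
RUN curl -fsSLO "https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_${ARCH}.zip" && \
    curl -fsSL "https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt" | grep "tflint_linux_${ARCH}\.zip\$" | sha256sum --check && \
    unzip -q tflint_linux_${ARCH}.zip && \
    mv tflint /usr/local/bin/ && \
    rm tflint_linux_${ARCH}.zip

# code-server (auto-detects arch)
# NOTE(review): runs an unpinned remote script as root at build time, so every
# rebuild installs whatever that URL serves. Pin a version and verify the package.
RUN curl -fsSL https://code-server.dev/install.sh | sh

# Custom shell prompt
# NOTE(review): this script tracks the master branch and runs as root; pin it
# to a commit and review the script before trusting it in the image.
RUN curl -fLs https://git.fridu.us/heckyel/hyperterm/raw/branch/master/install.sh -o "$HOME/install.sh" && \
    bash "$HOME/install.sh" -s && rm "$HOME/install.sh"

# Pre-commit config
COPY .pre-commit-config.yaml /usr/local/share/default-pre-commit-config.yaml
COPY .setup-precommit.sh /usr/local/bin/setup-precommit
RUN chmod +x /usr/local/bin/setup-precommit

# Gitleaks (checked against the release's checksum list)
ENV GITLEAKS_VERSION="8.27.2"
RUN set -e; \
    case "$ARCH" in \
      amd64) GITLEAKS_ARCH="x64" ;; \
      arm64) GITLEAKS_ARCH="arm64" ;; \
      *) echo "Unsupported ARCH: $ARCH" && exit 1 ;; \
    esac && \
    GITLEAKS_URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}" && \
    GITLEAKS_TARBALL="gitleaks_${GITLEAKS_VERSION}_linux_${GITLEAKS_ARCH}.tar.gz" && \
    curl -fsSLO "${GITLEAKS_URL}/${GITLEAKS_TARBALL}" && \
    curl -fsSL "${GITLEAKS_URL}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" | grep "${GITLEAKS_TARBALL}\$" | sha256sum --check && \
    tar -xzf "${GITLEAKS_TARBALL}" gitleaks && \
    mv gitleaks /usr/local/bin/gitleaks && chmod +x /usr/local/bin/gitleaks && \
    rm "${GITLEAKS_TARBALL}"

# BFG
# NOTE(review): the jar is not integrity-checked; compare it with a digest
# pinned in this file before installing.
ENV BFG_VERSION=1.15.0
RUN curl -fsSL -o /usr/local/bin/bfg.jar "https://repo1.maven.org/maven2/com/madgag/bfg/${BFG_VERSION}/bfg-${BFG_VERSION}.jar" && \
    printf '#!/bin/sh\nexec java -jar /usr/local/bin/bfg.jar "$@"\n' > /usr/local/bin/bfg && \
    chmod +x /usr/local/bin/bfg

COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh

VOLUME ["/home/coder"]
EXPOSE 8080

# No USER is set, so the container starts as root.
# NOTE(review): entrypoint.sh is not shown here; confirm it creates DOCKER_USER
# and drops privileges before starting code-server.
ENTRYPOINT ["/usr/bin/dumb-init", "--"]
CMD ["/usr/local/bin/entrypoint.sh"]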