# Multi-stage: build Vite app then serve with nginx (HF Space port 7860, UID 1000)
# Stage 1: Build
FROM node:20-alpine AS builder

WORKDIR /app

ARG VITE_HF_TOKEN
ARG VITE_TINYLLAMA_PROVIDER=auto
ARG VITE_TINYLLAMA_API_URL
ARG VITE_TINYLLAMA_VERCEL_URL
ARG VITE_FIREBASE_API_KEY
ARG VITE_FIREBASE_AUTH_DOMAIN
ARG VITE_FIREBASE_PROJECT_ID
ARG VITE_FIREBASE_STORAGE_BUCKET
ARG VITE_FIREBASE_MESSAGING_SENDER_ID
ARG VITE_FIREBASE_APP_ID
ENV VITE_HF_TOKEN=$VITE_HF_TOKEN \
    VITE_TINYLLAMA_PROVIDER=$VITE_TINYLLAMA_PROVIDER \
    VITE_TINYLLAMA_API_URL=$VITE_TINYLLAMA_API_URL \
    VITE_TINYLLAMA_VERCEL_URL=$VITE_TINYLLAMA_VERCEL_URL \
    VITE_FIREBASE_API_KEY=$VITE_FIREBASE_API_KEY \
    VITE_FIREBASE_AUTH_DOMAIN=$VITE_FIREBASE_AUTH_DOMAIN \
    VITE_FIREBASE_PROJECT_ID=$VITE_FIREBASE_PROJECT_ID \
    VITE_FIREBASE_STORAGE_BUCKET=$VITE_FIREBASE_STORAGE_BUCKET \
    VITE_FIREBASE_MESSAGING_SENDER_ID=$VITE_FIREBASE_MESSAGING_SENDER_ID \
    VITE_FIREBASE_APP_ID=$VITE_FIREBASE_APP_ID

COPY package.json package-lock.json ./
RUN npm ci

COPY . .
ENV NODE_ENV=production
RUN npm run build

# Stage 2: Serve (HF Spaces run as UID 1000)
FROM nginx:1.27-alpine

LABEL maintainer="text-transformer" \
      description="T3XT TR4N5F0RM3R – Vite app + nginx, HF inference proxy on /api/hf-inference, TinyLlama/Ollama support"

RUN adduser -D -u 1000 appuser

COPY --from=builder /app/dist /usr/share/nginx/html
COPY entrypoint.sh /entrypoint.sh

RUN echo 'server { \
    listen 7860; \
    location /api/hf-inference/ { \
        resolver 127.0.0.11 8.8.8.8 valid=30s; \
        set $hf_upstream https://router.huggingface.co; \
        rewrite ^/api/hf-inference/(.*)$ /$1 break; \
        proxy_pass $hf_upstream; \
        proxy_http_version 1.1; \
        proxy_set_header Host router.huggingface.co; \
        proxy_set_header Authorization "Bearer __VITE_HF_TOKEN__"; \
        proxy_pass_request_headers on; \
        proxy_buffering off; \
        proxy_ssl_server_name on; \
        proxy_ssl_protocols TLSv1.2 TLSv1.3; \
        proxy_connect_timeout 30s; \
        proxy_read_timeout 120s; \
        proxy_send_timeout 120s; \
        proxy_intercept_errors off; \
    } \
    location / { \
        root /usr/share/nginx/html; \
        index index.html index.htm; \
        try_files $uri $uri/ /index.html; \
    } \
}' > /etc/nginx/conf.d/default.conf.tpl
RUN sed 's#__VITE_HF_TOKEN__##g' /etc/nginx/conf.d/default.conf.tpl > /etc/nginx/conf.d/default.conf

RUN chmod +x /entrypoint.sh && \
    chown -R appuser:appuser /usr/share/nginx/html /var/cache/nginx /var/log/nginx /etc/nginx/conf.d && \
    touch /var/run/nginx.pid && chown appuser:appuser /var/run/nginx.pid

USER appuser

EXPOSE 7860

HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=2 \
  CMD nginx -t 2>/dev/null || exit 1

ENTRYPOINT ["/entrypoint.sh"]