FROM node:20-slim AS builder
WORKDIR /app
RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
RUN git clone https://github.com/tashfeenahmed/freellmapi.git .
RUN npm install
RUN npm run build

# --- 生产运行环境 ---
FROM node:20-slim AS runner
WORKDIR /app

# 1. 安装用于网络转发和基础认证的 caddy（极其轻量且极其安全）
RUN apt-get update && apt-get install -y debian-keyring debian-archive-keyring apt-transport-https curl \
    && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | apt-key add - \
    && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.yandex.net/caddy/stable.list \
    && apt-get update && apt-get install -y caddy && rm -rf /var/lib/apt/lists/*

COPY --from=builder /app ./
RUN mkdir -p /data/freellm

# 2. 路由修复
RUN cp -r client/dist/* server/dist/public/ 2>/dev/null || cp -r client/dist/* server/public/ 2>/dev/null || true

# 3. 环境变量（让 FreeLLMAPI 后端改退到内部 8080 端口，把 7860 留给密码锁）
EXPOSE 7860
ENV PORT=8080
ENV NODE_ENV=production
ENV DATABASE_URL="file:/data/database.sqlite"

# 4. 【核心绝杀】：动态生成密码锁配置文件，并启动全套服务
CMD ["sh", "-c", "rm -rf /app/server/data && ln -s /data/freellm /app/server/data && \
    # 如果你在 HF Settings 里配了这两个 secret，就用你配的；没配就默认 admin/admin123 \
    USER=${SPACE_BASIC_AUTH_USERNAME:-admin} && \
    PASS=${SPACE_BASIC_AUTH_PASSWORD:-admin123} && \
    HASHED_PASS=$(caddy hash-password --plaintext \"$PASS\") && \
    # 现场印制 Caddyfile 配置文件 \
    echo \":7860 {\" > Caddyfile && \
    echo \"  basic_auth / { \" >> Caddyfile && \
    echo \"    $USER $HASHED_PASS\" >> Caddyfile && \
    echo \"  }\" >> Caddyfile && \
    echo \"  reverse_proxy localhost:8080\" >> Caddyfile && \
    echo \"}\" >> Caddyfile && \
    # 动态计算密钥并后台启动 API 引擎 \
    export ENCRYPTION_KEY=$(node -e \"console.log(require('crypto').randomBytes(32).toString('hex'))\") && \
    node server/dist/index.js & \
    # 前台启动密码锁守护进程 \
    caddy run --config Caddyfile\"]