computer-playbook/roles/web-app-chess/templates/Dockerfile.j2

# Multi-stage build for castling.club
# Stage 1: build
FROM node:{{ CHESS_VERSION }} AS build

ARG CHESS_REPO_URL={{ CHESS_REPO_URL }}
ARG CHESS_REPO_REF={{ CHESS_REPO_REF }}

RUN apt-get update && apt-get install -y --no-install-recommends \
    git ca-certificates openssl dumb-init python3 build-essential \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /src
RUN git clone --depth 1 --branch "${CHESS_REPO_REF}" "${CHESS_REPO_URL}" ./

# Use Yarn 4 for the build
RUN corepack enable && corepack prepare yarn@4.9.1 --activate && yarn -v
RUN yarn install --immutable --inline-builds
RUN yarn build

# Stage 2: runtime
FROM node:{{ CHESS_VERSION }}

WORKDIR /app

# Minimal runtime packages + dumb-init (+ curl for healthcheck)
RUN apt-get update && apt-get install -y --no-install-recommends \
    bash openssl dumb-init postgresql-client ca-certificates curl \
 && rm -rf /var/lib/apt/lists/*

# Copy built app from builder
COPY --from=build /src /app

# Entrypoint script (root so chmod works in /usr/local/bin)
COPY {{ CHESS_ENTRYPOINT_REL }} {{ CHESS_ENTRYPOINT_INT }}
RUN chmod +x {{ CHESS_ENTRYPOINT_INT }}

# Create data dir for signing keys and Yarn cache; fix ownership
RUN mkdir -p {{ CHESS_APP_DATA_DIR }} /app/.yarn/cache /home/node \
 && chown -R node:node /app /home/node

# Use project-local yarn cache (avoid /root/.yarn)
ENV YARN_ENABLE_GLOBAL_CACHE=false
ENV YARN_CACHE_FOLDER=/app/.yarn/cache

# Switch to non-root and prep yarn 4
USER node
ENV HOME=/home/node
RUN corepack enable && corepack prepare yarn@4.9.1 --activate && yarn -v

EXPOSE {{ container_port }}
ENTRYPOINT ["dumb-init", "--"]
CMD ["{{ CHESS_ENTRYPOINT_INT }}"]