# Multi-stage build for provisioning-orchestrator
# Generated from Nickel template - DO NOT EDIT DIRECTLY
# Source: provisioning/schemas/platform/templates/docker/Dockerfile.chef.ncl

# ============================================================================
# Stage 1: PLANNER - Generate dependency recipe
# ============================================================================
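# Planner stage: computes the cargo-chef recipe (recipe.json) for the
# provisioning-orchestrator binary. Nothing from this stage except recipe.json
# is copied into later stages.
# NOTE(review): the tag below is mutable; for reproducible builds pin it by
# digest, e.g. rust:1.82-trixie@sha256:<digest-placeholder>.
FROM rust:1.82-trixie AS planner

WORKDIR /workspace

# Install cargo-chef at a pinned version. --locked makes cargo use the
# Cargo.lock published with the crate, so its transitive dependencies are not
# re-resolved to whatever is newest on the registry at build time.
RUN cargo install cargo-chef --version 0.1.67 --locked

# Copy workspace manifests and member sources needed to compute the recipe.
# NOTE(review): these are whole-directory copies; assumes a .dockerignore keeps
# target/, .git and local credential/env files out of the build context. Confirm.
COPY Cargo.toml Cargo.lock ./
COPY crates ./crates
COPY daemon-cli ./daemon-cli
COPY secretumvault ./secretumvault
COPY prov-ecosystem ./prov-ecosystem
COPY stratumiops ./stratumiops

# Generate recipe.json (dependency graph) for the orchestrator binary only
RUN cargo chef prepare --recipe-path recipe.json --bin provisioning-orchestrator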

# ============================================================================
# Stage 2: CACHER - Build dependencies only
# ============================================================================
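# Cacher stage: compiles only the third-party dependencies described by
# recipe.json so that the resulting layer is reused until the recipe changes.
# NOTE(review): mutable tag; pin by digest (rust:1.82-trixie@sha256:<digest-placeholder>)
# and keep it identical to the other build stages.
FROM rust:1.82-trixie AS cacher

WORKDIR /workspace

# Install build dependencies. --no-install-recommends keeps optional packages
# that nobody asked for out of the stage; the apt lists are removed in the
# same layer that created them.
RUN apt-get update && apt-get install -y --no-install-recommends \
    libssl-dev \
    pkg-config \
    && rm -rf /var/lib/apt/lists/*

# Install cargo-chef at the same pinned version as the planner stage.
# --locked uses the Cargo.lock shipped with the crate instead of re-resolving
# its dependencies at build time.
RUN cargo install cargo-chef --version 0.1.67 --locked

# sccache disabled

# Copy recipe from planner
COPY --from=planner /workspace/recipe.json recipe.json

# Build dependencies - This layer will be cached
RUN cargo chef cook --release --recipe-path recipe.json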

# ============================================================================
# Stage 3: BUILDER - Build source code
# ============================================================================
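# Builder stage: compiles the provisioning-orchestrator release binary on top
# of the dependency artifacts produced by the cacher stage.
# NOTE(review): mutable tag; pin by digest (rust:1.82-trixie@sha256:<digest-placeholder>)
# and keep it identical to the cacher stage so the cached artifacts stay valid.
FROM rust:1.82-trixie AS builder

WORKDIR /workspace

# Install build dependencies (no recommended extras; apt lists removed in the
# same layer).
RUN apt-get update && apt-get install -y --no-install-recommends \
    libssl-dev \
    pkg-config \
    && rm -rf /var/lib/apt/lists/*

# sccache disabled

# Copy cached dependencies from cacher stage: compiled artifacts plus the
# cargo home directory.
COPY --from=cacher /workspace/target target
COPY --from=cacher /usr/local/cargo /usr/local/cargo

# Copy source code
# NOTE(review): whole-directory copies; assumes a .dockerignore keeps target/,
# .git and local credential/env files out of the build context. Confirm.
COPY Cargo.toml Cargo.lock ./
COPY crates ./crates
COPY daemon-cli ./daemon-cli
COPY secretumvault ./secretumvault
COPY prov-ecosystem ./prov-ecosystem
COPY stratumiops ./stratumiops

# Build release binary with parallelism.
# --locked makes the build fail if Cargo.lock is missing or out of date,
# instead of silently resolving dependency versions that were never reviewed.
ENV CARGO_BUILD_JOBS=4
RUN cargo build --release --locked --package provisioning-orchestrator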

# ============================================================================
# Stage 4: RUNTIME - Minimal runtime image
# ============================================================================
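# Runtime stage: only the release binary, its default config and the packages
# needed at run time end up in the shipped image.
# NOTE(review): mutable tag; pin by digest (debian:trixie-slim@sha256:<digest-placeholder>)
# so the shipped base cannot change underneath a rebuild.
FROM debian:trixie-slim

# Install runtime dependencies. curl is used by the HEALTHCHECK below.
# --no-install-recommends keeps optional packages out of the production image.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Create non-root user with a fixed UID and give it ownership of only the
# directories it is expected to write to (data and logs).
RUN useradd -m -u 1000 provisioning && \
    mkdir -p /data /var/log/provisioning-orchestrator && \
    chown -R provisioning:provisioning /data /var/log/provisioning-orchestrator

# Copy binary from builder. COPY without --chown leaves it owned by root, and
# the explicit 0755 mode keeps it non-writable for the service account, so the
# running process cannot replace its own executable.
COPY --from=builder /workspace/target/release/provisioning-orchestrator /usr/local/bin/provisioning-orchestrator
RUN chmod 0755 /usr/local/bin/provisioning-orchestrator

# Default configuration, root-owned.
# NOTE(review): this file is baked into an image layer; confirm it holds no
# credentials or tokens.
COPY crates/provisioning-orchestrator/config.defaults.toml /etc/provisioning/config.defaults.toml

# Switch to the non-root user created above. The numeric UID (matches
# `useradd -u 1000`) lets runtimes that enforce non-root execution, such as
# Kubernetes runAsNonRoot, verify the user without resolving a name.
USER 1000
WORKDIR /app

# Expose service port (documentation only; does not publish the port)
EXPOSE 9090

# Environment variables
ENV RUST_LOG=info
ENV DATA_DIR=/data

# Health check against the service's local /health endpoint
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
    CMD curl -f http://localhost:9090/health || exit 1

# Run the binary (exec form, so the process receives signals directly)
CMD ["provisioning-orchestrator"]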
