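# ====== Stage 1: Builder image ======
# Builds gocryptfs from source. Only the resulting binary is copied into the
# final stage, so git and the Go toolchain installed here never ship.
# Pinned to the same Fedora release as the final stage instead of `:latest`,
# so a rebuild does not silently pick up a different toolchain.
FROM fedora:43 AS builder

# Git ref (tag, branch or commit) of gocryptfs to build. The default, HEAD,
# builds the tip of the default branch exactly like an unpinned clone would;
# pass a tag or commit (--build-arg GOCRYPTFS_REF=...) for a reproducible build.
ARG GOCRYPTFS_REF=HEAD

# Single package-manager invocation (dnf5 throughout, matching stage 2) and a
# cache clean in the same layer. No blanket `update`: `install` already resolves
# the current golang build from the release's repos.
RUN dnf5 install -y git golang && dnf5 clean all

# Full clone on purpose: the checkout below must be able to reach any ref the
# caller names. NOTE(review): the build script presumably derives its version
# string from git metadata — confirm before switching to a shallow clone.
RUN git clone https://github.com/rfjakob/gocryptfs.git /gocryptfs && \
    git -C /gocryptfs checkout --quiet "${GOCRYPTFS_REF}"

WORKDIR /gocryptfs

# Upstream build script for the variant without the OpenSSL backend; its
# output, /gocryptfs/gocryptfs, is what stage 2 copies.
RUN ./build-without-openssl.bash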

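# ====== Stage 2: Server image ======
# Bootable (bootc) host image, not an application container: it becomes the
# host OS, so there is intentionally no USER / ENTRYPOINT in this stage.
FROM quay.io/fedora/fedora-bootc:43

# Only the binary built in stage 1 is carried over; nothing else from the builder.
COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs

# Public signing keys for the third-party repos. They are imported into the
# rpmdb below and then deleted; being public keys, the COPY layer keeping a
# copy is harmless.
COPY gpg-keys/* /keys/

# Import the trusted keys, install the OpenZFS release RPM (it adds the zfs
# repo), the kernel build deps, then zfs itself, and build the DKMS module for
# the kernel shipped in the image.
# `localpkg_gpgcheck=1` makes dnf5 signature-check the command-line RPM against
# the keys just imported instead of trusting it because it arrived over HTTPS;
# a bad or missing signature fails the build.
# NOTE(review): `dkms autoinstall -k` is given the unquoted kernel query on
# purpose (matches the original); it assumes exactly one kernel package is
# installed — confirm that still holds if the base image changes.
RUN rpm --import \
      /keys/OpenZFS \
      /keys/Smallstep \
      /keys/zrepl-rpm-pkgs \
      /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64 && \
    rm -rf /keys && \
    dnf5 install -y --setopt=localpkg_gpgcheck=1 \
      https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-3-0$(rpm --eval "%{dist}").noarch.rpm && \
    dnf5 install -y \
      kernel-devel kernel-devel-matched kernel-headers kernel-srpm-macros && \
    dnf5 install -y zfs && \
    dkms autoinstall -k $(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}') && \
    dnf5 clean all

# Install the smallstep & zrepl repository definitions (their keys were
# imported above, so packages from them are signature-checked, not auto-trusted).
COPY supermicro-x10drh/*.repo /etc/yum.repos.d/

# Host tooling. zrepl is pinned to an exact version/release; everything else
# follows whatever the enabled repos currently provide.
RUN dnf5 install -y \
      ansible \
      borgbackup \
      certbot \
      distrobox \
      fail2ban \
      fuse-encfs \
      fuse-sshfs \
      hddtemp \
      htop \
      iftop \
      iotop \
      ipmitool \
      libvirt \
      lm_sensors \
      net-tools \
      netcat \
      nginx \
      nut \
      pv \
      python3-certbot-nginx \
      qemu-kvm \
      rclone \
      screen \
      smartmontools \
      step-cli \
      strace \
      stress-ng \
      telnet \
      vim \
      zrepl-v0.6.0-1.x86_64 && \
    dnf5 clean all

# Cleanup for `bootc container lint` (run below): the libvirt and qat groups
# (presumably created by package scriptlets above) have no sysusers.d entry,
# so declare one unless the package already shipped a file.
# NOTE(review): the GIDs are hard-coded — confirm they match what the packages
# actually wrote to /etc/group.
# Braces make the grouping explicit: `a || b && c || d` is evaluated strictly
# left to right in sh, which only happens to give the intended result.
RUN { test -f /usr/lib/sysusers.d/libvirt.conf || echo 'g libvirt 963' > /usr/lib/sysusers.d/libvirt.conf; } && \
    { test -f /usr/lib/sysusers.d/qat.conf || echo 'g qat 995' > /usr/lib/sysusers.d/qat.conf; }

# Final gate, in order:
# 1. Exactly four gpg-pubkey entries must be in the rpmdb: the four imported at
#    the top of this stage (OpenZFS, Smallstep, zrepl, Fedora 43). Any more
#    means dnf auto-imported a key from a repo definition, which is shady —
#    fail the build.
# 2. /var and /boot are emptied and recreated so the image passes lint.
# 3. Lint the result, treating warnings as errors.
# POSIX `[` instead of bash `[[` so the step does not depend on /bin/sh being
# bash; the rpm pattern is quoted so the shell cannot expand it against files
# in the working directory.
RUN [ "$(rpm -qa 'gpg-pubkey*' | wc -l)" -eq 4 ] && \
    rm -rf /var /boot && mkdir /var /boot && \
    bootc container lint --fatal-warnings --skip baseimage-composefs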
