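# ====== Stage 1: Builder image ======
# Builds the gocryptfs binary that stage 2 copies into /usr/bin.
# NOTE(review): both the base tag (fedora:latest) and the git clone below are
# unpinned, so the binary shipped in the server image is whatever upstream's
# default branch contains at build time. Consider checking out a reviewed tag
# or commit after cloning and pinning the base image by digest.
FROM fedora:latest AS builder
RUN dnf5 update -y && dnf5 install -y git golang
RUN git clone https://github.com/rfjakob/gocryptfs.git
WORKDIR /gocryptfs
RUN ./build-without-openssl.bash

# ====== Stage 2: Server image ======
FROM quay.io/fedora/fedora-silverblue:43
COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs

# The repository signing keys come from the build context (gpg-keys/), not from
# the network, so the set of trusted signers is whatever is committed there.
COPY gpg-keys/* /keys/

# Import keys, install ZFS repository & build deps & zfs
# NOTE(review): the three *-release RPMs are fetched by URL. Confirm that dnf5
# verifies their signatures against the keys imported here (command-line
# packages are governed by the localpkg_gpgcheck option); otherwise these
# packages are trusted on HTTPS alone.
# The kernel version handed to dkms is quoted so it is always passed as a
# single argument.
RUN rpm --import \
        /keys/nvidia-gpgkey \
        /keys/OpenZFS \
        /keys/Smallstep \
        /keys/zrepl-rpm-pkgs \
        /keys/RPM-GPG-KEY-rpmfusion-free-fedora-2020 \
        /keys/RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020 \
        /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64 && \
    rm -rf /keys && \
    dnf5 install -y \
        "https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-3-0$(rpm --eval "%{dist}").noarch.rpm" \
        "https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm" \
        "https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm" && \
    dnf5 install -y \
        kernel-devel kernel-devel-matched kernel-headers kernel-srpm-macros && \
    dnf5 install -y zfs && \
    dkms autoinstall -k "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" && \
    dnf5 clean all

# Install smallstep, nvidia & zrepl repository
COPY supermicro-x10drh/*.repo /etc/yum.repos.d/
RUN dnf5 install -y \
        akmods \
        ansible \
        borgbackup \
        certbot \
        distrobox \
        fail2ban \
        fuse-encfs \
        fuse-sshfs \
        hddtemp \
        htop \
        iftop \
        igt-gpu-tools \
        iotop \
        ipmitool \
        libnvidia-container-tools \
        libnvidia-container1 \
        libvirt \
        lm_sensors \
        net-tools \
        netcat \
        nginx \
        nut \
        nvidia-container-toolkit \
        nvidia-container-toolkit-base \
        pv \
        python3-certbot-nginx \
        qemu-kvm \
        rclone \
        screen \
        smartmontools \
        step-cli \
        strace \
        stress-ng \
        telnet \
        vim \
        zrepl-v0.6.0-1.x86_64 && \
    dnf5 clean all

# TODO: Remove this `|| true` hack once post scriptlets no longer make dnf exit with non-zero
# The shell groups this as `(install || true) && clean`, so a failed install is
# swallowed here; the `rpm -q` step below is what actually fails the build.
RUN dnf5 install -y \
        akmod-nvidia || true && \
    dnf5 clean all

# TODO: Remove this check once the `|| true` above is gone. It makes sure the
# package above actually got installed: rpm exits non-zero if the package is
# not installed and aborts the Containerfile build.
RUN rpm -q akmod-nvidia

# Build nvidia akmod with no special arguments - defaults to open kernel driver for newer hardware
# /var/tmp is world-writable with the sticky bit (1777) rather than plain 777,
# so build users cannot remove or replace each other's temporary files. /var is
# wiped in the final step, so this only affects the build itself.
RUN mkdir -p /var/log/akmods /var/cache/akmods/nvidia /var/tmp && \
    chmod 1777 /var/tmp && \
    /usr/sbin/akmods --force --kernels "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"

# Cleanup image for linting
# Each sysusers file is created only when missing. The braces keep the two
# checks independent: a failed write for libvirt.conf now aborts the build
# instead of falling through to an unconditional write of qat.conf.
RUN { test -f /usr/lib/sysusers.d/libvirt.conf || \
        printf '%s\n' 'g libvirt 963' > /usr/lib/sysusers.d/libvirt.conf; } && \
    { test -f /usr/lib/sysusers.d/qat.conf || \
        printf '%s\n' 'g qat 995' > /usr/lib/sysusers.d/qat.conf; }

# The first check makes sure that we have exactly 6 gpg pubkeys trusted in the rpmdb (the ones from the base image).
# Any more than that means that dnf automatically added a new one, which is shady!
# NOTE(review): seven key files are passed to `rpm --import` above; confirm the
# expected count of 6 still matches and keep it in sync with that list.
# The glob is quoted so rpm, not the shell, matches it: a stray file named
# gpg-pubkey* in the working directory must not be able to alter this check.
# Then: cleanup image for linting
# Finally: verify image is good
RUN [ "$(rpm -qa 'gpg-pubkey*' | wc -l)" -eq 6 ] && \
    rm -rf /var /boot && mkdir /var /boot && \
    bootc container lint --fatal-warnings --skip baseimage-composefs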