# Base image: official Node.js on Alpine, pinned to an exact version tag.
# NOTE(review): a tag can be re-pushed upstream; additionally pinning by digest
# would make the build reproducible.
FROM node:24.14.1-alpine

# As root: install CA certificates, apply pending Alpine package updates, then
# create the unprivileged system group/user "app" (fixed UID 31337, home /app/)
# and hand the home directory over to it.
RUN apk add --no-cache ca-certificates && \
    apk upgrade --no-cache && \
    addgroup -S app && \
    adduser -S -G app -u 31337 -h /app/ app && \
    chown -R app:app /app/

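# Drop root for every following instruction and for the running container.
USER app
WORKDIR /app

# Runtime mode for the Node.js app. Written in key=value form because the
# space-separated `ENV key value` syntax is deprecated.
ENV NODE_ENV=production \
    MODE=server

# COPY creates files owned by root:root unless --chown is given (USER does not
# affect it), so the runtime user cannot modify the shipped application code.
COPY package.json /app/
COPY dist/ /app/dist/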

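# Numeric form of the "app" user (UID 31337) so that runtimes which verify
# non-root by UID can do so from the image metadata.
USER 31337

# Default runtime configuration; every value can be overridden when the
# container is started.
#
# SECURITY: ENV values are stored in the image metadata and are readable by
# anyone who can pull the image.
#  - SESSIONS_SECRET="changeme" is a publicly known placeholder. Supply a
#    unique random value at runtime (orchestrator secret / --env-file), never
#    by editing this file.
#  - OIDC_CLIENT_SECRET must likewise be injected at runtime, not baked in.
#  - AUTH_METHOD="none" ships with authentication disabled; choose a real
#    method before exposing the service.
#  - NOTE(review): the AUTH_HEADER_* names suggest a header-based auth mode.
#    If so, it is only safe behind a trusted reverse proxy that strips these
#    headers from client requests. Confirm against the application.
ENV LISTEN_HOST="::" \
    LISTEN_PORT="8080" \
    SSR_ONLY="false" \
    SESSIONS_SECRET="changeme" \
    AUTH_METHOD="none" \
    OIDC_ISSUER="https://keycloak/realms/demo/" \
    OIDC_CLIENT_ID="app" \
    OIDC_CLIENT_SECRET="" \
    OIDC_REDIRECT_URI="https://localhost" \
    AUTH_HEADER_USERNAME="x-auth-username" \
    AUTH_HEADER_GROUPS="x-auth-groups" \
    AUTH_HEADER_ROLES="x-auth-roles"

# Documentation only. Expanded at build time, so it keeps showing the default
# port even if LISTEN_PORT is overridden at runtime.
EXPOSE ${LISTEN_PORT:-8080}

# Probe the app's /healthz endpoint on the configured port. The port belongs to
# the authority part of the URL (host:port/path). With the port appended after
# the path, the probe would request port 80 and always report unhealthy.
# ${LISTEN_PORT} is expanded by the shell inside the container, so a runtime
# override of the port is honoured.
HEALTHCHECK CMD wget -q -O /dev/null "http://localhost:${LISTEN_PORT}/healthz" || exit 1

# Exec form: node runs as PID 1 and receives stop signals directly. "." resolves
# the entry point from /app/package.json.
CMD ["node", "."]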
