ARG BASE_IMAGE=debian:bookworm-slim
FROM ${BASE_IMAGE}
ARG SINGBOX_VERSION=1.12.13
ARG INSTALL_RUNTIME_DEPS=true
ARG INSTALL_SINGBOX=true
COPY dist /app/dist

RUN if [ "${INSTALL_RUNTIME_DEPS}" = "true" ]; then \
        apt-get update \
        && apt-get install -y --no-install-recommends ca-certificates curl iptables ipset iproute2 nodejs dumb-init \
        && rm -rf /var/lib/apt/lists/*; \
    else \
        command -v dumb-init >/dev/null \
        && command -v node >/dev/null \
        && command -v iptables >/dev/null \
        && command -v ipset >/dev/null; \
    fi

RUN if [ "${INSTALL_SINGBOX}" = "true" ]; then \
        set -eux; \
        arch="$(dpkg --print-architecture)"; \
        case "$arch" in \
        amd64) sb_arch="amd64" ;; \
        arm64) sb_arch="arm64" ;; \
        *) echo "Unsupported architecture: $arch" >&2; exit 1 ;; \
        esac; \
        curl -fsSL "https://github.com/SagerNet/sing-box/releases/download/v${SINGBOX_VERSION}/sing-box-${SINGBOX_VERSION}-linux-${sb_arch}.tar.gz" -o /tmp/sing-box.tgz; \
        tar -xzf /tmp/sing-box.tgz -C /tmp; \
        mv "/tmp/sing-box-${SINGBOX_VERSION}-linux-${sb_arch}/sing-box" /usr/local/bin/sing-box; \
        chmod +x /usr/local/bin/sing-box; \
        rm -rf /tmp/sing-box*; \
    else \
        command -v sing-box >/dev/null; \
    fi

WORKDIR /app
COPY package.json /app/package.json
COPY src/server /app/src/server
COPY entrypoint.sh /entrypoint.sh

RUN chmod +x /entrypoint.sh \
    && mkdir -p /etc/sing-box /var/lib/vpn-proxy /var/lib/sing-box

ENV PORT=3456 \
    PROXY_PORT=8080 \
    PROXY_BIND_IP=0.0.0.0 \
    TPROXY_PORT=7895 \
    DIRECT_BYPASS_CACHE=false \
    RULE_SET_DOWNLOAD_DETOUR=vpn \
    DATA_DIR=/var/lib/vpn-proxy \
    SING_BOX_CONFIG=/etc/sing-box/config.json \
    SING_BOX_CACHE=/var/lib/sing-box/cache.db

ENTRYPOINT ["dumb-init", "/entrypoint.sh"]