ARG NODE_BUILD_IMAGE=node:20-alpine
ARG RUNTIME_IMAGE=debian:bookworm-slim

FROM ${NODE_BUILD_IMAGE} AS web-build
WORKDIR /src
COPY package.json package-lock.json ./
RUN npm ci
COPY index.html vite.config.js ./
COPY src/web ./src/web
RUN npm run build

FROM ${RUNTIME_IMAGE}
ARG SINGBOX_VERSION=1.12.13

RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates curl dumb-init nodejs tar \
    && rm -rf /var/lib/apt/lists/*

RUN set -eux; \
    arch="$(dpkg --print-architecture)"; \
    case "$arch" in \
      amd64) sb_arch="amd64" ;; \
      arm64) sb_arch="arm64" ;; \
      *) echo "Unsupported architecture: $arch" >&2; exit 1 ;; \
    esac; \
    curl -fsSL "https://github.com/SagerNet/sing-box/releases/download/v${SINGBOX_VERSION}/sing-box-${SINGBOX_VERSION}-linux-${sb_arch}.tar.gz" -o /tmp/sing-box.tgz; \
    tar -xzf /tmp/sing-box.tgz -C /tmp; \
    mv "/tmp/sing-box-${SINGBOX_VERSION}-linux-${sb_arch}/sing-box" /usr/local/bin/sing-box; \
    chmod +x /usr/local/bin/sing-box; \
    rm -rf /tmp/sing-box*

WORKDIR /app
COPY --from=web-build /src/dist /app/dist
COPY package.json /app/package.json
COPY src/server /app/src/server
COPY entrypoint.client.sh /entrypoint.client.sh

RUN chmod +x /entrypoint.client.sh \
    && mkdir -p /etc/sing-box /var/lib/vpn-proxy /var/lib/sing-box

ENV APP_MODE=client \
    PORT=3456 \
    PROXY_PORT=8080 \
    PROXY_BIND_IP=0.0.0.0 \
    DATA_DIR=/var/lib/vpn-proxy \
    SING_BOX_CONFIG=/etc/sing-box/config.json \
    SING_BOX_CACHE=/var/lib/sing-box/cache.db \
    RULE_SET_DOWNLOAD_DETOUR=vpn \
    ROUTING_RU_DIRECT=true \
    LOG_LEVEL=info

EXPOSE 3456 8080

ENTRYPOINT ["dumb-init", "/entrypoint.client.sh"]