# =============================================================================
# Platform container — Rocky Linux 9
# Runs: Apache (HTTPS) + mod-reqin-log + sentinel + correlator
#
# Multi-stage:
#   1. go-builder  — compile correlator (static, no CGO) on golang image
#   2. platform    — Rocky Linux 9: builds sentinel (CGO+libpcap), mod-reqin-log,
#                    installs Apache, runs everything
#
# sentinel is compiled on Rocky so it links against the same libpcap as runtime.
# This mirrors RPM packaging where build and target are the same distro.
# =============================================================================

# ---------------------------------------------------------------------------
# Stage 1: Build correlator (static binary, no CGO — distro-independent)
# ---------------------------------------------------------------------------
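# NOTE(review): golang:1.24 is a floating tag. The toolchain that produces the
# shipped correlator binary can change between builds; pinning the image by
# digest would make this stage reproducible (digest not shown in this file).
FROM golang:1.24 AS go-builder

WORKDIR /src
# The trailing glob makes go.work.sum optional: the COPY succeeds without it.
COPY go.work go.work.sum* ./
COPY shared/go/ja4common/ shared/go/ja4common/
COPY services/correlator/ services/correlator/
# Only correlator is built in this stage; sentinel is copied as well, presumably
# because go.work lists it and the workspace must resolve — confirm in go.work.
COPY services/sentinel/ services/sentinel/

# Select the module directory with WORKDIR rather than `RUN cd … &&` (hadolint
# DL3003). This stage is discarded, so the changed working directory never
# reaches the final image.
WORKDIR /src/services/correlator
# CGO_ENABLED=0 yields a static binary; -s -w strips symbol and DWARF tables.
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /out/correlator ./cmd/logcorrelator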

# ---------------------------------------------------------------------------
# Stage 2: Rocky Linux 9 — build sentinel + mod-reqin-log, then run everything
# ---------------------------------------------------------------------------
# Final (runtime) stage. rockylinux:9 is a moving tag, so the base layers and the
# package versions resolved below can differ from one build to the next.
FROM rockylinux:9

# Build and runtime packages are installed together in one layer.
# NOTE(review): gcc, make, golang, redhat-rpm-config and the *-devel packages are
# needed only to compile sentinel and mod-reqin-log. Nothing later in this file
# removes them, so a compiler and the Go toolchain remain in the running
# container. That suits a test fixture; a production image would want them in a
# separate build stage.
# --allowerasing lets dnf replace already-installed packages that conflict with a
# requested one. libpcap-devel is taken from the CRB repository, which is enabled
# for that single transaction only.
RUN dnf install -y --allowerasing \
        apr-devel \
        apr-util-devel \
        curl \
        gcc \
        golang \
        httpd \
        httpd-devel \
        libpcap \
        make \
        mod_ssl \
        procps-ng \
        redhat-rpm-config \
    && dnf install -y --enablerepo=crb libpcap-devel \
    && dnf clean all

# -- Build sentinel on Rocky (CGO + libpcap from Rocky repos) ---------------
# Stage the Go workspace (go.work, shared module, both services) under
# /tmp/sentinel-build so the sentinel module can be built inside the workspace.
# NOTE(review): each COPY creates its own layer. The `rm -rf` in the RUN below
# hides the sources from the final filesystem, but they stay readable in the
# earlier layers of the image. Only /root/go, which is populated in the RUN
# itself, is truly absent from the image.
COPY go.work go.work.sum* /tmp/sentinel-build/
COPY shared/go/ja4common/ /tmp/sentinel-build/shared/go/ja4common/
COPY services/sentinel/ /tmp/sentinel-build/services/sentinel/
COPY services/correlator/ /tmp/sentinel-build/services/correlator/
# Built with the distro's golang package and CGO so the binary links against the
# same libpcap that is installed for runtime.
# NOTE(review): if go.work asks for a newer Go than the distro provides, the go
# command may download a toolchain during the build; GOTOOLCHAIN=local would turn
# that into a hard error instead — confirm which behaviour is wanted.
RUN set -e; \
    cd /tmp/sentinel-build/services/sentinel; \
    CGO_ENABLED=1 go build -ldflags="-s -w" -o /usr/local/bin/sentinel ./cmd/ja4sentinel; \
    rm -rf /tmp/sentinel-build /root/go

# -- Build mod-reqin-log from source -----------------------------------------
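COPY services/mod-reqin-log/src/ /tmp/mod-reqin-log/src/
COPY services/mod-reqin-log/Makefile /tmp/mod-reqin-log/Makefile
# Build the Apache module and install it into httpd's module directory.
# The previous `a && b && cp X 2>/dev/null || cp Y && rm` chain was evaluated
# left to right, so the fallback `cp` also ran when `cd` or `make all` had failed:
# the real error was replaced by a cp error, and a stale or partial
# build/.libs/mod_reqin_log.so could be installed from a failed build.
# `set -e` stops at the first failing step, and the output location is chosen by
# an explicit file test. A failing copy is no longer silenced.
RUN set -e; \
    cd /tmp/mod-reqin-log; \
    make all; \
    if [ -f modules/mod_reqin_log.so ]; then \
        built=modules/mod_reqin_log.so; \
    else \
        built=build/.libs/mod_reqin_log.so; \
    fi; \
    cp "$built" /usr/lib64/httpd/modules/; \
    rm -rf /tmp/mod-reqin-log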

# -- Copy correlator from builder (static binary, no deps) -------------------
# Only the compiled correlator binary is taken from the go-builder stage; that
# stage's toolchain and sources are not carried over by this instruction.
COPY --from=go-builder /out/correlator /usr/local/bin/correlator

# -- Create runtime directories ----------------------------------------------
# State, log and config directories for correlator (logcorrelator) and sentinel
# (ja4sentinel). They are created by root with the default mode and no chown
# follows in this file, so a process that drops privileges would need write
# access granted elsewhere — entrypoint.sh is not shown here.
RUN mkdir -p /var/run/logcorrelator \
             /var/log/logcorrelator \
             /var/log/ja4sentinel \
             /etc/logcorrelator \
             /etc/ja4sentinel

# -- Correlator config -------------------------------------------------------
# All three configs come from tests/integration/platform/, i.e. this image is
# built as an integration-test fixture.
# NOTE(review): COPY stores these files in image layers for good; confirm none of
# them carries a real credential or endpoint.
COPY tests/integration/platform/correlator.yml /etc/logcorrelator/correlator.yml

# -- Sentinel config ----------------------------------------------------------
COPY tests/integration/platform/sentinel.yml /etc/ja4sentinel/config.yml

# -- Apache config (HTTPS + mod-reqin-log) ------------------------------------
# Dropped into conf.d, so httpd loads it alongside the distro's default config.
COPY tests/integration/platform/httpd-integration.conf /etc/httpd/conf.d/integration.conf

# -- Generate self-signed TLS certificate -------------------------------------
# Self-signed certificate for CN=platform.test with a fresh RSA-2048 key, written
# to the paths given by -keyout and -out.
# -nodes leaves the private key unencrypted on disk.
# NOTE(review): the key pair is created at build time and therefore stored in an
# image layer. Every container started from this image presents the same key,
# and anyone who can pull the image can read it. That is fine for a throwaway
# test identity; it must not be reused for anything that needs a secret key.
# The certificate is valid for 365 days from the build date, so an image older
# than that serves an expired certificate.
# Only a CN is set and no subjectAltName is requested; clients that match
# hostnames against SAN will presumably reject it — confirm how the tests connect.
RUN openssl req -x509 -nodes -days 365 \
        -subj "/CN=platform.test" \
        -newkey rsa:2048 \
        -keyout /etc/pki/tls/private/localhost.key \
        -out /etc/pki/tls/certs/localhost.crt

# -- Simple health endpoint for Apache ---------------------------------------
# Static JSON document served by Apache at /health. It only shows that httpd
# answers requests, not that sentinel or correlator are running.
RUN mkdir -p /var/www/html \
    && printf '%s\n' '{"status":"ok"}' > /var/www/html/health

# -- Entrypoint (manages all processes) --------------------------------------
# The entrypoint script also comes from the integration-test tree. Per the
# section header it starts and supervises every process in the container.
COPY tests/integration/platform/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# EXPOSE is documentation only; ports are published at `docker run` time.
EXPOSE 80 443

# Exec form: /entrypoint.sh itself runs as PID 1, so it presumably has to forward
# signals to and reap its children — script not shown here.
# NOTE(review): this stage has no USER instruction, so the script and everything
# it launches run as root unless the script drops privileges itself. Packet
# capture and binding ports 80/443 may be the reason; if so, granting only the
# needed capabilities at run time would narrow what a compromised process can do.
CMD ["/entrypoint.sh"]
