ARG NGINX_BRANCH=vanilla
FROM alpine:3.23 AS base

FROM base AS build_stage_1
ARG NGINX_VERSION LIBRESSL_VERSION
RUN --mount=type=cache,target=/var/cache/apk apk update
RUN --mount=type=cache,target=/var/cache/apk apk add \
	autoconf \
	automake \
	bind-tools \
	binutils \
	build-base \
	ca-certificates \
	cmake \
	gcc \
	gd-dev \
	geoip-dev \
	git \
	gnupg \
	go \
	libc-dev \
	libgcc \
	libstdc++ \
	libtool \
	libxslt-dev \
	linux-headers \
	make \
	ninja \
	pcre \
	pcre-dev \
	perl-dev \
	quickjs-dev \
	su-exec \
	tar \
	tzdata \
	zlib \
	zlib-dev \
	mercurial
RUN adduser -D luser
USER luser
WORKDIR /home/luser

#RUN git clone --depth 1 --branch v4.2.0 https://github.com/libressl/portable.git libressl
#ADD --chown=luser:luser git@github.com:libressl/portable.git#v${LIBRESSL_VERSION} libressl
ADD --chown=luser:luser https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${LIBRESSL_VERSION}.tar.gz libressl.tgz
RUN tar -xzf libressl.tgz && mv libressl-${LIBRESSL_VERSION} libressl && rm libressl.tgz
RUN mkdir -p libressl/build
RUN cmake -G Ninja -B libressl/build -S libressl \ 
	-DCMAKE_BUILD_TYPE=Release \
	-DLIBRESSL_APPS=OFF \
	-DLIBRESSL_SKIP_INSTALL=ON \
	-DENABLE_ASM=OFF \
	-DENABLE_NC=OFF \
	-DLIBRESSL_TESTS=OFF \
	-DBUILD_SHARED_LIBS=OFF
RUN cmake --build libressl/build

FROM build_stage_1 AS build_stage_2_vanilla
ARG NGINX_VERSION
ADD --chown=luser:luser https://github.com/nginx/nginx.git#release-${NGINX_VERSION} /nginx

FROM build_stage_1 AS build_stage_2_woggioni
ARG NGINX_VERSION
ADD --chown=luser:luser git@github.com:woggioni/nginx.git#release-${NGINX_VERSION} /nginx

FROM build_stage_2_${NGINX_BRANCH} AS build
ADD --chown=luser:luser https://github.com/openresty/headers-more-nginx-module.git /ngx_headers_more
ADD --chown=luser:luser https://github.com/google/ngx_brotli.git /ngx_brotli

USER root
WORKDIR /
RUN hg clone http://hg.nginx.org/njs /njs
RUN chown luser:luser -R /njs
USER luser
WORKDIR /home/luser
ADD --chown=luser:luser --chmod=755 ./build.sh ./build.sh
RUN ./build.sh

FROM build_stage_2_${NGINX_BRANCH} AS build-rtmp
ADD --chown=luser:luser https://github.com/arut/nginx-rtmp-module.git /ngx-rtmp-module
USER luser
WORKDIR /home/luser
ADD --chown=luser:luser --chmod=755 ./build-rtmp.sh ./build-rtmp.sh
RUN ./build-rtmp.sh

FROM base AS release
ARG VERSION
ENV NGINX_VERSION=${VERSION}

RUN addgroup -S nginx
RUN adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx

RUN --mount=type=cache,target=/var/cache/apk apk add --virtual .install_deps make perl-dev gettext binutils
RUN --mount=type=cache,target=/var/cache/apk \
    --mount=type=bind,from=build,source=/nginx,target=/nginx \
    --mount=type=bind,from=build,source=/ngx_headers_more,target=/ngx_headers_more \
    --mount=type=bind,from=build,source=/ngx_brotli,target=/ngx_brotli \
    --mount=type=bind,from=build,source=/njs,target=/njs \
    --mount=type=bind,source=install.sh,target=/install.sh \
	 (cd nginx && sh /install.sh)
RUN --mount=type=cache,target=/var/cache/apk apk del .install_deps
COPY --from=build-rtmp --chown=root:root /nginx/objs/ngx_rtmp_module.so /usr/lib/nginx/modules/
COPY --from=build /home/luser/libressl/openssl.cnf /etc/ssl/openssl.cnf
COPY conf/nginx.conf /etc/nginx/nginx.conf
COPY conf/dhparam /etc/nginx/dhparam

LABEL description="NGINX Docker built top of LibreSSL" \
      maintainer="Walter Oggioni <oggioni.walter@gmail.com>" \
      openssl="LibreSSL" \
      nginx="nginx ${NGINX_VERSION}"

EXPOSE 80 443 443/udp

STOPSIGNAL SIGTERM

CMD ["nginx", "-g", "daemon off;"]
