FROM node:22.15.0-alpine AS builder
RUN corepack enable

# Install native dependencies since we might be building cross-platform.
WORKDIR /usr/src/app
COPY ./docker/package.json ./docker/pnpm-workspace.yaml /usr/src/app/
# We have to use --no-frozen-lockfile due to CKEditor patches
RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild

FROM node:22.15.0-alpine
# Create a non-root user with configurable UID/GID
ARG USER=trilium
ARG UID=1001
ARG GID=1001
ENV USER=${USER}
ENV UID=${UID}
ENV GID=${GID}

# Install runtime dependencies and create user with specific UID/GID
RUN apk add --no-cache dumb-init && \
    # Alpine uses addgroup/adduser (from busybox) instead of groupadd/useradd
    addgroup -g ${GID} ${USER} && \
    adduser -u ${UID} -G ${USER} -s /bin/sh -D -h /home/${USER} ${USER}

WORKDIR /home/${USER}/app
COPY ./dist /home/${USER}/app
# Also copy the rootless entrypoint script
COPY rootless-entrypoint.sh /home/${USER}/app/
RUN rm -rf /home/${USER}/app/node_modules/better-sqlite3
COPY --from=builder /usr/src/app/node_modules/better-sqlite3 /home/${USER}/app/node_modules/better-sqlite3
RUN chown -R ${USER}:${USER} /home/${USER}

# Configure container
USER ${USER}
EXPOSE 8080

# By default, use UID/GID that was set during build
# These can be overridden at runtime
ENV TRILIUM_UID=${UID}
ENV TRILIUM_GID=${GID}
ENV TRILIUM_DATA_DIR=/home/${USER}/trilium-data

# Use dumb-init as entrypoint to handle signals properly
ENTRYPOINT ["/usr/bin/dumb-init", "--"]

# Use the entrypoint script
CMD [ "bash", "./rootless-entrypoint.sh" ]

HEALTHCHECK --start-period=10s CMD node /home/${USER}/app/docker_healthcheck.js