# Atelier - dev-base image
# Development environment with Bun, Git and sshd, plus a KasmVNC/Openbox/Chromium desktop
# code-server and opencode are NOT installed here; they are served via NFS from /opt/shared/bin
#
# Build: docker build -t atelier/dev-base .
# Export: docker export $(docker create atelier/dev-base) | tar -C ./rootfs -xf -

# Debian bookworm based (the KasmVNC .deb fetched below is the bookworm build,
# so the base must stay on bookworm).
# NOTE(review): a floating minor tag — pin by digest (`node:22-slim@sha256:…`)
# so rebuilds of this base are reproducible and the exact input is auditable.
FROM node:22-slim


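ARG KASMVNC_VERSION=1.4.0
# Build-time only: keeps apt non-interactive for every `RUN apt-get …` in this
# stage without leaking DEBIAN_FRONTEND into the runtime environment of every
# container (the previous ENV persisted it, changing how apt behaves when run
# interactively inside the sandbox).
ARG DEBIAN_FRONTEND=noninteractive
# Runtime identity and paths of the dev user (the user itself is created by
# renaming the base image's `node` user in Layer 3).
ENV HOME=/home/dev \
    USER=dev \
    SHELL=/bin/bash \
    BUN_INSTALL=/home/dev/.bun
# PATH is a separate ENV so $BUN_INSTALL from the instruction above is
# already defined when it is expanded.
ENV PATH=$BUN_INSTALL/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# C.UTF-8 is built into glibc and never needs locale-gen, so it works
# regardless of which locale data is generated. Avoids the noisy
# 'setlocale: LC_ALL: cannot change locale' warnings that plagued every
# bash -l in the sandbox.
ENV LANG=C.UTF-8 \
    LC_ALL=C.UTF-8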

# Layer 1: System packages (cached unless package list changes)
# One package per line, alphabetically, so additions diff cleanly. Versions
# are not pinned (apt-get on bookworm resolves whatever the mirror has), so
# the layer is only as reproducible as the mirror snapshot.
# NOTE(review): installing openssh-server here presumably runs Debian's
# postinst, which generates SSH host keys at build time — those keys then ship
# in the image and in every `docker export`ed rootfs. Verify with
# `ls /etc/ssh/ssh_host_*` in the built image, and make sure the boot path
# regenerates them before trusting sshd host identity across sandboxes.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        chromium \
        chrony \
        curl \
        fonts-liberation \
        git \
        iproute2 \
        iputils-ping \
        jq \
        libegl1 \
        nfs-common \
        openbox \
        openssh-server \
        procps \
        sudo \
        unzip \
        vim \
        xz-utils \
    && apt-get clean \
    && rm -rf \
        /var/lib/apt/lists/* /tmp/* /var/tmp/* \
        /usr/share/doc /usr/share/man /usr/share/info /usr/share/lintian \
    && find /usr/share/locale -mindepth 1 -maxdepth 1 ! -name 'en*' -exec rm -rf {} + \
    && rm -rf /var/cache/apt

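# Layer 2: KasmVNC (cached unless KASMVNC_VERSION / KASMVNC_SHA256 changes)
# The .deb is downloaded from GitHub and installed as root, so its integrity
# is pinned rather than trusted on download: build with
#   --build-arg KASMVNC_SHA256=<sha256 of kasmvncserver_bookworm_<ver>_amd64.deb>
# and a mismatch fails the build. When the digest is left empty the build
# still proceeds (so the documented plain `docker build` keeps working) but
# prints a warning — treat an unverified build as a development-only image.
# amd64 only: the artifact name is hardcoded, there is no TARGETARCH handling.
ARG KASMVNC_SHA256=""
RUN set -eu \
    && deb="kasmvncserver_bookworm_${KASMVNC_VERSION}_amd64.deb" \
    && curl -fsSL -o "/tmp/${deb}" \
        "https://github.com/kasmtech/KasmVNC/releases/download/v${KASMVNC_VERSION}/${deb}" \
    && if [ -n "${KASMVNC_SHA256}" ]; then \
           echo "${KASMVNC_SHA256}  /tmp/${deb}" | sha256sum -c - ; \
       else \
           echo "WARNING: KASMVNC_SHA256 not set; installing ${deb} without integrity verification" >&2 ; \
       fi \
    && apt-get update \
    && apt-get install -y --no-install-recommends "/tmp/${deb}" \
    && rm -f "/tmp/${deb}" \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*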

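# Layer 3: User rename + SSH hardening (rarely changes)
# The base image's `node` user/group becomes `dev`, keeping its uid/gid (the
# profile script in Layer 6 keys on uid 1000) and moving its home to /home/dev.
# sshd is locked to key-only, non-root logins. The sed edits of the stock
# sshd_config are kept, but the same settings are also written as a drop-in
# under /etc/ssh/sshd_config.d/: sshd keeps the FIRST value it reads for a
# keyword and bookworm's stock config begins with
# `Include /etc/ssh/sshd_config.d/*.conf`, so the drop-in holds regardless of
# how the stock file words or comments the directive (the sed for
# ChallengeResponseAuthentication likely matches nothing on releases whose
# stock file carries the newer KbdInteractiveAuthentication name instead).
# `sshd -t` makes a malformed config fail the build, not the first boot; it
# needs /run/sshd and the host keys, both present after Layer 1.
# NOTE(review): the host keys generated at install time are baked into this
# image — unless sandbox-boot.sh regenerates them, every sandbox shares one
# SSH host identity.
RUN usermod -l dev -d /home/dev -m node \
    && groupmod -n dev node \
    && mkdir -p /var/run/sshd /etc/ssh/sshd_config.d \
    && sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config \
    && sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config \
    && sed -i 's/^#\?ChallengeResponseAuthentication .*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config \
    && printf '%s\n' \
        'PermitRootLogin no' \
        'PasswordAuthentication no' \
        'KbdInteractiveAuthentication no' \
        'ChallengeResponseAuthentication no' \
        > /etc/ssh/sshd_config.d/10-atelier-hardening.conf \
    && /usr/sbin/sshd -t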

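# Layer 4: Bun runtime (cached unless the install script or BUN_VERSION changes)
# The installer is saved to a file and executed, instead of piped into bash:
# with `curl … | bash` the pipeline's status is bash's, so a failed or
# truncated download is masked (the original stage only failed later, at the
# chown, and a partial script would already have run as root). The saved file
# can also be inspected in a failed build. BUN_VERSION, when set, is passed
# as the installer's first argument — Bun's install docs take a release tag
# there, e.g. `bun-v1.2.0`; left empty the installer picks the latest release,
# which makes the layer non-reproducible. Note the installer still fetches
# the release archive over HTTPS without a checksum of our own, so pinning
# narrows but does not remove that trust.
ARG BUN_VERSION=""
RUN curl -fsSL -o /tmp/bun-install.sh https://bun.sh/install \
    && BUN_INSTALL=/home/dev/.bun bash /tmp/bun-install.sh ${BUN_VERSION:+"$BUN_VERSION"} \
    && rm -f /tmp/bun-install.sh \
    && test -x /home/dev/.bun/bin/bun \
    && chown -R dev:dev /home/dev/.bun \
    && printf '%s\n' \
        'export BUN_INSTALL="/home/dev/.bun"' \
        'export PATH="$BUN_INSTALL/bin:$PATH"' \
        > /etc/profile.d/bun.sh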

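# Layer 5: Directory structure + permissions
# Everything under /home/dev plus the sandbox state directories is owned by
# dev. /etc/sandbox/secrets holds material that the login profile sources
# into the dev user's environment, so unlike the other directories it is not
# world-readable/traversable: 0750 dev:dev (was 0775, i.e. r-x for "other").
# Nothing outside the dev user/group is expected to read it; root is not
# affected by the mode.
# NOTE(review): rootfs/etc/sandbox/ is COPY'd over this tree in Layer 6 —
# confirm the secrets/ mode survives that copy, or re-apply it after it.
RUN mkdir -p /etc/sandbox/secrets /var/log/sandbox \
    /home/dev/workspace \
    /home/dev/.local/share/code-server/User \
    /home/dev/.local/share/opencode \
    /home/dev/.config/opencode \
    /home/dev/.cache/oh-my-opencode \
    /.atelier \
    && chown -R dev:dev /home/dev /var/log/sandbox /etc/sandbox /.atelier \
    && chmod 775 /etc/sandbox /var/log/sandbox /.atelier \
    && chmod 750 /etc/sandbox/secrets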

# Layer 6: Profile scripts + config files (most likely to change)
# Three login-shell snippets under /etc/profile.d:
#  - shared-binaries.sh: puts the NFS-served /opt/shared/bin first on PATH
#  - locale.sh: re-exports the C.UTF-8 locale for login shells
#  - 99-sandbox-secrets.sh: sources /etc/sandbox/secrets/.env, only when the
#    shell runs as uid 1000 (the dev user) and the file is readable. Sourcing
#    executes .env as shell code in the login shell, and anything it exports
#    reaches every process started from that shell — keep that in mind when
#    deciding what goes into .env.
RUN { echo 'export PATH="/opt/shared/bin:$PATH"'; } > /etc/profile.d/shared-binaries.sh \
    && { echo 'export LANG=C.UTF-8'; echo 'export LC_ALL=C.UTF-8'; } > /etc/profile.d/locale.sh \
    && echo '[ "$(id -u)" = "1000" ] && [ -r /etc/sandbox/secrets/.env ] && . /etc/sandbox/secrets/.env' > /etc/profile.d/99-sandbox-secrets.sh
# code-server user settings and the sandbox config tree are owned by dev so
# the sandbox can edit them in place. rootfs/etc/sandbox/ is merged over the
# tree created in Layer 5 (including secrets/); anything placed under
# rootfs/etc/sandbox/secrets/ becomes part of an image layer and is
# extractable from the image or the exported rootfs — keep real secrets out
# of rootfs and inject them at runtime.
COPY --chown=dev:dev rootfs/home/dev/.local/share/code-server/User/settings.json /home/dev/.local/share/code-server/User/settings.json
COPY --chown=dev:dev rootfs/etc/sandbox/ /etc/sandbox/
# Openbox session config and chrony config stay root-owned (no --chown).
COPY rootfs/etc/xdg/openbox/ /etc/xdg/openbox/
COPY rootfs/etc/chrony/chrony.conf /etc/chrony/chrony.conf
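# chrony runtime state plus a passwordless sudo rule so the dev user can start
# and control the time daemon. The fragment is validated with `visudo -c` at
# build time: a syntax error in any sudoers.d file disables sudo entirely for
# the sandbox, and that is far cheaper to catch here than at first boot.
# NOTE(review): the rule allows chronyd and chronyc with ANY arguments as
# root. chronyd takes its config file and run-as user from the command line
# (-f, -u), and that config can name arbitrary files/directories to write, so
# this is likely a root-capable escape for the dev user. If the boot script
# always runs a fixed command line, pin it in the rule
# (e.g. `/usr/sbin/chronyd -f /etc/chrony/chrony.conf`, and `/usr/bin/chronyc ""`
# or a fixed subcommand) — confirm the exact invocation in sandbox-boot.sh first.
RUN mkdir -p /var/lib/chrony \
    && chown _chrony:_chrony /var/lib/chrony \
    && echo 'dev ALL=(root) NOPASSWD: /usr/sbin/chronyd, /usr/bin/chronyc' > /etc/sudoers.d/chrony \
    && chmod 440 /etc/sudoers.d/chrony \
    && visudo -cf /etc/sudoers.d/chrony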
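# Mark the sandbox hook scripts (top-level *.sh under /etc/sandbox) executable.
# `find … -exec … +` succeeds when nothing matches, so the previous
# `2>/dev/null || true` — which also hid genuine chmod failures — is not needed;
# a chmod that actually fails now fails the build.
RUN find /etc/sandbox -maxdepth 1 -type f -name '*.sh' -exec chmod +x '{}' +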
# The sandbox agent binary is taken from a separately built image.
# NOTE(review): `:latest` means the agent baked into dev-base is whatever that
# tag resolved to on the build host at build time — neither reproducible nor
# auditable afterwards. Pin the agent image by digest
# (`atelier/sandbox-agent@sha256:…`) or a versioned tag once there is a release
# process. If builds are BuildKit-only, `COPY --chmod=0755` would fold the
# chmod below into the copy layer.
COPY --from=atelier/sandbox-agent:latest /sandbox-agent /usr/local/bin/sandbox-agent
RUN chmod +x /usr/local/bin/sandbox-agent

# Kata CLH cannot mount a block volume over a populated directory, so
# /home/dev must be empty in the final image. Park the populated home at
# /home/skel (ownership travels with the rename) — sandbox-boot.sh copies it
# back on first PVC boot — and leave an empty, dev-owned /home/dev behind as
# the mount point (0755, the same mode mkdir gave it under the default umask).
RUN mv /home/dev /home/skel \
    && install -d -o dev -g dev -m 0755 /home/dev

# Default process identity is the unprivileged dev user; nothing in this file
# starts sshd, chronyd or the VNC server, so presumably whatever supervises the
# sandbox (sandbox-agent / sandbox-boot.sh) does, using the chrony sudo rule
# above where root is needed. The shell is only a placeholder CMD, in exec
# form so it runs as PID 1 and receives signals directly.
USER dev
CMD ["/bin/bash"]
