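# syntax=docker/dockerfile:1
# Pinned frontend: the file relies on BuildKit-only features (COPY --chmod).

# Base image for the runtime stage; override with --build-arg DEBIAN_IMAGE=...
ARG DEBIAN_IMAGE=debian:bookworm-slim

# Build stage: compile nsjail from a pinned upstream commit. Only the resulting
# /nsjail/nsjail binary is copied into the runtime stage; the toolchain stays here.
# NOTE(review): this stage does not use DEBIAN_IMAGE - the package versions
# pinned below are bookworm-specific. If DEBIAN_IMAGE is overridden with a
# different release, confirm the nsjail binary built here is ABI-compatible
# with that base.
FROM debian:bookworm-slim AS nsjail

WORKDIR /nsjail

# Build toolchain and nsjail's build dependencies, pinned to the bookworm package
# series so the build is reproducible.
RUN apt-get -y update \
    && apt-get install -y \
    bison=2:3.8.* \
    flex=2.6.* \
    g++=4:12.2.* \
    gcc=4:12.2.* \
    git=1:2.39.* \
    libprotobuf-dev=3.21.* \
    libnl-route-3-dev=3.7.* \
    make=4.3-4.1 \
    pkg-config=1.8.* \
    protobuf-compiler=3.21.*

# Clone master but check out an explicit commit so the build cannot drift when
# upstream moves. (No --depth: the pinned commit need not be the branch tip.)
RUN git clone -b master --single-branch https://github.com/google/nsjail.git . \
    && git checkout dccf911fd2659e7b08ce9507c25b2b38ec2c5800
RUN make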

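# Runtime stage: Debian base plus the runtimes and CLIs the worker needs.
FROM ${DEBIAN_IMAGE}

ARG APP=/usr/src/app
ARG LATEST_STABLE_PY=3.11.10

# UV configuration. The cache and the managed Python runtime live under
# /tmp/windmill/cache, which is made world-writable below so the container can
# run under an arbitrary UID. $PATH expands to the base image's PATH.
ENV UV_CACHE_DIR=/tmp/windmill/cache/uv \
    UV_PYTHON_INSTALL_DIR=/tmp/windmill/cache/py_runtime \
    UV_PYTHON_PREFERENCE=only-managed \
    UV_TOOL_BIN_DIR=/usr/local/bin \
    UV_TOOL_DIR=/usr/local/uv \
    PATH=/usr/local/bin:/root/.local/bin:/tmp/.local/bin:$PATH
RUN mkdir -p /usr/local/uv

# System dependencies used by worker scripts and by the install steps below.
# Packages are not version-pinned; reproducibility rests on the base image tag.
RUN apt-get update \
    && apt-get install -y ca-certificates wget curl git jq unzip unixodbc xmlsec1 \
    && rm -rf /var/lib/apt/lists/*

ENV TZ=Etc/UTC

# Install uv (and uvx) from the pinned release image rather than piping the
# installer script through sh: the binary comes from a versioned OCI artifact,
# the same way bun and docker are brought in below.
COPY --from=ghcr.io/astral-sh/uv:0.9.24 /uv /uvx /usr/local/bin/

# Install the managed Python runtime straight into UV_PYTHON_INSTALL_DIR and
# open up permissions in the same layer. Installing to a scratch directory and
# copying afterwards would leave a second copy of the runtime in an earlier
# layer that a later rm cannot remove from the image.
# NOTE(review): a+rw makes the interpreter and stdlib writable by any UID in the
# container for its lifetime; this is the trade-off of arbitrary-UID support.
RUN uv python install ${LATEST_STABLE_PY} \
    && chmod -R a+rw /tmp/windmill/cache \
    && mkdir -p -m 777 /tmp/windmill/cache/uv

# bun binary from its pinned release image.
COPY --from=oven/bun:1.3.10 /usr/local/bin/bun /usr/bin/bun

# Install the windmill CLI. `bun install` expects a `node` on PATH, hence the
# symlink. windmill-cli is not version-pinned, so rebuilds may pick up a newer CLI.
RUN ln -s /usr/bin/bun /usr/bin/node \
    && bun install -g windmill-cli \
    && ln -s "$(bun pm bin -g)/wmill" /usr/bin/wmill

# Claude Code CLI (used by claude sandbox scripts). Copied to /usr/bin/claude so
# it is reachable inside the nsjail sandbox, which mounts /usr but not /root.
# NOTE(review): the install script is fetched unpinned (no version, no checksum),
# so this layer is not reproducible; the glob copy also assumes exactly one
# installed version - cp fails with "target is not a directory" if there are more.
RUN curl -fsSL https://claude.ai/install.sh | bash \
    && cp /root/.local/share/claude/versions/* /usr/bin/claude

# docker CLI, so a worker can drive a docker daemon when that feature is enabled
# (only the client binary is copied; no daemon ships in this image).
COPY --from=docker:29-dind /usr/local/bin/docker /usr/local/bin/

# nsjail runtime libraries and the binary built in the nsjail stage. The -dev
# packages are presumably kept for their release-independent names (they depend
# on the runtime libs); --no-install-recommends keeps unrelated packages out.
RUN apt-get update \
    && apt-get install -y --no-install-recommends libprotobuf-dev libnl-route-3-dev \
    && apt-get clean && rm -rf /var/lib/apt/lists/*
COPY --from=nsjail /nsjail/nsjail /bin/nsjail

WORKDIR ${APP}

# Windmill binary, taken from the EE image.
# NOTE(review): `:dev` is a moving tag, so the binary is not pinned to a release;
# pin by digest if reproducible builds are required.
COPY --from=ghcr.io/windmill-labs/windmill-ee:dev --chmod=755  ${APP}/windmill ${APP}/windmill

RUN ln -s ${APP}/windmill /usr/local/bin/windmill

# Warm the hub cache from the frontend's hubPaths.json, then drop the file from
# the filesystem in the same layer (the COPY layer still holds it in history).
COPY ./frontend/src/lib/hubPaths.json ${APP}/hubPaths.json
RUN windmill cache ${APP}/hubPaths.json \
    && rm ${APP}/hubPaths.json

RUN windmill cache-rt

# Create scratch directories and make them, ${APP} and /tmp/windmill
# world-accessible so the container works under an arbitrary UID.
# NOTE(review): ${APP} becomes world-writable without a sticky bit, so any UID in
# the container can rename or replace entries in it, including the windmill
# binary that /usr/local/bin/windmill points to; this is the cost of the
# arbitrary-UID design here.
RUN mkdir -p -m 777 /tmp/windmill/logs /tmp/windmill/search /tmp/.cache \
    && chmod 777 /tmp/.cache \
    && find ${APP} /tmp/windmill -type d -exec chmod 777 {} +

EXPOSE 8000

# No USER is set: the container runs as root unless the runtime supplies a UID
# (docker run --user / pod securityContext.runAsUser), which the permission
# setup above is designed to allow.
CMD ["windmill"]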
