# --- build ---
FROM oven/bun:1.3 AS build
WORKDIR /app
# Install deps first (vendored @kuns/zitadel-auth must be present for the file: dependency).
COPY package.json bun.lock* ./
COPY vendor ./vendor
RUN bun install --frozen-lockfile
COPY . .
# Public (non-secret) OIDC config is baked into the client bundle at build time.
# Override with --build-arg if the Zitadel app/project ids change.
ARG NUXT_PUBLIC_ZITADEL_ISSUER=https://auth.kuns.dev
ARG NUXT_PUBLIC_ZITADEL_CLIENT_ID=376787352019861775
ARG NUXT_PUBLIC_ZITADEL_PROJECT_ID=376787351902355727
ENV NUXT_PUBLIC_ZITADEL_ISSUER=$NUXT_PUBLIC_ZITADEL_ISSUER \
    NUXT_PUBLIC_ZITADEL_CLIENT_ID=$NUXT_PUBLIC_ZITADEL_CLIENT_ID \
    NUXT_PUBLIC_ZITADEL_PROJECT_ID=$NUXT_PUBLIC_ZITADEL_PROJECT_ID
RUN bun run build

# --- run ---
# Nitro's node-server output is traced for Node's export conditions, so run it on Node
# (not Bun, whose `bun` export condition resolves to files Nitro didn't copy).
FROM node:22-slim AS run
WORKDIR /app
ENV NODE_ENV=production
ENV PORT=3000
# The Nitro output bundles everything it needs (incl. postgres + jose + the migrate plugin).
COPY --from=build /app/.output ./.output
EXPOSE 3000
CMD ["node", "./.output/server/index.mjs"]