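# Production nginx (HTTP/3 build) image with Certbot for Let's Encrypt.

# Base image reference. The default keeps the previous behaviour (an untagged
# FROM resolves to :latest), which is not reproducible and trusts whatever is
# published under that tag at build time. Pin a reviewed tag or digest, e.g.
#   docker build --build-arg NGINX_HTTP3_IMAGE=macbre/nginx-http3@sha256:<digest> .
ARG NGINX_HTTP3_IMAGE=macbre/nginx-http3:latest
FROM ${NGINX_HTTP3_IMAGE}

# Root is needed for the package install and ownership changes below.
# NOTE(review): no later USER instruction drops privileges, so the entrypoint
# starts as root; su-exec is installed, presumably so the entrypoint script can
# step down to the nginx user - confirm against docker-entrypoint-production.sh.
USER root

# Install Certbot and the helpers used by the entry scripts.
# NOTE(review): package versions are unpinned; netcat-openbsd is a general
# network tool - keep it only if an entry script actually needs it.
RUN apk add --no-cache \
        bash \
        certbot \
        certbot-nginx \
        netcat-openbsd \
        openssl \
        su-exec

# Remove the default site, create the runtime directories, and set their mode
# and ownership in a single layer. Ownership is applied here, before the COPY
# steps, so that no later recursive chown has to rewrite copied files.
# NOTE(review): /etc/letsencrypt and /var/lib/letsencrypt become owned by the
# nginx account, so that account can read and replace certificate private keys;
# confirm this is required by how certbot is invoked.
# NOTE(review): /dev inside a build step is not part of the image, so the chmod
# on /dev/stdout and /dev/stderr likely has no effect at runtime; it is kept to
# preserve the original build behaviour.
RUN (rm -f /etc/nginx/conf.d/default.conf || true) \
    && mkdir -p \
        /var/cache/nginx \
        /var/log/nginx \
        /var/www/ssl \
        /var/www/certbot \
        /var/www/html/public/.well-known/acme-challenge \
        /etc/letsencrypt \
        /var/lib/letsencrypt \
    && chmod 755 /var/cache/nginx /var/log/nginx /var/www/ssl /var/www/certbot \
    && chmod a+rw /dev/stdout /dev/stderr \
    && chown -R nginx:nginx \
        /var/cache/nginx \
        /var/log/nginx \
        /var/www/ssl \
        /var/www/certbot \
        /etc/letsencrypt \
        /var/lib/letsencrypt

# Copy configurations.
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./default.production.conf /etc/nginx/conf.d/default.conf

# NOTE(review): everything under ./ssl/ is stored in an image layer. If that
# directory holds private keys, anyone who can pull the image can extract them;
# prefer mounting key material at runtime (volume or orchestrator secret) and
# make sure .dockerignore keeps unintended files out of the build context.
COPY --chown=nginx:nginx ./ssl/ /var/www/ssl/

# Copy entry scripts and make them executable.
COPY ./docker-entrypoint-production.sh /usr/local/bin/docker-entrypoint.sh
COPY ./certbot-renew.sh /usr/local/bin/certbot-renew.sh
RUN chmod +x /usr/local/bin/docker-entrypoint.sh /usr/local/bin/certbot-renew.sh

# EXPOSE is documentation only and defaults to TCP.
# NOTE(review): HTTP/3 runs over UDP; if the nginx config enables QUIC, also
# declare and publish 443/udp.
EXPOSE 80 443

ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
CMD ["nginx", "-g", "daemon off;"]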