ARG BASE_IMAGE=nginxproxymanager/nginx-full:latest

#############
# Certbot Builder
#############

FROM debian:trixie-slim AS certbotbuilder

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN apt-get update
RUN apt-get install -y \
	build-essential \
	ca-certificates \
	curl \
	libaugeas0 \
	libffi-dev \
	libssl-dev \
	openssl \
	pkg-config \
	python3 \
	python3-dev \
	python3-venv

ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

# Yes, python compilation requires rust.
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
ENV PATH="/root/.cargo/bin:$PATH"

# It's all about pip now.
RUN python3 -m venv /opt/certbot/
ENV PATH="/opt/certbot/bin:$PATH"

RUN curl -L 'https://bootstrap.pypa.io/get-pip.py' | python3

RUN pip install --no-cache-dir --upgrade pyopenssl \
	&& pip install --no-cache-dir cffi certbot cryptography \
	&& pip install tldextract zope pip-system-certs

#############
# Final Image
#############
FROM $BASE_IMAGE AS final
ARG BASE_IMAGE
ARG TARGETPLATFORM

LABEL maintainer="Jamie Curnow <jc@jc21.com>"

RUN echo "Certbot: $BASE_IMAGE, ${TARGETPLATFORM:-linux/amd64}" >> /built-for-arch

# OpenResty uses LuaJIT which has a dependency on GCC
RUN apt-get update \
	&& apt-get install -y --no-install-recommends \
	python3 \
	python3-venv \
	&& apt-get clean \
	&& rm -rf /var/lib/apt/lists/*

COPY ./files/.bashrc.certbot /root/.bashrc

# Copy certbot
COPY --from=certbotbuilder /opt/certbot /opt/certbot

ENV PATH="/opt/certbot/bin:$PATH"

RUN python3 -m venv /opt/certbot/ \
	&& curl -L 'https://bootstrap.pypa.io/get-pip.py' | /opt/certbot/bin/python3 \
	&& sed -i 's/include-system-site-packages = false/include-system-site-packages = true/g' -i /opt/certbot/pyvenv.cfg \
	&& ln -s /opt/certbot/bin/certbot /usr/bin/certbot

LABEL org.label-schema.cmd="docker run --rm -ti nginxproxymanager/nginx-full:certbot"