ARG DEBIAN_HASH=b91baba9c2cae5edbe3b0ff50ae8f05157e3ae6f018372dcfc3aba224acb392b
ARG BUILD_ENV=pin

FROM debian@sha256:${DEBIAN_HASH} AS build_base

FROM build_base AS build_pin
ARG DEBIAN_RELEASE=bookworm
ARG REQUIRED_PACKAGES="git ruby ruby-dev ruby-bundler media-types"
ONBUILD RUN \
    export date=$(date +"%Y%m%dT000000Z") \
    && export url=http://snapshot.debian.org/archive/debian \
    && export rel=${DEBIAN_RELEASE} \
    && echo "deb [trusted=yes] ${url}/${date} ${rel} main" \
        > apt-sources.list \
    && echo "deb [trusted=yes] ${url}-security/${date} ${rel}-security main" \
        > apt-sources.list \
    && echo "deb [trusted=yes] ${url}/${date} ${rel}-updates main" \
        > apt-sources.list
ONBUILD RUN \
    apt-get update \
    && apt-get install \
	    -y \
	    --download-only \
	    dpkg-dev bzip2 ${REQUIRED_PACKAGES} \
    && ( cd /var/cache/apt/archives \
	    && find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \
	    | sed 's/.\///g' \
	    | LC_ALL=C sort \
    ) > apt-hashes.list \
    && echo "Pinned APT packages:" \
    && cat apt-hashes.list
ONBUILD RUN \
    for deb in /var/cache/apt/archives/*.deb; do \
	    package=$(dpkg-deb -f $deb Package); \
	    version=$(dpkg --info ${deb} | grep "^ Version: " | sed 's/^ Version: //g'); \
	    echo "${package}=${version}" >> apt-pins.list; \
    done \
    && mkdir apt-packages \
    && mv /var/cache/apt/archives/*.deb apt-packages \
    && apt-get install -y bzip2 dpkg-dev \
    && dpkg-scanpackages apt-packages | bzip2 > apt-packages/Packages.bz2

FROM build_base AS build_fetch
ONBUILD COPY apt-hashes.list .
ONBUILD COPY apt-sources.list .
ONBUILD COPY apt-pins.list .
ONBUILD RUN \
    rm -f /etc/apt/sources.list.d/* \
    && mv apt-sources.list /etc/apt/sources.list \
    && apt update -o Acquire::Check-Valid-Until=false \
    && apt-get install \
        --download-only \
        --allow-downgrades \
        -o Acquire::Check-Valid-Until=false \
        -y $(cat apt-pins.list) \
    && cd /var/cache/apt/archives \
    		&& find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \
    		| sed 's/.\///g' \
    		| LC_ALL=C sort \
    ) > apt-hashes-compare.list \
    && diff apt-hashes.list apt-hashes-compare.list \
    && mkdir apt-packages \
    && mv /var/cache/apt/archives/*.deb apt-packages \
    && dpkg-scanpackages apt-packages | bzip2 > apt-packages/Packages.bz2

FROM build_base AS build_reproduce
ONBUILD COPY apt-hashes.list .
ONBUILD COPY apt-sources.list .
ONBUILD COPY apt-pins.list .
ONBUILD COPY apt-packages .

FROM build_${BUILD_ENV} as build
RUN \
    rm -f /etc/apt/sources.list.d/* \
    && echo "deb [trusted=yes] file:///. apt-packages/" > /etc/apt/sources.list \
    && apt update -o Acquire::Check-Valid-Until=false \
    && apt-get install \
        --allow-downgrades \
        -y $(cat apt-pins.list)

FROM build as build-httpd
ARG BUSYBOX_REPO=https://git.busybox.net/busybox
ARG BUSYBOX_HASH=1a64f6a20aaf6ea4dbba68bbfa8cc1ab7e5c57c4 # 1.36.1
RUN \
    git clone https://git.busybox.net/busybox \
    && git -C busybox checkout ${BUSYBOX_HASH} \
    && git -C busybox rev-parse --verify HEAD | grep -q ${BUSYBOX_HASH} || { \
        echo 'Error: Git ref/branch collision.'; exit 1; \
    }
COPY config/busybox.config busybox/.config
RUN \
    echo "building busybox httpd" \
    && cd busybox \
    && make \
    && bash make_single_applets.sh \
    && mv busybox_HTTPD ../httpd

FROM build as build-site
RUN mkdir build
WORKDIR build
COPY . .
RUN bundle install
RUN jekyll build

FROM build as build-rootfs
RUN mkdir -p rootfs/etc \
    && echo "nogroup:*:100:nobody" > rootfs/etc/group \
    && echo "nobody:*:100:100:::" > rootfs/etc/passwd

FROM scratch
COPY --from=build-rootfs --chown=100:100 rootfs /
COPY --from=build-site build/_site static
COPY --from=build-httpd httpd .
USER 100:100
EXPOSE 8080
WORKDIR static
ENTRYPOINT ["/httpd"]
CMD ["-f","-v"]