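# Web image for Pixelfed: nginx + PHP-FPM in one container, supervised by supervisord.
# NOTE(review): pixelfed-base carries no tag or digest and is presumably built
# locally or in an earlier stage. If it is ever pulled from a registry, pin it.
FROM pixelfed-base AS pixelfed-web

# Install Nginx and supervisor for the web container
RUN apk add --no-cache nginx supervisor

# Configure PHP-FPM for web workload: the pool runs as the unprivileged pixelfed
# user, and FastCGI connections are accepted from loopback only.
# NOTE(review): "listen = 9000" binds every interface and relies solely on
# listen.allowed_clients to reject remote peers. If nginx reaches PHP-FPM over
# loopback, keeping the 127.0.0.1 bind would avoid exposing the port at all.
# Confirm against nginx.conf.
RUN sed -i \
        -e 's/user = www-data/user = pixelfed/' \
        -e 's/group = www-data/group = pixelfed/' \
        -e 's/listen = 127.0.0.1:9000/listen = 9000/' \
        -e 's/;listen.allowed_clients = 127.0.0.1/listen.allowed_clients = 127.0.0.1/' \
        /usr/local/etc/php-fpm.d/www.conf

# Web-specific PHP configuration for better performance.
# pm.max_requests recycles each worker after 500 requests.
RUN printf '%s\n' \
        "pm = dynamic" \
        "pm.max_children = 50" \
        "pm.start_servers = 5" \
        "pm.min_spare_servers = 5" \
        "pm.max_spare_servers = 35" \
        "pm.max_requests = 500" \
        >> /usr/local/etc/php-fpm.d/www.conf

# Copy web-specific configuration files
COPY nginx.conf /etc/nginx/nginx.conf
COPY supervisord-web.conf /etc/supervisor/conf.d/supervisord.conf
COPY entrypoint-web.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Create nginx directories and set permissions
RUN mkdir -p /var/log/nginx /var/log/supervisor \
    && chown -R nginx:nginx /var/log/nginx

# Create SSL directories for cert-manager mounted certificates.
# Only the private-key directory is handed to nginx. /etc/ssl/certs holds the
# system CA trust store and stays root-owned, so a compromised nginx worker
# cannot rewrite the trust anchors used for outbound TLS from this container.
RUN mkdir -p /etc/ssl/certs /etc/ssl/private \
    && chown -R nginx:nginx /etc/ssl/private

# Health check optimized for web container (check both HTTP and HTTPS).
# -k is limited to this loopback probe, where the served certificate is not
# expected to match "localhost". It must not be copied to any outbound request.
# "|| exit 1" collapses curl's exit codes to the single failure status Docker expects.
# NOTE(review): assumes curl is provided by pixelfed-base; confirm.
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
    CMD curl -fsS -o /dev/null http://localhost:80/api/v1/instance \
        || curl -kfsS -o /dev/null https://localhost:443/api/v1/instance \
        || exit 1

# Expose HTTP and HTTPS ports
EXPOSE 80 443

# Run as root to manage nginx and php-fpm.
# supervisord and the nginx/php-fpm master processes therefore start as root.
# PHP-FPM workers drop to pixelfed (configured above); the nginx worker user
# depends on nginx.conf, which is not visible here.
# NOTE(review): confirm entrypoint-web.sh ends with `exec "$@"` so supervisord
# becomes PID 1 and receives stop signals.
USER root

ENTRYPOINT ["/entrypoint.sh"]
CMD ["supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]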