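# Build stage
# Node 22 LTS (Node 20 EOL April 2026; Vite 8 requires Node ^20.19 || >=22.12)
FROM node:22-alpine AS build
WORKDIR /app
# Copy only the manifests first so the dependency layer stays cached until they change.
# The lockfile is copied without a glob: npm ci refuses to run without a lockfile,
# so a missing one should fail here at COPY rather than later inside npm ci.
COPY package.json package-lock.json ./
# FE-L4: npm ci instead of npm install — reproducible build strictly from the lockfile
# (npm install can mutate the lockfile and resolve different versions).
RUN npm ci
# NOTE(review): this copies the whole build context; confirm a .dockerignore keeps
# node_modules, .git and local .env files out of it.
COPY . .
RUN npm run build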

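# Production stage
# NOTE(review): nginx:alpine is a floating tag, so a rebuild can silently pick up a
# different nginx/Alpine release; consider pinning a specific version tag or digest.
FROM nginx:alpine
COPY --from=build /app/dist /usr/share/nginx/html
COPY nginx.conf /etc/nginx/conf.d/default.conf

# Run nginx as non-root (defense in depth, N-006).
# - Move the listen port from 80 to 8080 (privileged ports < 1024 need root).
#   The sed only matches the plain "listen 80;" form; any other listen directive
#   in nginx.conf is left untouched.
# - Hand only the paths nginx needs write access to (cache, logs, pid file) to the
#   nginx user. Site content and configuration stay root-owned and are made
#   world-readable, so the unprivileged server process can read but not modify them.
#   If something must write to those paths at runtime, chown that path explicitly.
RUN sed -i 's/listen\s*80;/listen 8080;/' /etc/nginx/conf.d/default.conf \
 && chmod -R a+rX /etc/nginx/conf.d /usr/share/nginx/html \
 && chown -R nginx:nginx /var/cache/nginx /var/log/nginx \
 && touch /var/run/nginx.pid \
 && chown nginx:nginx /var/run/nginx.pid

USER nginx
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]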
