# ubuntu 20.04 image from 2022-10-19
FROM ubuntu@sha256:450e066588f42ebe1551f3b1a535034b6aa46cd936fe7f2c6b0d72997ec61dbd

RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install tzdata && \
    apt-get install -y paxctl apache2-dev coreutils \
                       python3-pip python3-all python3-venv virtualenv libpython3.8-dev libssl-dev \
                       gnupg2 redis-server git jq \
                       enchant libffi-dev sqlite3 gettext sudo \
                       libasound2 libdbus-glib-1-2 libgtk2.0-0 libfontconfig1 libxrender1 \
                       libcairo-gobject2 libgtk-3-0 libstartup-notification0 basez pkg-config

# Install Rust using the same steps as <https://github.com/rust-lang/docker-rust>
# 1) Download rustup-init and verify it matches hardcoded checksum
# 2) Run it to install rustup and the rustc/cargo "minimal" toolchain
# 3) Add `/opt/cargo/bin` to $PATH, which is where cargo & rustc are installed
ENV RUST_VERSION 1.84.1
ENV RUSTUP_VERSION 1.27.1
ENV RUSTUP_INIT_SHA256 6aeece6993e902708983b209d04c0d1dbb14ebb405ddb87def578d41f920f56d
ENV RUSTUP_HOME /opt/rustup
ENV CARGO_HOME /opt/cargo

RUN TMPDIR=`mktemp -d` && cd ${TMPDIR} \
        && curl --proto '=https' --tlsv1.2 -OO -sSf https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/x86_64-unknown-linux-gnu/rustup-init \
        && echo "${RUSTUP_INIT_SHA256} *rustup-init" | sha256sum -c - \
        && chmod +x rustup-init \
        && ./rustup-init --default-toolchain=${RUST_VERSION} --profile minimal -y \
        && cd && rm -rf ${TMPDIR}

COPY . /opt/securedrop
RUN python3 -m venv /opt/venvs/securedrop-app-code && \
    /opt/venvs/securedrop-app-code/bin/pip3 install --no-deps --require-hashes -r /opt/securedrop/securedrop/requirements/python3/bootstrap-requirements.txt && \
    /opt/venvs/securedrop-app-code/bin/pip3 install --no-deps --require-hashes -r /opt/securedrop/securedrop/requirements/python3/requirements.txt
RUN PATH="$PATH:/opt/cargo/bin/" \
    python3 "/opt/securedrop/redwood/build-wheel.py" \
        --release \
        --redwood "/opt/securedrop/redwood" \
        --target "/opt/securedrop/redwood/target/" \
    && /opt/venvs/securedrop-app-code/bin/pip install /opt/securedrop/redwood/redwood-*.whl

RUN sed -i 's/"localhost"\];/"localhost", "demo-source.securedrop.org"];/' /opt/securedrop/securedrop/static/js/source.js

RUN useradd --no-create-home --home-dir /tmp --uid 1000 demo && echo "demo ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
    chown -R demo:demo /opt/securedrop /opt/venvs/

STOPSIGNAL SIGKILL

EXPOSE 8080 8081

ENV REPOROOT=/opt/securedrop
ENV SKIP_REDWOOD_BUILD=1

USER demo
WORKDIR /opt/securedrop/securedrop
ENTRYPOINT [ "/opt/securedrop/securedrop/bin/run" ]
