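# Multi-stage Alpine-based PHP 7.4 FPM image optimized for WordPress.
#
# Stage "build" compiles the PHP extensions; stage "runtime" starts from the
# same base image, installs only the shared libraries those extensions load,
# and copies the compiled extensions and PHP configuration across.

# NOTE(review): PHP 7.4 reached upstream end of life in November 2022, so this
# base no longer receives PHP security fixes. The tag is also mutable; pin it
# by digest (php:<tag>@sha256:<digest>) if the build must be reproducible.
ARG BASE_TAG=7.4-fpm-alpine3.16

FROM php:${BASE_TAG} AS build

# Build toolchain and -dev headers are only needed in this stage; nothing from
# it reaches the runtime image except the two directories copied below.
RUN set -eux; \
    apk add --no-cache --virtual .build-deps \
        $PHPIZE_DEPS \
        autoconf \
        gcc \
        g++ \
        make \
        pkgconfig \
        bash \
        freetype-dev \
        libjpeg-turbo-dev \
        libpng-dev \
        libxml2-dev \
        zlib-dev \
        icu-dev \
        libzip-dev \
        oniguruma-dev \
        mariadb-dev \
    ; \
    docker-php-ext-configure gd --with-freetype --with-jpeg; \
    docker-php-ext-install -j"$(nproc)" \
        gd \
        mysqli \
        pdo \
        pdo_mysql \
        zip \
        exif \
        intl \
        bcmath \
        opcache \
        xml \
        mbstring \
        xmlrpc \
        soap \
        pcntl \
    ; \
    pecl channel-update pecl.php.net; \
    # NOTE(review): the redis extension version is not pinned, so rebuilds can
    # pick up a different release.
    pecl install redis && docker-php-ext-enable redis; \
    # Start from the upstream production defaults; overrides are layered on top
    # via conf.d in the runtime stage.
    cp "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"; \
    apk del .build-deps; \
    rm -rf /var/cache/apk/* /tmp/*

FROM php:${BASE_TAG} AS runtime

# Runtime shared libraries for the extensions built above, plus CA roots and
# timezone data.
RUN set -eux; \
    apk add --no-cache \
        freetype \
        libjpeg-turbo \
        libpng \
        libxml2 \
        zlib \
        icu-libs \
        libzip \
        mariadb-client \
        openssl \
        ca-certificates \
        tzdata \
    ; \
    # Still best-effort, but a failed trust-store refresh is now visible in the
    # build log instead of being swallowed.
    update-ca-certificates || echo 'WARNING: update-ca-certificates failed' >&2

# Copy built PHP and extensions from the build stage
COPY --from=build /usr/local/lib/php /usr/local/lib/php
COPY --from=build /usr/local/etc/php /usr/local/etc/php

# Create a non-root application user and prepare webroot directory.
# Creation is skipped only when the account already exists; any other failure
# aborts the build rather than leaving the directories owned by root.
RUN set -eux; \
    grep -q '^app:' /etc/group || addgroup -g 1000 app; \
    grep -q '^app:' /etc/passwd || adduser -D -u 1000 -G app app; \
    mkdir -p /var/www/html; \
    chown -R app:app /var/www/html; \
    mkdir -p /var/run/php /run/php /var/log/php; \
    chown -R app:app /var/run/php /run/php /var/log/php

# Minimal security / production tuning for opcache and PHP.
# The zz- prefix makes these files sort last in conf.d.
RUN set -eux; \
    { \
        echo 'opcache.enable=1'; \
        echo 'opcache.memory_consumption=128'; \
        echo 'opcache.interned_strings_buffer=8'; \
        echo 'opcache.max_accelerated_files=10000'; \
        echo 'opcache.revalidate_freq=2'; \
        echo 'opcache.fast_shutdown=1'; \
        echo 'opcache.enable_file_override=0'; \
    } > /usr/local/etc/php/conf.d/zz-opcache.ini; \
    { \
        echo 'expose_php = Off'; \
        echo 'display_errors = Off'; \
        echo 'log_errors = On'; \
        echo 'error_log = /proc/self/fd/2'; \
    } > /usr/local/etc/php/conf.d/zz-hardening.ini

EXPOSE 9000

# Exec form with an exact process-name match. The previous shell-form
# `pgrep -f "php-fpm"` was wrapped in `/bin/sh -c`, whose own command line
# contains "php-fpm", so the probe could report healthy with no FPM running.
# This only proves the process exists, not that it is answering FastCGI.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD ["pgrep", "-x", "php-fpm"]

WORKDIR /var/www/html

# Copy pool configuration and entrypoint from shared path in repo root.
# Both stay root-owned so the application user cannot rewrite them.
COPY --chown=root:root shared/php-fpm/www.conf /usr/local/etc/php-fpm.d/www.conf
COPY --chown=root:root shared/php-fpm/entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod 755 /usr/local/bin/entrypoint.sh

ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

# NOTE(review): the container still starts as root even though an unprivileged
# "app" user is created above. Whether the FPM workers drop privileges depends
# on the user/group settings in www.conf and on what entrypoint.sh does;
# neither file is visible here. Confirm the pool runs as "app", or switch to
# `USER app` once the entrypoint is known not to need root.
USER root

CMD ["php-fpm"]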