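# Multi-stage build for CrowdSec linked against ONNX Runtime and the
# daulet/tokenizers static library.
#   rust_build             -> compiles libtokenizers.a
#   build                  -> builds re2, fetches ONNX Runtime, builds crowdsec/cscli,
#                             runs the wizard and installs hub content
#   slim                   -> Debian runtime image with binaries and staged configuration
#   plugins / geoip / full -> slim plus notification plugins and/or /var/lib/crowdsec
#
# NOTE(review): three build inputs are fetched from the network at build time
# (tokenizers git clone, re2 tarball, ONNX Runtime tarball). The optional
# TOKENIZERS_REF, RE2_SHA256 and ONNXRUNTIME_SHA256 build args below let a
# release build pin and verify them; when left empty the build behaves as
# before and nothing is verified.

FROM rust:1.70.0-bullseye AS rust_build

# Optional commit or tag of daulet/tokenizers to build. Empty means "whatever
# the default branch holds at build time", which is not reproducible.
ARG TOKENIZERS_REF=""

WORKDIR /

RUN apt-get update && \
    apt-get install -y -q \
        build-essential \
        curl \
        git \
        make

RUN git clone https://github.com/daulet/tokenizers.git /tokenizer && \
    cd /tokenizer && \
    if [ -n "${TOKENIZERS_REF}" ]; then git checkout "${TOKENIZERS_REF}"; fi && \
    cargo build --release && \
    cp target/release/libtokenizers.a /tokenizer/libtokenizers.a

FROM docker.io/golang:1.24-bookworm AS build

ARG BUILD_VERSION
ARG ONNXRUNTIME_VERSION=1.18.1
# Architecture component of the ONNX Runtime release asset name. The default
# keeps the previously hard-coded value; upstream also publishes "x64".
ARG ONNXRUNTIME_ARCH=aarch64
# Optional SHA-256 digests of the downloaded archives. When set, the build
# fails if the download does not match; when empty, no check is made.
ARG ONNXRUNTIME_SHA256=""
ARG RE2_SHA256=""

WORKDIR /go/src/crowdsec

ENV DEBIAN_FRONTEND=noninteractive
ENV DEBCONF_NOWARNINGS="yes"

# We like to choose the release of re2 to use, the debian version is usually older.
ENV RE2_VERSION=2023-03-01
ENV BUILD_VERSION=${BUILD_VERSION}

# wizard.sh requires GNU coreutils
RUN apt-get update && \
    apt-get install -y -q git gcc libc-dev make bash gettext binutils-gold coreutils tzdata && \
    wget https://github.com/google/re2/archive/refs/tags/${RE2_VERSION}.tar.gz && \
    if [ -n "${RE2_SHA256}" ]; then echo "${RE2_SHA256}  ${RE2_VERSION}.tar.gz" | sha256sum -c -; fi && \
    tar -xzf ${RE2_VERSION}.tar.gz && \
    cd re2-${RE2_VERSION} && \
    make && \
    make install && \
    echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" > /etc/machine-id && \
    go install github.com/mikefarah/yq/v4@v4.44.3

# The whole build context is copied into this stage.
# NOTE(review): no .dockerignore is visible here - confirm one excludes .git,
# local credentials and build output so they cannot end up in build layers.
COPY . .
COPY --from=rust_build /tokenizer/libtokenizers.a /usr/local/lib/

# INSTALL ONNXRUNTIME
RUN cd /tmp && \
    wget -O onnxruntime.tgz https://github.com/microsoft/onnxruntime/releases/download/v${ONNXRUNTIME_VERSION}/onnxruntime-linux-${ONNXRUNTIME_ARCH}-${ONNXRUNTIME_VERSION}.tgz && \
    if [ -n "${ONNXRUNTIME_SHA256}" ]; then echo "${ONNXRUNTIME_SHA256}  onnxruntime.tgz" | sha256sum -c -; fi && \
    tar -C /tmp -xvf onnxruntime.tgz && \
    mv onnxruntime-linux-${ONNXRUNTIME_ARCH}-${ONNXRUNTIME_VERSION} onnxruntime && \
    rm -rf onnxruntime.tgz && \
    cp -R onnxruntime/lib/libonnxruntime.so.${ONNXRUNTIME_VERSION} /usr/local/lib && \
    cp onnxruntime/include/*.h /usr/local/include && \
    rm -rf onnxruntime

RUN ln -s /usr/local/lib/libonnxruntime.so.${ONNXRUNTIME_VERSION} /usr/local/lib/libonnxruntime.so

# Diagnostic listings of what was installed, kept from the original build.
RUN ls -la /usr/local/include
RUN ls -la /usr/local/lib
RUN ldconfig

# Test if linking works with a simple program.
# NOTE(review): the source page shows an empty `#include ` here, which gcc
# rejects; the header name was presumably lost in rendering. onnxruntime_c_api.h
# is the C API header shipped in the ONNX Runtime archive - confirm against the
# upstream Dockerfile.
RUN echo "#include <onnxruntime_c_api.h>" > test.c && \
    echo "int main() { return 0; }" >> test.c && \
    gcc test.c -L/usr/local/lib -lonnxruntime -o test_executable && ./test_executable

RUN make clean release DOCKER_BUILD=1 BUILD_STATIC=0 \
        CGO_CFLAGS="-D_LARGEFILE64_SOURCE -I/usr/local/include" \
        CGO_CPPFLAGS="-I/usr/local/include" \
        CGO_LDFLAGS="-L/usr/local/lib -lstdc++ -lonnxruntime /usr/local/lib/libtokenizers.a -ldl -lm" \
        LIBRARY_PATH="/usr/local/lib" \
        LD_LIBRARY_PATH="/usr/local/lib" && \
    cd crowdsec-v* && \
    ./wizard.sh --docker-mode && \
    cd - >/dev/null && \
    cscli hub update --with-content && \
    cscli collections install crowdsecurity/linux && \
    cscli parsers install crowdsecurity/whitelists

# In case we need to remove agents here..
# cscli machines list -o json | yq '.[].machineId' | xargs -r cscli machines delete

FROM docker.io/debian:bookworm-slim AS slim

ARG ONNXRUNTIME_VERSION=1.18.1

ENV DEBIAN_FRONTEND=noninteractive
ENV DEBCONF_NOWARNINGS="yes"

# The apt lists are removed in the same layer so they do not ship in the
# runtime image; no later instruction in this file uses apt.
RUN apt-get update && \
    apt-get install -y -q --install-recommends --no-install-suggests \
        procps \
        systemd \
        iproute2 \
        ca-certificates \
        bash \
        tzdata \
        rsync && \
    rm -rf /var/lib/apt/lists/* && \
    mkdir -p /staging/etc/crowdsec && \
    mkdir -p /staging/etc/crowdsec/acquis.d && \
    mkdir -p /staging/var/lib/crowdsec && \
    mkdir -p /var/lib/crowdsec/data

COPY --from=build /go/bin/yq /usr/local/bin/crowdsec /usr/local/bin/cscli /usr/local/bin/
COPY --from=build /etc/crowdsec /staging/etc/crowdsec
COPY --from=build /go/src/crowdsec/docker/docker_start.sh /
COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml

# Note Copying this since can't build statically yet
COPY --from=build /usr/local/lib/libonnxruntime.so.${ONNXRUNTIME_VERSION} /usr/lib/libonnxruntime.so.${ONNXRUNTIME_VERSION}
COPY --from=build /usr/local/lib/libtokenizers.a /usr/lib/libtokenizers.a

# The versioned library was copied to /usr/lib in this stage, so the
# unversioned link has to point there; a target under /usr/local/lib does not
# exist in this image and would leave the link dangling.
RUN ln -s /usr/lib/libonnxruntime.so.${ONNXRUNTIME_VERSION} /usr/lib/libonnxruntime.so

COPY --from=build /usr/local/lib/libre2.* /usr/lib/

RUN ls -la /usr/lib

# Writes a placeholder local API credentials file (mode 0600) pointing at
# plain-HTTP http://0.0.0.0:8080, and sets the plugin group to "nogroup".
RUN yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml && \
    yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml

# NOTE(review): no USER instruction is set in any stage, so the entrypoint runs
# as root. If that is required, document why; otherwise add a dedicated user.
# The script path is absolute so that starting the container with a different
# working directory still finds it.
ENTRYPOINT ["/bin/bash", "/docker_start.sh"]

FROM slim AS plugins

# Due to the wizard using cp -n, we have to copy the config files directly from the source as -n does not exist in busybox cp
# The files are here for reference, as users will need to mount a new version to be actually able to use notifications
COPY --from=build \
    /go/src/crowdsec/cmd/notification-email/email.yaml \
    /go/src/crowdsec/cmd/notification-http/http.yaml \
    /go/src/crowdsec/cmd/notification-slack/slack.yaml \
    /go/src/crowdsec/cmd/notification-splunk/splunk.yaml \
    /go/src/crowdsec/cmd/notification-sentinel/sentinel.yaml \
    /staging/etc/crowdsec/notifications/

COPY --from=build /usr/local/lib/crowdsec/plugins /usr/local/lib/crowdsec/plugins

FROM slim AS geoip

COPY --from=build /var/lib/crowdsec /staging/var/lib/crowdsec

FROM plugins AS full

COPY --from=build /var/lib/crowdsec /staging/var/lib/crowdsec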