# Dockerfile: Ansible & DevOps Utility Environment

# Base Image: Python slim for a minimal Python environment
FROM python:slim

# Environment variable to prevent interactive prompts during package installation
ENV DEBIAN_FRONTEND=noninteractive

# Install core system packages.
# Combined into a single RUN command to reduce Docker layers and improve build caching.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        software-properties-common \
        openssh-client \
        sshpass \
        locales \
        bash \
        git \
        curl \
        rsync \
        zsh \
        sudo \
    # nano and less are commented out for a leaner image, uncomment if interactive editing/viewing is frequently needed inside the container.
    # && apt-get install -y --no-install-recommends nano less \
    \
    # Clean up APT caches and temporary files to minimize image size
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
    && rm -Rf /usr/share/doc && rm -Rf /usr/share/man

# User Creation: Create a dedicated non-root user for security.
# Using ARGs for user details provides flexibility during build.
ARG USERNAME=ansible
ARG USER_UID=1000
ARG USER_GID=${USER_UID} # Set GID to match UID for simplicity
ENV HOME=/home/${USERNAME} # Set HOME environment variable for the new user

RUN groupadd --gid "${USER_GID}" "${USERNAME}" \
    && useradd -s /bin/bash --uid "${USER_UID}" --gid "${USER_GID}" -m "${USERNAME}" \
    # Grant passwordless sudo for the 'ansible' user. Re-evaluate if this is a security concern for your specific deployment.
    # For many CI/CD pipelines, this is acceptable.
    && echo "${USERNAME} ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/"${USERNAME}" \
    && chmod 0440 /etc/sudoers.d/"${USERNAME}"

# Python Package Installation: Install Ansible and related Python libraries.
# `--no-cache-dir` helps keep the image small.
RUN pip3 install --no-cache-dir \
    ansible \
    ara \
    hvac \
    dnspython \
    jmespath \
    "hvac[parser]" \
    certifi \
    ansible-lint \
    ansible-modules-hashivault

# Multi-Stage Builds: Copy pre-compiled binaries from official or specialized images.
# This avoids installing build dependencies and keeps the image lean.
COPY --from=hashicorp/vault /bin/vault /usr/local/bin/vault
COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
COPY --from=donaldrich/function:container /usr/local/bin/goss /usr/local/bin/goss
# Combine COPY instructions from the same source image when possible
COPY --from=donaldrich/function:task \
    /usr/local/bin/tusk /usr/local/bin/tusk \
    /usr/local/bin/task /usr/local/bin/task \
    /usr/local/bin/variant /usr/local/bin/variant
COPY --from=donaldrich/function:syntax-tools /usr/local/bin/jq /usr/local/bin/jq

# Zsh Configuration: Copy Zsh dotfiles for the 'ansible' user.
COPY --from=donaldrich/runner:zsh /zsh/ /zsh/
# Ensure correct ownership of user-specific configuration files
COPY --from=donaldrich/runner:zsh --chown=ansible:ansible /zsh/.zshrc /home/ansible/.zshrc
COPY --from=donaldrich/runner:zsh --chown=ansible:ansible /zsh/.nanorc /home/ansible/.nanorc

# Environment Variables: Configure Ansible and Goss behavior.
ENV ANSIBLE_GATHERING smart
ENV ANSIBLE_HOST_KEY_CHECKING false
ENV ANSIBLE_RETRY_FILES_ENABLED false
ENV ANSIBLE_FORCE_COLOR true
ENV GOSS_FMT documentation
ENV GOSS_COLOR true

# Optional ARA (Ansible Run Analysis) API Server configuration:
# Uncomment and configure these if you plan to use ARA for reporting results to a central server.
# ENV ANSIBLE_CALLBACK_PLUGINS="$(python3 -m ara.setup.callback_plugins)"
# ENV ARA_API_CLIENT="http"
# ENV ARA_API_SERVER="http://192.168.1.101:8734"

# Locale Configuration: Ensure proper locale settings for consistent behavior.
RUN echo "LC_ALL=en_US.UTF-8" >> /etc/environment \
    && echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen \
    && echo "LANG=en_US.UTF-8" > /etc/locale.conf \
    && locale-gen en_US.UTF-8

# Copy Local Files: Include essential configuration/testing files in the image.
# Consider if these should be volume-mounted at runtime for dynamic usage.
COPY ./tusk-docker.yml ./tusk.yml
COPY ./goss.yaml ./goss.yaml
COPY ./goss2.yaml ./goss2.yaml
# Copying the Dockerfile itself is often for introspection/auditing within the container.
COPY ./Dockerfile ./Dockerfile

# Set the default working directory inside the container.
WORKDIR ${HOME} # Start in the ansible user's home directory

# Switch to the non-root user. This is a critical security best practice.
# All subsequent commands (if any) and the default entrypoint/command will run as this user.
USER ${USERNAME}

# Final validation step: Run Goss tests during the build.
# This ensures the image's content and setup are as expected.
RUN goss validate

# Default command when the container starts.
# CMD ["zsh"] makes it easy to drop into a shell for interactive use.
# Alternatively, use CMD ["ansible-playbook"] to make it an "Ansible execution container" directly.
CMD ["zsh"]