FROM debian:trixie AS builder

ARG NGINX_VERSION="1.29.4"
ARG BORINGSSL_VERSION="0.20251124.0"

ARG CFLAGS="-I/usr/src/boringssl/include -flto -fmerge-all-constants -fno-unwind-tables -fvisibility=hidden -fuse-linker-plugin -Wimplicit -Os -s -ffunction-sections -fdata-sections -fno-ident -fno-asynchronous-unwind-tables -static -Wno-cast-function-type -Wno-implicit-function-declaration"
ARG LDFLAGS="-L/usr/src/boringssl/build -lstdc++ -L/usr/src/boringssl/build/crypto -flto -fuse-linker-plugin -static -s -Wl,--gc-sections"

WORKDIR /src

RUN apt-get update && \
    apt-get install -y cmake ninja-build build-essential pkg-config git curl golang jq zlib1g-dev libpcre2-dev

# Install BoringSSL
RUN git clone https://boringssl.googlesource.com/boringssl /usr/src/boringssl \
    && cd /usr/src/boringssl && git checkout --force --quiet "${BORINGSSL_VERSION}" \
    && mkdir -p /usr/src/boringssl/build \
    && cmake -GNinja -B/usr/src/boringssl/build -S/usr/src/boringssl -DCMAKE_BUILD_TYPE=RelWithDebInfo \
    && ninja -C /usr/src/boringssl/build

RUN git clone --depth 1 --branch "release-${NGINX_VERSION}" https://github.com/nginx/nginx.git

WORKDIR /src/nginx

RUN ./auto/configure \
    --with-cc-opt="$CFLAGS" \
    --with-ld-opt="$LDFLAGS" \
    --prefix=/usr/local/nginx \
    --sbin-path=/usr/bin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=stderr \
    --pid-path=/tmp/nginx.pid \
    --lock-path=/tmp/nginx.lock \
    --user=nobody \
    --group=nogroup \
    --with-pcre \
    --with-threads \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-file-aio \
    --with-http_v2_module \
    --with-http_v3_module \
    --with-http_ssl_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --without-http_ssi_module \
    --without-http_access_module \
    --without-http_auth_basic_module \
    --without-http_browser_module \
    --without-http_map_module \
    --without-http_mirror_module \
    --without-http_autoindex_module \
    --without-http_geo_module \
    --without-http_split_clients_module \
    --without-http_userid_module \
    --without-http_empty_gif_module \
    --without-http_referer_module \
    --without-http_fastcgi_module \
    --without-http_uwsgi_module \
    --without-http_scgi_module \
    --without-http_grpc_module \
    --without-http_memcached_module \
    --without-http_limit_conn_module \
    --without-http_limit_req_module \
    --without-http_upstream_hash_module \
    --without-http_upstream_ip_hash_module \
    --without-http_upstream_least_conn_module \
    --without-http_upstream_random_module \
    --without-http_upstream_keepalive_module \
    --without-http_upstream_zone_module

RUN make && \
    make install

FROM scratch

COPY config/group /etc/group
COPY config/passwd /etc/passwd
COPY --chmod=755 config/nginx /etc/nginx

COPY --from=builder /usr/bin/nginx /usr/bin/nginx

USER nobody

EXPOSE 8080
VOLUME [ "/tmp" ]

ENTRYPOINT [ "/usr/bin/nginx" ]
CMD [ "-g", "daemon off;" ]