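# Single-host web/dev box: nginx reverse proxy with Let's Encrypt certificates,
# fail2ban + ufw, SSH access for one admin user, and an SBCL / SLIME / Quicklisp
# Common Lisp toolchain for that user.
#
# NOTE(review): ubuntu:latest is a moving tag; pin a release tag for
# reproducible builds.
FROM ubuntu:latest

# Build-time parameters. Defaults match the values that were hard-coded before,
# so an unparameterised build produces the same image.
ARG ADMIN_EMAIL=marcus.kammer@mailbox.org
ARG GIT_NAME="Marcus Kammer"
ARG SITE_DOMAIN=u1.metaebene.dev
ARG DOCS_DOMAIN=docs.u1.metaebene.dev

# Locale and timezone (key=value is the current ENV syntax).
ENV LANG=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8 \
    TZ=Europe/Berlin

# Package installation.
# - DEBIAN_FRONTEND=noninteractive: tzdata/locales otherwise open a prompt and
#   hang the build.
# - curl, sudo, openssh-server and locales are used later in this file
#   (curl downloads, visudo, sshd_config/authorized_keys, LANG) but were never
#   installed; ubuntu:latest does not ship them.
# - locale-gen: LANG/LC_ALL above name a locale that has to exist, otherwise
#   every tool prints "setlocale" warnings.
# - removing /var/lib/apt/lists keeps the stale index out of the image layer.
RUN export DEBIAN_FRONTEND=noninteractive && \
    apt-get update && \
    apt-get install -y \
      curl sudo openssh-server locales \
      fail2ban ufw unattended-upgrades sbcl mosh tmux git mercurial \
      nginx certbot python3-certbot-nginx libev4 build-essential \
      libsqlite3-dev sqlite3 emacs-nox python3-pip python3-pandas \
      python3-matplotlib && \
    apt-get upgrade -y && \
    apt-get autoremove -y && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* && \
    locale-gen en_US.UTF-8

# Service account for nginx plus the admin user.
# useradd -G requires every listed group to exist; Ubuntu ships the `sudo`
# group, not the historical `admin` group, so the original line aborted
# the build. The sudo rule goes into its own sudoers.d drop-in (0440) and is
# syntax-checked with visudo rather than appended to /etc/sudoers, where a
# malformed line disables sudo for every user. NOPASSWD:ALL is kept as the
# author's policy choice; it means the SSH key alone is the full root credential.
RUN groupadd nginxgroup && \
    useradd -r -s /usr/sbin/nologin -g nginxgroup nginxuser && \
    useradd -m -s /bin/bash -G users,sudo marcus && \
    echo 'marcus ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/marcus && \
    chmod 0440 /etc/sudoers.d/marcus && \
    visudo -cf /etc/sudoers.d/marcus

# Admin SSH key. COPY creates /home/marcus/.ssh root-owned, which sshd's
# StrictModes rejects; the whole tree must belong to the user, the directory
# must be 700 and the key file 600.
COPY marcus-ssh-keys /home/marcus/.ssh/authorized_keys
RUN chown -R marcus:marcus /home/marcus/.ssh && \
    chmod 700 /home/marcus/.ssh && \
    chmod 600 /home/marcus/.ssh/authorized_keys

# Service configuration, taken verbatim from the build context.
COPY 20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
COPY sshd_config /etc/ssh/sshd_config
COPY jail.local /etc/fail2ban/jail.local
COPY nginx.conf /etc/nginx/nginx.conf
COPY reverse-proxy.conf /etc/nginx/sites-available/reverse-proxy.conf

# Enable the reverse-proxy site and drop the stock default site.
RUN ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/ && \
    rm /etc/nginx/sites-enabled/default

# Certificates, renewal cron entry, DH parameters, firewall and services.
# NOTE(review): certbot --nginx needs a running nginx and public DNS for the
# domains pointing at this machine; ufw and systemctl need a live init
# system and CAP_NET_ADMIN. A plain `docker build` provides none of these,
# so this step only succeeds when the image is built on the target host
# with those facilities (or the step is moved to first boot).
# curl -fsSL: without -f an HTTP error page would be written into
# ssl-dhparams.pem and silently break the TLS configuration.
# The Ubuntu certbot package also installs its own systemd renewal timer;
# the cron.d entry is kept for parity with the original.
RUN certbot certonly --nginx -d "${SITE_DOMAIN}" --non-interactive --agree-tos --email "${ADMIN_EMAIL}" --redirect && \
    certbot certonly --nginx -d "${DOCS_DOMAIN}" --non-interactive --agree-tos --email "${ADMIN_EMAIL}" --redirect && \
    echo '0 0 1 * * root certbot renew --post-hook "systemctl reload nginx" >> /var/log/letsencrypt/letsencrypt-auto-renew.log' > /etc/cron.d/letsencrypt-renew && \
    curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/letsencrypt/ssl-dhparams.pem && \
    ufw allow 'Nginx Full' && \
    ufw default deny incoming && \
    ufw default allow outgoing && \
    ufw allow 22/tcp && \
    ufw allow mosh && \
    ufw enable && \
    systemctl enable fail2ban && \
    systemctl start fail2ban && \
    systemctl restart sshd

# Git identity, SBCL sources, SLIME and Quicklisp for the admin user.
# WORKDIR makes every relative path in this step resolve inside the home
# directory; the original step ran in / while loading quicklisp.lisp from a
# relative path, so the --load could not find the file it had just fetched.
# git:// is unauthenticated cleartext; SourceForge serves the same repository
# over https, which also gives the build a verified peer.
# NOTE(review): quicklisp.lisp and the remote .sbclrc are executed as
# fetched. Quicklisp publishes a detached signature (quicklisp.lisp.asc)
# that could be verified here before loading.
USER marcus
WORKDIR /home/marcus
RUN git config --global user.email "${ADMIN_EMAIL}" && \
    git config --global user.name "${GIT_NAME}" && \
    git config --global init.defaultBranch main && \
    git clone --depth 1 --branch sbcl-2.1.11 https://git.code.sf.net/p/sbcl/sbcl /home/marcus/sbcl && \
    git clone --depth 1 --branch v2.28 https://github.com/slime/slime.git /home/marcus/slime && \
    curl -fsSL https://beta.quicklisp.org/quicklisp.lisp -o /home/marcus/quicklisp.lisp && \
    sbcl --load /home/marcus/quicklisp.lisp --non-interactive --eval '(quicklisp-quickstart:install)' --quit && \
    rm /home/marcus/quicklisp.lisp && \
    curl -fsSL https://git.sr.ht/~marcuskammer/cloudinit/blob/main/.sbclrc -o /home/marcus/.sbclrc && \
    sbcl --non-interactive --eval "(ql:quickload '(:hunchentoot :spinneret :dexador :rove :vecto :woo :clsql-sqlite3))" --quit

# Back to root for anything appended after this file.
USER root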