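# General-purpose toolbox image: Debian bookworm with CLI tooling, Node.js 20,
# yq, the OpenShift client and an sshd that runs unprivileged on port 2222,
# keeping its host keys on the persistent /data volume.
#
# NOTE(review): the base image is referenced by tag only. Pin it by digest
# (debian:bookworm-slim@sha256:<digest>) if reproducible builds are required.
FROM debian:bookworm-slim

# Avoid interactive prompts during the build only. ARG (not ENV) keeps the
# setting out of the runtime environment of the container.
ARG DEBIAN_FRONTEND=noninteractive

# Fail a RUN step when any stage of a pipeline fails. Without pipefail a failed
# download in "curl | bash" is masked and the build silently continues with
# whatever nodejs package the distribution provides.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Update and install Swiss Army Knife tools.
# NOTE(review): the NodeSource setup script is fetched and executed as root
# without an integrity check; TLS to deb.nodesource.com is the only protection.
# Consider configuring the apt repository and its signing key explicitly.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    curl \
    wget \
    git \
    jq \
    unzip \
    tar \
    vim-nox \
    nano \
    python3 \
    python3-pip \
    python3-venv \
    python3-full \
    build-essential \
    iputils-ping \
    dnsutils \
    net-tools \
    ffmpeg \
    openssh-server \
    openssh-client \
    sshpass \
    ripgrep \
    ncdu \
    sudo \
    tree \
    tmux \
    htop \
    strace \
    file \
    less \
    && curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
    && apt-get install -y nodejs \
    && rm -rf /var/lib/apt/lists/*

# Install yq (v4.x).
# YQ_SHA256 is the expected SHA-256 of the yq_linux_amd64 release asset. It is
# empty by default because no digest is recorded in this file; supply it with
# --build-arg YQ_SHA256=<sha256-of-release-asset> to make the build fail closed
# on a tampered or corrupted download.
ARG YQ_VERSION="v4.40.5"
ARG YQ_SHA256=""
RUN wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /usr/bin/yq && \
    if [ -n "${YQ_SHA256}" ]; then \
        echo "${YQ_SHA256}  /usr/bin/yq" | sha256sum -c -; \
    else \
        echo "WARNING: YQ_SHA256 not set; yq was installed without an integrity check" >&2; \
    fi && \
    chmod +x /usr/bin/yq

# Install OpenShift CLI (oc).
# NOTE(review): "stable" is a moving channel, so two builds of this file can
# ship different oc binaries. Pin OC_VERSION to a concrete release and pass the
# matching OC_SHA256=<sha256-of-tarball> for a reproducible, verified install.
ARG OC_VERSION="stable"
ARG OC_SHA256=""
RUN wget "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${OC_VERSION}/openshift-client-linux.tar.gz" -O /tmp/oc.tar.gz && \
    if [ -n "${OC_SHA256}" ]; then \
        echo "${OC_SHA256}  /tmp/oc.tar.gz" | sha256sum -c -; \
    else \
        echo "WARNING: OC_SHA256 not set; oc was installed without an integrity check" >&2; \
    fi && \
    tar -xvf /tmp/oc.tar.gz -C /usr/bin/ oc && \
    rm /tmp/oc.tar.gz && chmod +x /usr/bin/oc

# Install Python tools for LLM work.
# NOTE(review): the packages are unpinned and installed into the system
# interpreter (--break-system-packages). Pin versions, ideally with hashes via a
# requirements file, to keep the dependency set reviewable.
RUN pip3 install --no-cache-dir --break-system-packages \
    httpie \
    pyyaml \
    requests \
    black \
    ipython

# Setup SSH directory & config for OpenShift (random UID support).
RUN mkdir -p /var/run/sshd && \
    chmod 775 /var/run/sshd

# Custom sshd_config for non-root usage.
# StrictModes no: required for non-root / random UID environments. With it
#   disabled sshd no longer checks ownership or modes of the home directory and
#   authorized_keys, so filesystem permissions are the only thing that stops
#   another account from adding a login key.
# PidFile: points to /tmp for guaranteed write access.
RUN printf "Port 2222\n\
PermitRootLogin no\n\
PasswordAuthentication no\n\
PubkeyAuthentication yes\n\
StrictModes no\n\
PidFile /tmp/sshd.pid\n\
HostKey /data/ssh/ssh_host_rsa_key\n\
HostKey /data/ssh/ssh_host_ecdsa_key\n\
HostKey /data/ssh/ssh_host_ed25519_key\n\
AuthorizedKeysFile .ssh/authorized_keys\n\
ChallengeResponseAuthentication no\n\
UsePAM no\n\
Subsystem sftp /usr/lib/openssh/sftp-server\n" > /etc/ssh/sshd_config

# Create a user 'claw' (UID 1000) with sudo access.
# The rule lives in its own drop-in (mode 0440, syntax-checked by visudo)
# instead of being appended to /etc/sudoers, so a malformed line fails the
# build rather than breaking sudo in the image.
# NOTE(review): NOPASSWD:ALL makes any session as 'claw' equivalent to root
# inside the container. Confirm this is intended for an image that accepts SSH
# logins. The home directory is also left group-writable while StrictModes is
# off.
RUN useradd -m -s /bin/bash -u 1000 claw && \
    echo "claw ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/claw && \
    chmod 0440 /etc/sudoers.d/claw && \
    visudo -cf /etc/sudoers.d/claw && \
    chmod -R g+rwX /home/claw

# Prepare the volume mount point before declaring it. Build steps that modify a
# path after its VOLUME instruction are discarded by the legacy builder, which
# would drop the directories and ownership set here.
# NOTE(review): the tree is group-owned by 'claw'. OpenShift arbitrary UIDs run
# with GID 0, so confirm these group bits grant the access that is intended.
RUN mkdir -p /data /data/.cache/pip /data/.cache/npm /data/.local && \
    chown -R claw:claw /data && \
    chmod -R 775 /data

# Mount persistent storage here.
VOLUME /data

# Set working directory to the persistent volume.
WORKDIR /data

# Expose SSH port (non-privileged).
EXPOSE 2222

# Switch to user 'claw' (UID 1000).
USER claw

# Link package managers to persistent storage.
ENV PIP_CACHE_DIR=/data/.cache/pip \
    npm_config_cache=/data/.cache/npm \
    XDG_CACHE_HOME=/data/.cache

# Add better default shell experience. printf '%s\n' writes each line verbatim,
# so the backslashes in PS1 are not subject to shell-specific echo handling.
# Shell history is kept on the persistent volume (HISTFILE), which means any
# secret typed on a command line outlives the container.
RUN printf '%s\n' \
    'export PS1="\[\e[32m\]\u@clawdbox\[\e[m\]:\[\e[34m\]\w\[\e[m\]\$ "' \
    'alias ll="ls -lah"' \
    'alias k="kubectl"' \
    'alias dc="docker"' \
    'export HISTFILE=/data/.bash_history' \
    'export HISTSIZE=10000' \
    'export HISTFILESIZE=10000' \
    >> /home/claw/.bashrc

# Start SSH daemon.
# Host keys are generated on first start if they do not yet exist on the
# persistent volume, so the server identity survives container restarts.
# 'exec' replaces the wrapper shell with sshd so that sshd receives the stop
# signal sent to the container directly.
CMD ["/bin/bash", "-c", "\
mkdir -p /data/ssh && \
for keytype in rsa ecdsa ed25519; do \
  if [ ! -f /data/ssh/ssh_host_${keytype}_key ]; then \
    echo \"Generating persistent host ${keytype} key...\"; \
    ssh-keygen -q -f /data/ssh/ssh_host_${keytype}_key -N '' -t ${keytype}; \
  fi; \
done && \
chmod 600 /data/ssh/ssh_host_*_key && \
if [ -f /data/.gitconfig ]; then ln -sf /data/.gitconfig ~/.gitconfig; fi && \
exec /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config"]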