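# syntax=docker/dockerfile:1
FROM node:20

# The build steps below need root (package install, setcap). node:20 already
# starts as root; the explicit USER makes the later drop to sboxuser obvious.
USER root

# Install libcap2-bin and firejail in the same layer as `apt-get update`, so
# both installs use one fresh package index (a separate `apt-get install`
# layer would reuse whatever index was cached earlier), and remove the index
# in that layer so it does not stay in the image.
# setcap grants node the file capability to bind ports below 1024.
# NOTE(review): EXPOSE lists only 4000 and 8000, both above 1024, so this
# capability is only needed if the app binds a privileged port — confirm.
RUN apt-get update \
    && apt-get install -y \
        firejail \
        libcap2-bin \
    && setcap cap_net_bind_service=+ep /usr/local/bin/node \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /code

# Dependency manifests first, so the install layer stays cached until they
# change. `npm install` is kept because `package*.json` does not guarantee a
# package-lock.json is in the build context; prefer `npm ci` once it is.
COPY package*.json ./
RUN npm install

# Application source and build (dist/ is what /start.sh runs).
# Keep a .dockerignore so .git, node_modules and .env files are not copied in.
COPY . .
RUN npm run build

# Unprivileged runtime user; /code/projects is the only path it owns.
# todo user namespace mapping
RUN useradd -m sboxuser \
    && mkdir projects \
    && chown -R sboxuser:sboxuser projects

# Entrypoint wrapper that runs the server inside a firejail sandbox.
# printf replaces `echo '...\n...'`: that form only produced two lines because
# Debian's /bin/sh (dash) expands \n in echo; bash's builtin echo would not.
# NOTE(review): firejail's --net=none gives node an unconnected network
# namespace, so the ports in EXPOSE would not be reachable from the container's
# network — confirm this is intended for the sandbox use case.
# NOTE(review): firejail creates its own namespaces; under a container
# runtime's default seccomp/capability set this can fail at start — confirm
# the `docker run` options the deployment uses.
# Earlier variants, kept for reference:
#   echo "noblacklist /code/projects\nprivate-bin node\nwhitelist /code/projects\n" > /etc/firejail/sboxuser.profile
#   exec firejail --private=/projects --noprofile node dist/index.js
RUN printf '%s\n' \
        '#!/bin/bash' \
        'exec firejail --private=/code/projects --noprofile --net=none --whitelist=/code/projects node dist/index.js' \
        > /start.sh \
    && chmod +x /start.sh

USER sboxuser

# Documentation only; publish with -p at `docker run`.
EXPOSE 4000 8000

CMD ["/start.sh"]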