# SOGo built from source to enable security patch application
# Repository: https://github.com/Alinto/sogo
# Version: SOGo-5.12.4
#
# Applied security patches:
# - 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb: XSS vulnerability in theme parameter
#
# To add new patches, modify SOGO_SECURITY_PATCHES ARG below with space-separated commit hashes

# Base image: Debian 12 (bookworm). The tag is mutable, so every rebuild uses
# whatever the registry currently serves under it.
# NOTE(review): pin by digest (debian:bookworm@sha256:<digest-placeholder>) if
# builds must be reproducible and the base must not change silently.
FROM debian:bookworm

LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"

# Declared as ARG rather than ENV: apt stays non-interactive during the build,
# and the setting is not persisted into the running container's environment.
ARG DEBIAN_FRONTEND=noninteractive
# Git refs handed to `git clone --branch` for the SOGo and SOPE source trees.
ARG SOGO_VERSION=SOGo-5.12.4
ARG SOPE_VERSION=SOPE-5.12.4
# Security patches to apply (space-separated commit hashes).
# Each hash is fetched from the SOGo remote and cherry-picked onto SOGO_VERSION.
ARG SOGO_SECURITY_PATCHES="16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb"
# Release of tianon/gosu to download; the line below is a Renovate annotation
# and must stay directly above the ARG it describes.
# renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
ARG GOSU_VERSION=1.19
# ENV (not ARG): this locale setting persists into the running container.
ENV LC_ALL=C

# Install all dependencies (build + runtime)
# This is a single-stage build, so git, the compiler toolchain and the -dev
# packages remain in the final image next to the runtime libraries.
# NOTE(review): gnupg and dirmngr are installed here, but no step visible in
# this file uses them to verify anything that is downloaded.
RUN apt-get update && apt-get install -y --no-install-recommends \
    # Build dependencies
    git \
    build-essential \
    gobjc \
    gnustep-make \
    gnustep-base-runtime \
    libgnustep-base-dev \
    libxml2-dev \
    libldap2-dev \
    libssl-dev \
    zlib1g-dev \
    libpq-dev \
    libmariadb-dev-compat \
    libmemcached-dev \
    libsodium-dev \
    libcurl4-openssl-dev \
    libzip-dev \
    libytnef0-dev \
    curl \
    ca-certificates \
    # Runtime dependencies
    apt-transport-https \
    gettext \
    gnupg \
    mariadb-client \
    rsync \
    supervisor \
    syslog-ng \
    syslog-ng-core \
    syslog-ng-mod-redis \
    dirmngr \
    netcat-traditional \
    psmisc \
    wget \
    patch \
    libobjc4 \
    libxml2 \
    libldap-2.5-0 \
    libssl3 \
    zlib1g \
    libmariadb3 \
    libmemcached11 \
    libsodium23 \
    libcurl4 \
    libzip4 \
    libytnef0 \
  # Last '-'-separated field of the dpkg architecture string; used as the
  # asset suffix in the gosu download URL below.
  && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
  # NOTE(review): the gosu binary is fetched over HTTPS and made executable
  # without any integrity check, then executed as root in this same step
  # (`gosu nobody true`). Upstream publishes a detached signature
  # (gosu-<arch>.asc) next to each release asset; verify it with the
  # publisher's signing key, or compare the download against a pinned SHA-256,
  # before the chmod.
  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
  && chmod +x /usr/local/bin/gosu \
  # Smoke test: fails the build if the downloaded binary cannot run or cannot
  # switch to the `nobody` user.
  && gosu nobody true \
  # Placeholder files; presumably expected by scripts outside this file - confirm.
  && mkdir -p /usr/share/doc/sogo \
  && touch /usr/share/doc/sogo/empty.sh \
  # Clean up in the same layer so the package lists do not persist in the image.
  && apt-get autoclean \
  && rm -rf /var/lib/apt/lists/* \
  && touch /etc/default/locale

# Build SOPE (SOGo's framework dependency).
# A shallow clone of the SOPE_VERSION ref is compiled and installed under /usr.
# The build runs in a subshell so that the working directory and the variables
# set by sourcing GNUstep.sh do not outlive the compile; the source tree is
# removed in the same layer, so it never lands in the image.
# NOTE(review): SOPE_VERSION names a ref by name, not by commit hash, so the
# code that gets built is whatever the remote serves for that name.
RUN git clone --branch "${SOPE_VERSION}" --depth 1 https://github.com/Alinto/sope.git /tmp/sope \
  && ( \
       cd /tmp/sope \
       && . /usr/share/GNUstep/Makefiles/GNUstep.sh \
       && ./configure --prefix=/usr --enable-debug \
       && make -j"$(nproc)" \
       && make install \
     ) \
  && rm -rf /tmp/sope

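# Build SOGo with security patches.
# A shallow clone of the SOGO_VERSION ref is taken, then every commit hash in
# SOGO_SECURITY_PATCHES is fetched from the same remote and cherry-picked on
# top of it before compiling.
#
# The loop aborts the build on the first patch that cannot be fetched or
# applied. A `for` loop's exit status is only that of the last command it ran,
# so without the explicit `exit 1` a failure on any patch other than the last
# one would be masked and the image would be built without that security fix.
#
# A git identity is configured because cherry-pick creates a commit.
# SOGO_SECURITY_PATCHES is left unquoted in the `for` list on purpose: it is a
# space-separated list and must be word-split.
# NOTE(review): SOGO_VERSION names a ref by name, not by commit hash, so the
# base that the patches are applied to is whatever the remote serves for it.
RUN git clone --depth 1 --branch "${SOGO_VERSION}" https://github.com/Alinto/sogo.git /tmp/sogo \
  && cd /tmp/sogo \
  && git config user.email "builder@mailcow.local" \
  && git config user.name "SOGo Builder" \
  && for patch in ${SOGO_SECURITY_PATCHES}; do \
       echo "Applying security patch: ${patch}"; \
       if ! git fetch origin "${patch}" || ! git cherry-pick "${patch}"; then \
         echo "Failed to apply security patch: ${patch}" >&2; \
         exit 1; \
       fi; \
     done \
  && . /usr/share/GNUstep/Makefiles/GNUstep.sh \
  && ./configure --enable-debug \
  && make \
  && make install \
  && cd / \
  && rm -rf /tmp/sogo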

# Configure library paths.
# Writes the three extra library directories, one per line, to a dedicated
# ld.so.conf.d drop-in and rebuilds the dynamic linker cache.
RUN printf '%s\n' \
      "/usr/lib64" \
      "/usr/local/lib/sogo" \
      "/usr/local/lib/GNUstep/Frameworks/SOGo.framework/Versions/5/sogo" \
      > /etc/ld.so.conf.d/sogo.conf \
  && ldconfig

# Create the sogo service account and the directories it owns.
# UID and GID are fixed at 999 so ownership is the same on every build.
# useradd --system does not create the home directory, so /var/lib/sogo is
# created explicitly together with the run and log directories.
# NOTE(review): the account gets /bin/bash as its login shell; whether a
# scripts outside this file need an interactive shell for it is not visible
# here - confirm before tightening.
RUN groupadd --system --gid 999 sogo \
  && useradd --system --uid 999 --gid sogo \
       --home-dir /var/lib/sogo \
       --shell /bin/bash \
       --comment "SOGo Daemon" \
       sogo \
  && mkdir -p /var/lib/sogo /var/run/sogo /var/log/sogo \
  && chown -R sogo:sogo /var/lib/sogo /var/run/sogo /var/log/sogo

# Create symlinks for SOGo binaries.
# `make install` placed them under /usr/local/sbin; each one is linked into
# /usr/sbin under the same name. The step stops at the first link that fails.
RUN for bin in sogod sogo-tool sogo-ealarms-notify sogo-slapd-sockd; do \
      ln -s "/usr/local/sbin/${bin}" "/usr/sbin/${bin}" || exit 1; \
    done

# Copy configuration files and scripts from the build context.
# No --chown is given, so the files are created with UID/GID 0. File modes are
# taken from the build context as-is.
COPY ./bootstrap-sogo.sh /bootstrap-sogo.sh
# Logging and process-supervision configuration.
COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
COPY supervisord.conf /etc/supervisor/supervisord.conf
# Patch files; nothing in this file applies them, so they are presumably
# applied at container start by one of the copied scripts - confirm.
COPY acl.diff /acl.diff
COPY navMailcowBtns.diff /navMailcowBtns.diff
COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
# Image entrypoint (see ENTRYPOINT below).
COPY docker-entrypoint.sh /

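# Make the copied scripts executable regardless of the file modes they had in
# the build context. /docker-entrypoint.sh is included because it is the
# image's ENTRYPOINT: if its executable bit is lost on checkout, the container
# cannot start.
RUN chmod +x /bootstrap-sogo.sh \
  /usr/local/sbin/stop-supervisor.sh \
  /docker-entrypoint.sh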

# Exec-form ENTRYPOINT: the script is started directly, not through a shell,
# and receives the CMD below as its arguments.
# No USER instruction appears in this file, so the entrypoint starts as root.
# NOTE(review): presumably the entrypoint or the supervisord configuration
# uses gosu to run sogod as the sogo account - confirm in docker-entrypoint.sh
# and supervisord.conf, which are not shown here.
ENTRYPOINT ["/docker-entrypoint.sh"]

# Default command: supervisord with the configuration copied to
# /etc/supervisor/supervisord.conf. It can be overridden at `docker run`.
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
