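#!/bin/bash
#
# Builds a customised Keycloak image with buildah using two working
# containers created from the same upstream image:
#   builder - runs `kc.sh build` to produce the optimised server
#   final   - receives the built /opt/keycloak tree and the runtime config
# The result is committed as a squashed OCI image into the directory "image".
#
# Optional environment (the defaults reproduce the previously hard-coded values):
#   KC_DB_PASSWORD           database password written into the image env
#   KEYCLOAK_ADMIN_PASSWORD  admin password written into the image env
#
# SECURITY: every `buildah config -e` value ends up in the image
# configuration and can be read by anyone able to pull or inspect the image;
# --squash does not remove it. Prefer leaving the credentials out of the
# image and supplying them when the container is started.
set -euo pipefail

# Runs the given command twice, appending "builder" and then "final" as the
# last argument. Not called anywhere in this script.
both() {
  "$@" builder
  "$@" final
}

# NOTE(review): ":latest" together with --pull=newer means the base image can
# change between runs; pinning a version tag or digest makes the build
# reproducible and reviewable.
source=quay.io/keycloak/keycloak:latest

# The fallbacks are the placeholder credentials the script always used.
db_password=${KC_DB_PASSWORD:-changeme}
admin_password=${KEYCLOAK_ADMIN_PASSWORD:-admin}
if [[ "$db_password" == "changeme" || "$admin_password" == "admin" ]]; then
  printf '%s\n' \
    'warning: building with placeholder credentials; set KC_DB_PASSWORD and KEYCLOAK_ADMIN_PASSWORD, or inject them at runtime' >&2
fi

buildah from -q --name builder --pull=newer "$source" >/dev/null
buildah from -q --name final "$source" >/dev/null

# Drop all labels, env vars, annotations and ports inherited from the base image.
buildah config -l - -e - -a - -p - final

buildah config \
  -e PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin" \
  -e KC_HTTPS_CLIENT_AUTH=request \
  builder

# NOTE(review): the env of "final" was cleared above and PATH is only set on
# "builder"; confirm that the bare "kc.sh" in the entrypoint resolves at runtime.
# NOTE(review): the entrypoint is exec-form JSON, so the single quotes around
# the log format are passed to kc.sh literally; confirm that is intended.
# The server listens on plain HTTP (8080) in edge-proxy mode, so the port
# should only be reachable from the TLS-terminating reverse proxy.
buildah config \
  -e KC_HOSTNAME_ADMIN_URL="https://admin.sso.sebastian-tobie.de" \
  -e KC_HOSTNAME_URL="https://sso.sebastian-tobie.de" \
  -e KC_DB_USERNAME=keycloak \
  -e KC_DB_PASSWORD="$db_password" \
  -e KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak \
  -e KEYCLOAK_ADMIN="admin" \
  -e KEYCLOAK_ADMIN_PASSWORD="$admin_password" \
  -p 8080/tcp \
  -u keycloak:keycloak \
  --entrypoint "[\"kc.sh\", \"start\", \"--optimized\", \"--http-enabled\", \"true\", \"--proxy\", \"edge\", \"--log-console-format\", \"'%-5p [%c] (%t) %s%e%n'\", \"--hostname-strict-backchannel=true\"]" \
  final

# Produce the optimised build inside the builder container.
buildah run -- builder kc.sh build \
  --db=postgres \
  --metrics-enabled=true \
  --https-client-auth request \
  --features web-authn,passkeys,persistent-user-sessions,recovery-codes \
  --features-disabled kerberos,docker,ciba,fips

# Copy the built tree into the final container, owned by root rather than by
# the keycloak runtime user.
buildah copy --from builder --chown root:root final /opt/keycloak/ /opt/keycloak/
buildah rm builder

# Squash to a single layer, write an OCI image into ./image and remove the
# working container.
buildah commit --squash -q -f oci --rm final dir:image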