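# Zeek sensor image: builds Zeek from a self-hosted mirror, installs a fixed set
# of zkg packages, grants the capture binaries raw/admin net file capabilities,
# and at runtime disables NIC offloading before dropping to the `zeek` user.
#
# Build-time knobs:
#   PLATFORM - target platform for the base image (default linux/amd64).
#              In the old recipe this ARG was declared but never used.
#   ZEEK_REF - optional git tag/branch/commit to check out after cloning Zeek.
#              Empty (default) keeps the mirror's default branch. Pin this, and
#              the zkg package refs below, for reproducible/auditable builds.
ARG PLATFORM=linux/amd64
FROM --platform=${PLATFORM} ubuntu:noble

ENV ZEEK_HOME=/usr/local/zeek
ENV PATH="${ZEEK_HOME}/bin:${PATH}"

USER root

# System dependencies. The compilers/cmake stay in the final image because zkg
# compiles plugins at install time below; a multi-stage build could drop them
# if plugins are never (re)installed inside the running container.
# NOTE(review): nano, sendmail and cron are not referenced by this Dockerfile;
# presumably kept for zeekctl's mail/cron features - drop them if unused.
# `wget` was previously installed (twice) and then removed again; it is never
# used, so it is simply not installed.
RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y \
      cmake make gcc g++ flex bison libfl-dev libpcap-dev libssl-dev build-essential \
      python3 python3-dev swig zlib1g-dev python3-pip \
      libmaxminddb-dev libnghttp2-dev libbrotli-dev \
      git net-tools iproute2 nodejs lshw ethtool nano \
      sendmail cron gettext ca-certificates python3-requests python3-jinja2 python3-yaml \
      libcap2-bin passwd && \
    update-ca-certificates && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# zkg's Python requirements. These are unpinned; pin exact versions (or use the
# distro packages python3-git / python3-semantic-version, which would also make
# --break-system-packages unnecessary) once the supported zkg version is fixed.
RUN pip3 install --no-cache-dir GitPython semantic-version --break-system-packages

# Unprivileged service account (fixed UID/GID so host volume ownership is stable).
RUN groupadd -g 9000 cyber-user-group && \
    useradd -r -u 9000 -g cyber-user-group -m zeek

# Build Zeek from source. The source tree is removed in the same layer so it
# does not persist in the image history.
# The old recipe ended with `ln -s ${ZEEK_HOME} /usr/local/zeek`; because the
# two paths are identical and the directory already exists, that created a
# self-referencing loop symlink at /usr/local/zeek/zeek. The link is now only
# created when ZEEK_HOME is actually relocated.
ARG ZEEK_REF=""
RUN cd /opt && \
    git clone --recursive https://git.leargas.io/pk/zeek && \
    cd zeek && \
    if [ -n "${ZEEK_REF}" ]; then \
      git checkout "${ZEEK_REF}" && git submodule update --init --recursive; \
    fi && \
    ./configure --prefix="${ZEEK_HOME}" && \
    make -j"$(nproc)" && \
    make install && \
    if [ "${ZEEK_HOME}" != /usr/local/zeek ]; then ln -s "${ZEEK_HOME}" /usr/local/zeek; fi && \
    cd / && rm -rf /opt/zeek

# Data directories owned by the service account, plus a fresh etc/.
# NOTE(review): only zeekctl.cfg is copied back into etc/ below; node.cfg and
# networks.cfg are not, so zeekctl will not be usable unless they are supplied
# at runtime (the current CMD does not use zeekctl).
RUN mkdir -p /data/bro/logs /data/bro/spool && \
    chown -R zeek:cyber-user-group /data/bro && \
    mkdir -p "${ZEEK_HOME}/share/zeek/site/scripts/capitalone" && \
    mv "${ZEEK_HOME}/etc" "${ZEEK_HOME}/etc.bak" && \
    mkdir -p "${ZEEK_HOME}/etc"

# zkg packages. `zkg autoconfig` must succeed (nothing below works without it);
# each package install stays best-effort but is logged individually. The old
# `a && b && ... || true` chain short-circuited on the first failure and the
# single trailing `|| true` silently masked all of them, including autoconfig.
# NOTE(review): the package URLs are unpinned; zkg can install a specific
# version/ref (see `zkg install --version`) - pin them for supply-chain hygiene.
RUN zkg autoconfig --force && \
    for pkg in \
        https://git.leargas.io/pk/bzar \
        https://git.leargas.io/pk/hassh \
        https://git.leargas.io/pk/ja3 \
        https://git.leargas.io/pk/file-extraction \
        https://git.leargas.io/pk/mdns \
        https://git.leargas.io/pk/geoip-conn; do \
      zkg install --force "${pkg}" || echo "[WARN] zkg install failed for ${pkg}" >&2; \
    done

# File capabilities so the capture binaries can open raw sockets without being
# root. Best-effort per binary (e.g. capstats may not have been built), but no
# longer one `|| true` that also swallowed the cleanup steps that followed it.
# NOTE(review): the kernel ignores file capabilities on interpreted scripts; if
# zeekctl is a Python script the setcap on it is a no-op - verify and drop it.
# File caps only work if the container's bounding set includes NET_RAW and
# NET_ADMIN (Docker grants NET_RAW by default, NET_ADMIN only via --cap-add).
RUN for bin in zeek capstats zeekctl; do \
      setcap cap_net_raw,cap_net_admin=eip "${ZEEK_HOME}/bin/${bin}" || \
        echo "[WARN] setcap skipped for ${bin}" >&2; \
    done

# Site configuration and GeoIP database.
COPY local.zeek ${ZEEK_HOME}/share/zeek/site/local.zeek
COPY zeekctl.cfg ${ZEEK_HOME}/etc/zeekctl.cfg
COPY GeoLite2-City.mmdb /opt/GeoLite2-City.mmdb

# World-readable, owned by the service account.
RUN chmod 644 /opt/GeoLite2-City.mmdb && \
    chown zeek:cyber-user-group /opt/GeoLite2-City.mmdb

# Runtime. NIC offload tuning needs CAP_NET_ADMIN (run the container with
# --cap-add NET_ADMIN, typically on the host network), so it runs as root and
# privileges are dropped afterwards with setpriv (util-linux) instead of
# `su - zeek -c ...`:
#   * `su -` started a login shell that reset PATH to the login default, which
#     does not contain ${ZEEK_HOME}/bin, so `zeek` was not on PATH;
#   * `exec su` left `su` as PID 1 with zeek as its child, so container signals
#     (SIGTERM on stop) did not reach zeek directly;
#   * setpriv needs no setuid helper or PAM session.
# HOME/USER are set explicitly to mirror what the login shell provided.
# NOTE(review): `zeek --version` only prints the version and exits; this looks
# like a placeholder for the real launch (`zeek -i <iface>` / `zeekctl deploy`).
USER root
CMD bash -c '\
  echo "[INFO] Disabling NIC offloading (if interfaces exist)..."; \
  for i in enp0s3 ens33 ens34 ens192 ens160 eth0 eth1 eth4 eth5 br0 enp11s0f1 enp11s0f0 enp10s0f1 enp10s0f0; do \
    if ip link show "$i" >/dev/null 2>&1; then \
      echo "[INFO] Tuning $i..."; \
      for n in lro tso gso gro; do \
        /sbin/ethtool -K "$i" "$n" off 2>/dev/null || echo "[WARN] could not disable $n on $i" >&2; \
      done; \
    fi; \
  done; \
  echo "[INFO] Starting Zeek..."; \
  export HOME=/home/zeek USER=zeek LOGNAME=zeek; \
  cd "$HOME" || exit 1; \
  exec setpriv --reuid=zeek --regid=cyber-user-group --init-groups -- zeek --version'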