# syntax=docker/dockerfile:1.7
#
# mCables — multi-stage Dockerfile: one build stage → distroless runtime image.
# go.mod requires go 1.25; modernc.org/sqlite is pure Go so CGO_ENABLED=0
# and a distroless/static runtime is all we need.

# Builder stage: compiles the static mcables binary and prepares the data
# directory under /out for the runtime stage to copy.
# NOTE(review): the base image is pinned by tag only. For reproducible,
# tamper-evident builds consider pinning the digest as well, e.g.
# golang:1.25-alpine@sha256:<digest> (placeholder, resolve from the registry).
FROM golang:1.25-alpine AS build
WORKDIR /src

# Module manifests are copied on their own so the download layer below is
# reused until go.mod or go.sum changes.
COPY go.mod go.sum ./
RUN go mod download

# NOTE(review): this brings the whole build context into the builder.
# Confirm a .dockerignore keeps .git, local runtime data (for example a
# SQLite database) and any credential files out of the context.
COPY . .

# Static build with cgo disabled. -trimpath removes local filesystem paths
# from the binary; -s -w omit the symbol table and DWARF debug info.
RUN CGO_ENABLED=0 GOOS=linux \
    go build -trimpath -ldflags="-s -w" -o /out/mcables ./cmd/mcables

# The distroless runtime has neither a shell nor mkdir, so the writable
# data directory is created here, already owned by the runtime UID:GID,
# and copied into the final image from this stage.
RUN mkdir -p /out/data \
    && chown -R 1000:1000 /out/data

# Runtime stage: distroless static image (no shell, no mkdir) holding only
# the binary and its data directory.
# NOTE(review): pinned by tag only; consider adding the image digest, e.g.
# static-debian12:nonroot@sha256:<digest> (placeholder, resolve from the registry).
FROM gcr.io/distroless/static-debian12:nonroot
WORKDIR /app

# The binary is copied without --chown; only the data directory is handed
# to UID:GID 1000:1000.
# NOTE(review): the binary was built as the builder's default user, so it
# should not be writable by the runtime user; verify in the built image.
COPY --from=build /out/mcables /app/mcables
COPY --from=build --chown=1000:1000 /out/data /app/data

# EXPOSE only documents the port; publishing it is a run-time decision.
EXPOSE 7777

# Presumably the listen address and the SQLite database path read by the
# binary (confirm against the application). 0.0.0.0 covers every interface
# inside the container, so host-side reachability is governed by the port
# mapping chosen at run time.
ENV MCABLES_ADDR=0.0.0.0:7777 \
    MCABLES_DB=/app/data/mcables.db

# UID:GID 1000:1000 matches user m on mDock: the bind-mounted
# /home/m/stacks/mcables/data is owned by m:m, so the container can write
# to it without the host directory being chowned. distroless/static-debian12
# accepts arbitrary numeric UIDs, and the Go binary needs no /etc/passwd
# entry.
# NOTE(review): on that bind mount the process acts with m's file
# permissions, so keep the mount limited to the data directory.
USER 1000:1000
ENTRYPOINT ["/app/mcables"]
