# -----------------------------------------------------------------------
# Stage 1: Build
# -----------------------------------------------------------------------
FROM golang:1.26-alpine AS builder

WORKDIR /build

# Copy module files first for layer caching
COPY go.mod ./
RUN go mod download

# Copy source
COPY . .

# Build a static binary (no CGO, no external dependencies)
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -ldflags="-s -w" -o crowdsec-dashy ./cmd/server

# -----------------------------------------------------------------------
# Stage 2: Minimal runtime image
# -----------------------------------------------------------------------
FROM alpine:3.19

# Install ca-certificates for HTTPS LAPI connections
RUN apk --no-cache add ca-certificates tzdata

WORKDIR /app

# Copy binary (web assets embedded at build time)
COPY --from=builder /build/crowdsec-dashy .

# Non-root user for security
RUN addgroup -S csui && adduser -S csui -G csui && \
    mkdir -p /app/config && chown csui:csui /app/config
USER csui

EXPOSE 8080

# All settings live in app_config.conf (auto-generated on first run).
# CONFIG_FILE tells the app where to look — set in docker-compose.yml.
ENV CONFIG_FILE=/app/config/app_config.conf

ENTRYPOINT ["/app/crowdsec-dashy"]
