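# Build stage: compile the honeypot binary with the full Go toolchain so that
# the compiler, module cache and source tree never reach the runtime image.
# NOTE(review): the base image is pinned by tag only. For reproducible builds
# pin it by digest (golang:1.21-alpine@sha256:<digest>) and confirm this Go
# release line still receives security fixes.
FROM golang:1.21-alpine AS builder

# The build below forces CGO_ENABLED=1, which needs a C compiler and libc
# headers; the alpine variant of the golang image ships neither.
RUN apk add --no-cache gcc musl-dev

WORKDIR /app

# Copy only the module manifests first so the dependency layer stays cached
# until go.mod/go.sum change. `go mod download` checks modules against go.sum;
# `go mod verify` re-checks that the cached copies were not altered afterwards.
COPY go.mod go.sum ./
RUN go mod download && go mod verify

# NOTE(review): this copies the whole build context. Keep a .dockerignore that
# excludes .git, local databases, logs and any credential files so they end up
# in neither the build cache nor the binary's embedded assets.
COPY . .
RUN CGO_ENABLED=1 GOOS=linux go build -a -installsuffix cgo -o honeypot main.go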

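# Runtime stage: only the compiled binary, its templates and the few packages
# it needs at run time.
# NOTE(review): pinned by tag only. Pin by digest (alpine:3.18@sha256:<digest>)
# and confirm this release branch still receives security updates.
FROM alpine:3.18

# Dedicated unprivileged account with a fixed UID/GID (1001) so orchestrators
# can enforce run-as-non-root. The service never needs an interactive login,
# so the account gets a nologin shell.
RUN addgroup -g 1001 honeypot && \
    adduser -D -s /sbin/nologin -u 1001 -G honeypot honeypot

# Install minimal dependencies
# NOTE(review): `sqlite` installs the command-line client. If the binary links
# SQLite in through cgo this package may be unnecessary. Confirm and drop it
# if so, since every extra tool in a honeypot image is available to whoever
# gets code execution inside it.
RUN apk --no-cache add ca-certificates sqlite

WORKDIR /app

# Copy binary and templates from the build stage
COPY --from=builder /app/honeypot .
COPY --from=builder /app/app/templates ./app/templates

# Create the writable data/log directories and hand /app to the service
# account in a single layer.
# NOTE(review): this leaves the binary and templates writable by the account
# that faces hostile traffic. If the service only writes under /app/data and
# /app/logs, restrict ownership to those two directories instead.
RUN mkdir -p /app/data /app/logs && \
    chown -R honeypot:honeypot /app

# Switch to non-root user
USER honeypot

# Expose only necessary ports (documentation only; publishing happens at run time)
EXPOSE 6333

# Health check
# Probes 127.0.0.1 rather than "localhost" so the check does not depend on
# whether the name resolves to IPv4 or IPv6 first.
# NOTE(review): this probe hits the honeypot's own listener every 30s. If the
# service records every request, exclude loopback traffic from alerting so
# the health check does not show up as attacker activity.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD wget --no-verbose --tries=1 --spider http://127.0.0.1:6333/ || exit 1

# Absolute path so the entrypoint still resolves if the working directory is
# overridden at run time.
ENTRYPOINT ["/app/honeypot"]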
