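# syntax=docker/dockerfile:1

# Two-stage build for traefik-dns-watcher: compile a static Go binary, then
# ship it on a small Alpine image together with the git/ssh tooling it needs.
#
# NOTE(review): both base images are referenced by mutable tag only. For
# reproducible builds, additionally pin each by digest
# (image:tag@sha256:<digest-placeholder>) and bump it deliberately.

# ─── Build stage ───────────────────────────────────────────────────────────────
FROM golang:1.23-alpine AS builder

WORKDIR /build

# Download dependencies first for better layer caching.
COPY go.mod go.sum ./
RUN go mod download

# Only the top-level *.go files enter the build stage; nothing else from the
# build context (VCS metadata, local config, key material) is copied in.
COPY *.go ./

# CGO_ENABLED=0 builds without cgo so the binary does not depend on the
# builder's libc; -s -w drops the symbol table and DWARF debug info.
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o traefik-dns-watcher .

# ─── Final stage ───────────────────────────────────────────────────────────────
FROM alpine:3.20

# ca-certificates — required for HTTPS git remotes and Traefik API calls
# git             — required for all DNS repo operations
# openssh-client  — required for SSH-based git push/pull
# appuser is created with a fixed UID (1001) so ownership of the mounted
# paths below can be matched on the host.
RUN apk add --no-cache \
        ca-certificates \
        git \
        openssh-client \
    && adduser -D -u 1001 appuser

WORKDIR /app

# No --chown: the binary stays root-owned, so the runtime user cannot replace it.
COPY --from=builder /build/traefik-dns-watcher .

# The container runs as a non-root user (appuser, UID 1001).
# Required bind-mounts / volumes:
#   /var/run/docker.sock — Docker events API.
#       A read-only bind mount is enough for the mount itself, but it does NOT
#       limit which API calls can be made: any process that can connect to the
#       socket has effectively root-equivalent control of the host. Prefer a
#       filtering socket proxy that exposes only the endpoints this service
#       needs. appuser also needs group access to the socket, e.g.
#       `--group-add <host-docker-gid>`.
#   /dns-repo            — pre-cloned DNS git repository (DNS_REPO_PATH).
#       Must be writable by UID 1001; git refuses to operate on a repository
#       owned by a different user unless it is listed in safe.directory.
#   /home/appuser/.ssh   — SSH key for git authentication (if using SSH).
#       Not /root/.ssh: the process runs as appuser and cannot read root's
#       home. Mount it read-only, use a dedicated deploy key scoped to the DNS
#       repository, and include a known_hosts file so host-key verification
#       does not have to be disabled.
USER appuser

# Exec form: the watcher runs as PID 1 and receives stop signals directly.
ENTRYPOINT ["/app/traefik-dns-watcher"]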