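# syntax=docker/dockerfile:1.7
# Runtime-only hardened image for publish-first local builds.
#
# Expects a build context containing:
#   app/            - the `dotnet publish` output for ${APP_BINARY}
#   healthcheck.sh  - probe script executed by HEALTHCHECK
#
# Build-time knobs (override with --build-arg). ARGs declared before FROM are
# only visible to FROM, so each one is redeclared inside the stage below.
ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0-noble
ARG APP_BINARY=StellaOps.Service
ARG APP_USER=stella
ARG APP_UID=10001
ARG APP_GID=10001
ARG APP_PORT=8080

# NOTE(review): RUNTIME_IMAGE is tag-pinned; for reproducible production builds
# pass a digest-qualified reference (--build-arg RUNTIME_IMAGE=<image>@sha256:<digest>).
FROM ${RUNTIME_IMAGE} AS runtime

ARG APP_BINARY=StellaOps.Service
ARG APP_USER=stella
ARG APP_UID=10001
ARG APP_GID=10001
ARG APP_PORT=8080

# System account with a fixed numeric UID/GID so runtimes that enforce
# runAsNonRoot can verify it, plus the writable directories the service owns.
# /tmp is intentionally not created or re-owned here: the base image already
# ships it world-writable with the sticky bit, so the service user can write
# there without taking ownership of the directory.
RUN groupadd -r -g ${APP_GID} ${APP_USER} && \
    useradd -r -u ${APP_UID} -g ${APP_GID} -d /var/lib/${APP_USER} ${APP_USER} && \
    mkdir -p /app /var/lib/${APP_USER} /var/run/${APP_USER} && \
    chown -R ${APP_UID}:${APP_GID} /app /var/lib/${APP_USER} /var/run/${APP_USER}

WORKDIR /app

# Application payload and health probe, owned by the service account at copy
# time so the permission tightening below needs no extra chown layer.
COPY --chown=${APP_UID}:${APP_GID} app/ ./
COPY --chown=${APP_UID}:${APP_GID} healthcheck.sh /usr/local/bin/healthcheck.sh

# ASPNETCORE_URLS is expanded from APP_PORT at build time and must agree with EXPOSE.
# DOTNET_EnableDiagnostics=0 turns off the runtime's diagnostics channel
# (debugger/profiler/EventPipe IPC); COMPlus_* is the legacy spelling of the
# same switch, kept for older components that still read it.
# APP_BINARY is carried into the runtime env because the ENTRYPOINT reads it.
ENV ASPNETCORE_URLS=http://+:${APP_PORT} \
    DOTNET_EnableDiagnostics=0 \
    COMPlus_EnableDiagnostics=0 \
    APP_BINARY=${APP_BINARY}

# Least-privilege file modes: owner-read-only for assemblies, config and symbol
# files directly under /app; owner-traverse-only for /app and its immediate
# subdirectories (the `-type d` pass includes /app itself, so no separate
# `chmod 500 /app` is needed). Only the probe script must be executable.
# Entries deeper than one level keep the modes they were copied with.
RUN chmod +x /usr/local/bin/healthcheck.sh && \
    find /app -maxdepth 1 -type f \( -name '*.dll' -o -name '*.json' -o -name '*.pdb' \) -exec chmod 400 {} + && \
    find /app -maxdepth 1 -type d -exec chmod 500 {} +

# Everything from here on, including HEALTHCHECK and the entrypoint, runs unprivileged.
USER ${APP_UID}:${APP_GID}

# Documentation only; the default APP_PORT is above 1024 so the non-root user can bind it.
EXPOSE ${APP_PORT}

HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
    CMD /usr/local/bin/healthcheck.sh

# A shell is required to expand $APP_BINARY at run time; `exec` replaces it so
# dotnet becomes PID 1 and receives SIGTERM from `docker stop` directly.
ENTRYPOINT ["sh","-c","exec dotnet ./\"$APP_BINARY\".dll"]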