git.stella-ops.org/ops/devops/docker/Dockerfile.hardened.template

# syntax=docker/dockerfile:1.7
# Hardened multi-stage template for StellaOps services
# Parameters are build-time ARGs so this file can be re-used across services.

ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0-bookworm-slim
ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0-bookworm-slim
ARG APP_PROJECT=src/Service/Service.csproj
ARG CONFIGURATION=Release
ARG PUBLISH_DIR=/app/publish
ARG APP_BINARY=StellaOps.Service
ARG APP_USER=stella
ARG APP_UID=10001
ARG APP_GID=10001
ARG APP_PORT=8080

FROM ${SDK_IMAGE} AS build
ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
    DOTNET_NOLOGO=1 \
    SOURCE_DATE_EPOCH=1704067200
WORKDIR /src
# Expect restore sources to be available offline via local-nugets/
COPY . .
RUN dotnet restore ${APP_PROJECT} --packages /src/local-nugets && \
    dotnet publish ${APP_PROJECT} -c ${CONFIGURATION} -o ${PUBLISH_DIR} \
      /p:UseAppHost=true /p:PublishTrimmed=false

FROM ${RUNTIME_IMAGE} AS runtime
# Create non-root user/group with stable ids for auditability
RUN groupadd -r -g ${APP_GID} ${APP_USER} && \
    useradd  -r -u ${APP_UID} -g ${APP_GID} -d /var/lib/${APP_USER} ${APP_USER} && \
    mkdir -p /app /var/lib/${APP_USER} /var/run/${APP_USER} /tmp && \
    chown -R ${APP_UID}:${APP_GID} /app /var/lib/${APP_USER} /var/run/${APP_USER} /tmp

WORKDIR /app
COPY --from=build --chown=${APP_UID}:${APP_GID} ${PUBLISH_DIR}/ ./
# Ship healthcheck helper; callers may override with their own script
COPY --chown=${APP_UID}:${APP_GID} ops/devops/docker/healthcheck.sh /usr/local/bin/healthcheck.sh

ENV ASPNETCORE_URLS=http://+:${APP_PORT} \
    DOTNET_EnableDiagnostics=0 \
    DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 \
    COMPlus_EnableDiagnostics=0 \
    APP_BINARY=${APP_BINARY}

USER ${APP_UID}:${APP_GID}
EXPOSE ${APP_PORT}
HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
  CMD /usr/local/bin/healthcheck.sh

# Harden filesystem; deploys should also set readOnlyRootFilesystem true
RUN chmod 500 /app && \
    find /app -maxdepth 1 -type f -exec chmod 400 {} \; && \
    find /app -maxdepth 1 -type d -exec chmod 500 {} \;

# Use shell form so APP_BINARY env can be expanded without duplicating the template per service
ENTRYPOINT ["sh","-c","exec ./\"$APP_BINARY\""]