git.stella-ops.org/devops/docker/Dockerfile.hardened.template

# Hardened multi-stage template for StellaOps services
# Parameters are build-time ARGs so this file can be re-used across services.

ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0-noble
ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0-noble
ARG APP_PROJECT=src/Service/Service.csproj
ARG CONFIGURATION=Release
ARG PUBLISH_DIR=/app/publish
ARG APP_BINARY=StellaOps.Service
ARG APP_USER=stella
ARG APP_UID=10001
ARG APP_GID=10001
ARG APP_PORT=8080

FROM ${SDK_IMAGE} AS build
ARG APP_PROJECT
ARG CONFIGURATION
ARG PUBLISH_DIR
ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
    DOTNET_NOLOGO=1 \
    SOURCE_DATE_EPOCH=1704067200
WORKDIR /src
# Expect restore sources to be available offline via /.nuget/
COPY . .
RUN dotnet restore ${APP_PROJECT} && \
    dotnet publish ${APP_PROJECT} -c ${CONFIGURATION} -o ${PUBLISH_DIR} \
      /p:UseAppHost=true /p:PublishTrimmed=false

FROM ${RUNTIME_IMAGE} AS runtime
ARG APP_USER=stella
ARG APP_UID=10001
ARG APP_GID=10001
ARG APP_PORT=8080
ARG APP_BINARY=StellaOps.Service
ARG PUBLISH_DIR=/app/publish
# Install GSSAPI/Kerberos client library required by Npgsql for GSSAPI-capable
# PostgreSQL connections. Even when password auth is used, Npgsql probes for this
# library on startup. Sovereign deployments may enable Kerberos-protected Postgres.
RUN apt-get update && \
    apt-get install -y --no-install-recommends libgssapi-krb5-2 && \
    rm -rf /var/lib/apt/lists/*
# Create non-root user/group with stable ids for auditability
RUN groupadd -r -g ${APP_GID} ${APP_USER} && \
    useradd  -r -u ${APP_UID} -g ${APP_GID} -d /var/lib/${APP_USER} ${APP_USER} && \
    mkdir -p /app /var/lib/${APP_USER} /var/run/${APP_USER} /tmp && \
    chown -R ${APP_UID}:${APP_GID} /app /var/lib/${APP_USER} /var/run/${APP_USER} /tmp

WORKDIR /app
COPY --from=build --chown=${APP_UID}:${APP_GID} ${PUBLISH_DIR}/ ./
# Ship healthcheck helper; callers may override with their own script
COPY --chown=${APP_UID}:${APP_GID} devops/docker/healthcheck.sh /usr/local/bin/healthcheck.sh

ENV ASPNETCORE_URLS=http://+:${APP_PORT} \
    DOTNET_EnableDiagnostics=0 \
    COMPlus_EnableDiagnostics=0 \
    APP_BINARY=${APP_BINARY}

# Harden filesystem; deploys should also set readOnlyRootFilesystem true
# Keep the native AppHost binary (+x) and DLLs read-only (400)
RUN chmod 500 /app && \
    chmod +x /usr/local/bin/healthcheck.sh && \
    find /app -maxdepth 1 -type f -name '*.dll' -exec chmod 400 {} \; && \
    find /app -maxdepth 1 -type f -name '*.json' -exec chmod 400 {} \; && \
    find /app -maxdepth 1 -type f -name '*.pdb' -exec chmod 400 {} \; && \
    find /app -maxdepth 1 -type d -exec chmod 500 {} \; && \
    chmod 500 /app/${APP_BINARY} 2>/dev/null || true

USER ${APP_UID}:${APP_GID}
EXPOSE ${APP_PORT}
HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
  CMD /usr/local/bin/healthcheck.sh

# Use shell form so APP_BINARY env can be expanded without duplicating the template per service
ENTRYPOINT ["sh","-c","exec ./\"$APP_BINARY\""]