FROM golang:1.24-alpine AS builder

RUN apk add --no-cache git make libpcap-dev gcc musl-dev linux-headers

WORKDIR /build

# Copy workspace and shared module first (better caching)
COPY go.work go.work.sum* ./
COPY shared/go/ja4common/ ./shared/go/ja4common/
COPY services/sentinel/go.mod services/sentinel/go.sum* ./services/sentinel/
COPY services/correlator/go.mod services/correlator/go.sum* ./services/correlator/

WORKDIR /build/services/sentinel
RUN go mod download || true

COPY services/sentinel/ /build/services/sentinel/

ARG VERSION=dev
ARG BUILD_TIME=unknown
ARG GIT_COMMIT=unknown

RUN mkdir -p dist && \
    CGO_ENABLED=1 GOOS=linux GOARCH=amd64 \
    CGO_LDFLAGS="-Wl,-Bstatic -lpcap -Wl,-Bdynamic" \
    go build -buildvcs=false \
    -ldflags "-X main.Version=${VERSION} -X main.BuildTime=${BUILD_TIME} -X main.GitCommit=${GIT_COMMIT}" \
    -o dist/sentinel ./cmd/ja4sentinel

FROM alpine:latest
RUN apk add --no-cache ca-certificates
RUN addgroup -S sentinel && adduser -S sentinel -G sentinel
RUN mkdir -p /var/lib/sentinel /var/run /etc/sentinel /var/log/sentinel
COPY --from=builder /build/services/sentinel/dist/sentinel /usr/local/bin/sentinel
RUN chown -R sentinel:sentinel /var/lib/sentinel /var/log/sentinel
USER sentinel
WORKDIR /var/lib/sentinel
ENTRYPOINT ["/usr/local/bin/sentinel"]