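# Production runtime image for ja4sentinel
# Based on architecture.yml ci_cd.docker.images.ja4sentinel-runtime

# Tag of the Alpine image used for the runtime stage. The default keeps the
# existing behaviour (a floating tag), which means two builds of the same
# commit can ship different base layers. Release builds should override it
# with a fixed tag (ideally tag@digest) from the same Alpine release that
# golang:1.24-alpine is built on, so the runtime libpcap/musl match the ones
# the binary was linked against:
#   docker build --build-arg ALPINE_VERSION=<pinned-tag> .
ARG ALPINE_VERSION=latest

# ---------------------------------------------------------------------------
# Build stage: compiles the binary; nothing from this stage except the
# binary copied below reaches the final image.
# ---------------------------------------------------------------------------
FROM golang:1.24-alpine AS builder

# Toolchain and headers needed to compile and link against libpcap
# (presumably through cgo, given CGO_ENABLED=1 in the build step).
RUN apk add --no-cache \
        gcc \
        git \
        libpcap-dev \
        linux-headers \
        make \
        musl-dev

WORKDIR /app

# Copy only the module manifests first so the dependency layer stays cached
# until they change. go.sum is matched with a glob so the COPY does not fail
# when the file is absent.
# NOTE(review): without a committed go.sum the build has no repository-pinned
# module hashes to compare downloads against - confirm go.sum is always
# checked in.
COPY go.mod go.sum* ./

# Pre-fetch modules.
# NOTE(review): `|| true` hides any failure of this step (proxy outage,
# checksum error); the layer is still cached as successful and the problem
# resurfaces, if at all, only in `go build` below. Drop `|| true` unless
# offline or vendored builds depend on it - confirm.
RUN go mod download || true

# Copy the rest of the build context.
# NOTE(review): this copies everything not excluded by .dockerignore into the
# builder layer; make sure .git, local env files and credentials are excluded.
COPY . .

# Build metadata injected into the binary through -ldflags -X. Declared after
# the source COPY so changing them only invalidates the build layer.
ARG VERSION=dev
ARG BUILD_TIME=unknown
ARG GIT_COMMIT=unknown

RUN mkdir -p dist && \
    CGO_ENABLED=1 GOOS=linux go build -buildvcs=false \
        -ldflags "-X main.Version=${VERSION} -X main.BuildTime=${BUILD_TIME} -X main.GitCommit=${GIT_COMMIT}" \
        -o dist/ja4sentinel ./cmd/ja4sentinel

# ---------------------------------------------------------------------------
# Runtime stage: minimal image containing the binary and its shared libraries.
# ---------------------------------------------------------------------------
FROM alpine:${ALPINE_VERSION} AS runtime

# Runtime dependencies: libpcap for packet capture, CA bundle for TLS.
RUN apk add --no-cache \
        ca-certificates \
        libpcap

# Dedicated unprivileged system account for the service.
# NOTE(review): no fixed UID/GID is assigned; orchestrators that verify a
# numeric non-root user (e.g. Kubernetes runAsNonRoot) need one - consider
# pinning it, keeping existing volume ownership in mind.
RUN addgroup -S ja4sentinel && adduser -S ja4sentinel -G ja4sentinel

# Create the state, run, config and log directories and hand only the state
# and log directories to the service account. /etc/ja4sentinel and /var/run
# stay root-owned, so the service cannot rewrite its own configuration.
# NOTE(review): if the service writes a PID file or socket under /var/run it
# will not be able to as this user - confirm.
RUN mkdir -p /var/lib/ja4sentinel /var/run /etc/ja4sentinel /var/log/ja4sentinel && \
    chown -R ja4sentinel:ja4sentinel /var/lib/ja4sentinel /var/log/ja4sentinel

# The binary is copied without --chown and therefore stays root-owned: the
# service account can execute it but not replace it.
COPY --from=builder /app/dist/ja4sentinel /usr/local/bin/ja4sentinel

# Drop privileges for everything that runs in the container.
# NOTE(review): live capture through libpcap normally requires CAP_NET_RAW.
# A non-root process does not hold it by default, so the deployment has to
# grant it explicitly (file capability on the binary or runtime-level
# capability configuration) - confirm how this image is expected to capture.
USER ja4sentinel

WORKDIR /var/lib/ja4sentinel

# Exec form: the binary runs as PID 1 and receives stop signals directly.
ENTRYPOINT ["/usr/local/bin/ja4sentinel"]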