# Build stage
FROM rust:1-bookworm AS builder
WORKDIR /build
COPY . .
RUN cargo build --release -p bascule-server

# Runtime stage
FROM debian:bookworm-slim
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
       ca-certificates \
       openssh-client \
    && rm -rf /var/lib/apt/lists/*

COPY --from=builder /build/target/release/bascule /usr/local/bin/bascule
RUN chmod +x /usr/local/bin/bascule

# Create non-root user
RUN useradd -r -s /usr/sbin/nologin bascule

# Config, keys, and host key directories
RUN mkdir -p /etc/bascule/keys /var/lib/bascule \
    && chown -R bascule:bascule /etc/bascule /var/lib/bascule

USER bascule
EXPOSE 2222
ENTRYPOINT ["bascule"]
CMD ["--config", "/etc/bascule/config.toml"]
