FROM golang:1.25-alpine AS builder

ARG VERSION=dev

RUN apk add --no-cache git

WORKDIR /build
COPY go.mod go.sum ./
RUN go mod download

COPY . .
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.version=${VERSION}" -o mcns ./cmd/mcns

FROM alpine:3.21

RUN apk add --no-cache ca-certificates tzdata \
    && addgroup -S mcns \
    && adduser -S -G mcns -h /srv/mcns -s /sbin/nologin mcns \
    && mkdir -p /srv/mcns && chown mcns:mcns /srv/mcns

COPY --from=builder /build/mcns /usr/local/bin/mcns

# /srv/mcns is the single volume mount point.
# It must contain:
#   mcns.toml  — configuration file
#   certs/     — TLS certificate and key
#   mcns.db    — created automatically on first run
VOLUME /srv/mcns
WORKDIR /srv/mcns

EXPOSE 53/udp 53/tcp
EXPOSE 8443
EXPOSE 9443

USER mcns

ENTRYPOINT ["mcns"]
CMD ["server", "--config", "/srv/mcns/mcns.toml"]