FROM golang:1.25-alpine AS builder

RUN apk add --no-cache git
WORKDIR /build
COPY go.mod go.sum ./
RUN go mod download

COPY . .

ARG VERSION=dev
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.version=${VERSION}" -o /mcrsrv ./cmd/mcrsrv

FROM alpine:3.21

RUN apk add --no-cache ca-certificates tzdata \
    && addgroup -S mcr \
    && adduser -S -G mcr -h /srv/mcr -s /sbin/nologin mcr \
    && mkdir -p /srv/mcr && chown mcr:mcr /srv/mcr

COPY --from=builder /mcrsrv /usr/local/bin/mcrsrv

# /srv/mcr is the single volume mount point.
# It must contain:
#   mcr.toml   — configuration file
#   certs/     — TLS certificate and key
#   layers/    — blob storage
#   uploads/   — in-progress uploads (same filesystem as layers/)
#   mcr.db     — created automatically on first run
VOLUME /srv/mcr
WORKDIR /srv/mcr

EXPOSE 8443
EXPOSE 9443

USER mcr

ENTRYPOINT ["mcrsrv"]
CMD ["server", "--config", "/srv/mcr/mcr.toml"]