FROM golang:1.25-alpine AS builder

WORKDIR /build
COPY go.mod go.sum ./
RUN go mod download

COPY . .

ARG VERSION=dev
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.version=${VERSION}" -o /mcr-web ./cmd/mcr-web

FROM alpine:3.21

RUN apk add --no-cache ca-certificates tzdata \
    && addgroup -S mcr \
    && adduser -S -G mcr -h /srv/mcr -s /sbin/nologin mcr \
    && mkdir -p /srv/mcr && chown mcr:mcr /srv/mcr

COPY --from=builder /mcr-web /usr/local/bin/mcr-web

# /srv/mcr is the single volume mount point.
# It must contain:
#   mcr.toml   — configuration file
#   certs/     — TLS certificate and key
VOLUME /srv/mcr
WORKDIR /srv/mcr

EXPOSE 8080

USER mcr

ENTRYPOINT ["mcr-web"]
CMD ["server", "--config", "/srv/mcr/mcr.toml"]