metacrypt/Dockerfile

FROM golang:1.23-alpine AS builder

RUN apk add --no-cache gcc musl-dev

WORKDIR /build
COPY go.mod go.sum ./
RUN go mod download

COPY . .
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /metacrypt ./cmd/metacrypt

FROM alpine:3.21

RUN apk add --no-cache ca-certificates tzdata \
    && addgroup -S metacrypt \
    && adduser -S -G metacrypt -h /metacrypt -s /sbin/nologin metacrypt

COPY --from=builder /metacrypt /usr/local/bin/metacrypt
COPY web/ /metacrypt/web/

# /data is the single volume mount point.
# It must contain:
#   metacrypt.toml  — configuration file
#   certs/          — TLS certificate and key
#   metacrypt.db    — created automatically on first run
VOLUME /data
WORKDIR /data

EXPOSE 8443

USER metacrypt

ENTRYPOINT ["metacrypt"]
CMD ["server", "--config", "/data/metacrypt.toml"]