metacrypt/Dockerfile

FROM golang:1.23-alpine AS builder

RUN apk add --no-cache gcc musl-dev

WORKDIR /build
COPY go.mod go.sum ./
RUN go mod download

COPY . .
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /metacrypt ./cmd/metacrypt

FROM alpine:3.21

RUN apk add --no-cache ca-certificates tzdata \
    && addgroup -S metacrypt \
    && adduser -S -G metacrypt -h /srv/metacrypt -s /sbin/nologin metacrypt \
    && mkdir -p /srv/metacrypt && chown metacrypt:metacrypt /srv/metacrypt

COPY --from=builder /metacrypt /usr/local/bin/metacrypt
COPY web/ /srv/metacrypt/web/

# /srv/metacrypt is the single volume mount point.
# It must contain:
#   metacrypt.toml  — configuration file
#   certs/          — TLS certificate and key
#   metacrypt.db    — created automatically on first run
VOLUME /srv/metacrypt
WORKDIR /srv/metacrypt

EXPOSE 8443

USER metacrypt

ENTRYPOINT ["metacrypt"]
CMD ["server", "--config", "/srv/metacrypt/metacrypt.toml"]