# =========================
# Builder stage
# =========================
FROM golang:1.25-alpine AS builder

RUN apk add --no-cache ca-certificates tzdata

WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download

COPY . .

# Version passed from build args
ARG VERSION=dev

# Buildx injects these automatically for multi-arch builds
ARG TARGETOS
ARG TARGETARCH

RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \
    go build -trimpath \
    -ldflags "-s -w -X main.version=${VERSION}" \
    -o /app/bin/drip \
    ./cmd/drip

# =========================
# Runtime stage
# =========================
FROM alpine:latest

RUN apk add --no-cache ca-certificates tzdata && \
    update-ca-certificates

WORKDIR /app

COPY --from=builder /etc/ssl/certs /etc/ssl/certs
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=builder /app/bin/drip /app/drip

RUN addgroup -S drip && adduser -S -G drip drip && \
    mkdir -p /app/data/certs && \
    chown -R drip:drip /app

USER drip

ENTRYPOINT ["/app/drip"]
CMD ["server", "-c", "/app/config.yaml"]