FROM golang:1.26-alpine AS build
WORKDIR /src

RUN apk add --no-cache ca-certificates git

COPY go.mod go.sum ./
RUN go mod download

COPY . .

ARG VERSION=dev
RUN CGO_ENABLED=0 GOOS=linux go build \
    -ldflags="-s -w -X main.version=${VERSION}" \
    -o /out/api ./cmd/api

FROM alpine:3.20 AS runtime
RUN apk add --no-cache ca-certificates tzdata && \
    addgroup -g 1000 app && \
    adduser -D -u 1000 -G app app && \
    # Pre-create the branding-uploads dir with the right ownership.
    # Docker copies this directory's contents + ownership into a
    # named volume on first mount, which is the only way to get the
    # volume owned by UID 1000 without a chmod entrypoint hack.
    mkdir -p /var/lib/guestguard/uploads && \
    chown -R 1000:1000 /var/lib/guestguard

WORKDIR /app
COPY --from=build /out/api /app/api

USER 1000:1000
EXPOSE 8080

ENTRYPOINT ["/app/api"]