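# Production Dockerfile for Stream Server
# Two stages: a Rust/musl build stage and a minimal Alpine runtime stage, so
# the compiler toolchain and sources never reach the shipped image.

# ---- Build stage ----
# Tags are mutable. For release builds, pin the base by digest as well,
# e.g. rust:1.84-alpine@sha256:<digest-placeholder>.
FROM rust:1.84-alpine AS builder

WORKDIR /app

# Build dependencies for the musl target.
RUN apk add --no-cache \
        ca-certificates \
        musl-dev

# Copy the manifests first so the dependency layer is reused until
# Cargo.toml or Cargo.lock changes.
COPY Cargo.toml Cargo.lock ./

# --locked makes cargo fail instead of silently rewriting Cargo.lock.
# NOTE(review): cargo must be able to parse the manifest without src/ present;
# if Cargo.toml relies on target auto-discovery this step may need a stub
# src/main.rs. Confirm against the real manifest.
RUN cargo fetch --locked

# Application sources.
COPY src ./src
COPY migrations ./migrations
COPY build.rs ./

# Release build for the musl target, then strip the binary to reduce size.
# The explicit strip runs regardless of the release-profile settings in
# Cargo.toml (not visible here).
RUN cargo build --release --locked --target x86_64-unknown-linux-musl \
    && strip /app/target/x86_64-unknown-linux-musl/release/stream_server

# ---- Runtime stage ----
# Same digest-pinning advice as the build stage applies here.
FROM alpine:3.21

# Runtime dependencies only: CA bundle, time zone data, and wget for the
# health check. --no-cache leaves no apk index behind, so no separate
# cache clean-up step is needed.
RUN apk add --no-cache \
        ca-certificates \
        tzdata \
        wget

# Dedicated unprivileged account with a fixed UID/GID so orchestrators can
# verify it. The service account gets no login shell; the HEALTHCHECK below
# runs through the image's /bin/sh, not the account's shell.
RUN addgroup -g 1001 -S app \
    && adduser -S app -u 1001 -G app -h /app -s /sbin/nologin

WORKDIR /app

# Only the compiled binary and the migrations are taken from the build stage.
COPY --from=builder --chown=app:app /app/target/x86_64-unknown-linux-musl/release/stream_server /app/stream_server
COPY --from=builder --chown=app:app /app/migrations ./migrations

# Drop root before anything is executed at runtime.
USER app

# Documentation only; 8082 is above 1024, so the non-root user can bind it.
EXPOSE 8082

# Probe the local health endpoint. `|| exit 1` maps every wget failure code
# to the single "unhealthy" status Docker expects.
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://localhost:8082/health || exit 1

# Exec form keeps the server as PID 1 so it receives SIGTERM from `docker stop`.
# The absolute path keeps the entrypoint valid if the working directory is
# overridden at run time.
ENTRYPOINT ["/app/stream_server"]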