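# Multi-stage build for SecretumVault.
#
# Stage 1 compiles the `svault` binary with the full Rust toolchain; stage 2
# carries only the binary and its runtime libraries and runs as an
# unprivileged user. No configuration or key material is copied into the
# image: the file named by VAULT_CONFIG has to be supplied at run time
# (for example as a read-only mount).

# Stage 1: Builder
# NOTE(review): both base images are referenced by mutable tag. For
# reproducible, tamper-evident builds pin them by digest
# (rust:1.82@sha256:<digest>, debian:bookworm-slim@sha256:<digest>).
FROM rust:1.82 AS builder

WORKDIR /build

# Build-time native dependencies (presumably for crates that link against
# OpenSSL; confirm against Cargo.toml). --no-install-recommends keeps
# unrelated packages out, and the apt lists are removed in the same layer.
RUN apt-get update && apt-get install -y --no-install-recommends \
        libssl-dev \
        pkg-config \
    && rm -rf /var/lib/apt/lists/*

# Copy manifests
COPY Cargo.toml Cargo.lock ./

# Copy source code
COPY src ./src

# Build with all features.
# --locked makes cargo fail instead of silently re-resolving dependencies when
# Cargo.lock does not match Cargo.toml, so the image is always built from the
# dependency versions that were reviewed and committed.
RUN cargo build --release --locked --features "server cli surrealdb-storage etcd-storage postgresql-storage aws-lc pqc cedar"

# Stage 2: Runtime
FROM debian:bookworm-slim AS runtime

WORKDIR /app

# Runtime dependencies only: libssl3 for the binary, ca-certificates for TLS
# trust roots, curl for the HEALTHCHECK below.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        libssl3 \
    && rm -rf /var/lib/apt/lists/*

# Copy binary from builder. It stays owned by root, so the unprivileged
# runtime user cannot modify it.
COPY --from=builder /build/target/release/svault /usr/local/bin/svault

# Create the vault user with a fixed UID and hand it the working directory,
# then drop root for everything that follows (including the running server).
RUN useradd -m -u 1000 vault && chown -R vault:vault /app
USER vault

# Default config path. Nothing in this Dockerfile creates the file; it is
# expected to be provided at run time.
ENV VAULT_CONFIG=/etc/secretumvault/svault.toml

# Health check
# NOTE(review): assumes a plaintext HTTP listener on 8200 - confirm; if the
# server only speaks TLS this probe needs https and a trusted certificate.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
    CMD curl -f http://localhost:8200/v1/sys/health || exit 1

# Expose ports (documentation only; 8200 is the port probed above, the role of
# 9090 is not visible in this file).
EXPOSE 8200 9090

# Default command.
# Exec-form CMD is not processed by a shell, so "${VAULT_CONFIG}" would reach
# svault as a literal, unexpanded string. The default path is therefore spelled
# out here and must be kept in sync with the ENV above. To use another config
# file, override the arguments: docker run <image> server --config <path>.
ENTRYPOINT ["svault"]
CMD ["server", "--config", "/etc/secretumvault/svault.toml"]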