routewatch/Dockerfile
sneak c6fa2b0fbd Fix container to run app as routewatch user
Use runuser to drop privileges and execute the app as the routewatch
user (uid 1000). Fix data directory permissions at runtime since host
mounts may have incorrect ownership.
2025-12-31 16:17:59 -08:00


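# syntax=docker/dockerfile:1
# Build stage
# golang:1.24-bookworm is tag-pinned; pin by digest (@sha256:...) when a fully
# reproducible build is required.
FROM golang:1.24-bookworm AS builder
# Install build dependencies (zstd for archive, gcc for CGO/sqlite3)
RUN apt-get update && apt-get install -y --no-install-recommends \
    gcc \
    libc6-dev \
    zstd \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /src
# Copy only the module manifests first so the download layer stays cached
# until go.mod/go.sum change, instead of being invalidated by every source edit.
COPY go.mod go.sum ./
RUN go mod download
# Copy the rest of the source. Everything in the build context that is not
# excluded by .dockerignore lands here AND in the source archive below, which
# is shipped inside the runtime image -- keep credentials/.env files out of
# the build context.
COPY . .
# Vendor dependencies (must run after the full source copy: go mod vendor
# needs the import graph, not just the manifests)
RUN go mod vendor
# Build the binary with CGO enabled (required for sqlite3). -trimpath strips
# build-host paths from the binary so builds are reproducible across machines.
RUN CGO_ENABLED=1 GOOS=linux go build -trimpath -o /routewatch ./cmd/routewatch
# Create source archive with vendored dependencies
RUN tar --zstd -cf /routewatch-source.tar.zst \
    --exclude='.git' \
    --exclude='*.tar.zst' \
    .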
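# Runtime stage
# debian:bookworm-slim is tag-pinned; pin by digest (@sha256:...) when a fully
# reproducible image is required.
FROM debian:bookworm-slim
# Install runtime dependencies
# - ca-certificates: for HTTPS connections
# - curl: for health checks (the only reason a download tool is in this image)
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    curl \
    && rm -rf /var/lib/apt/lists/*
# Create non-root user with a fixed uid (1000) so host-mounted data can be
# chowned predictably; the entrypoint drops to this user at runtime.
RUN useradd -r -u 1000 -m routewatch
# Data directory ($XDG_DATA_HOME/<app id>). Ownership is re-applied by the
# entrypoint because a host mount may arrive with the wrong owner.
RUN mkdir -p /var/lib/berlin.sneak.app.routewatch \
    && chown routewatch:routewatch /var/lib/berlin.sneak.app.routewatch
# WORKDIR creates /app itself; no separate mkdir needed
WORKDIR /app
# Copy binary and source archive from builder. They stay root-owned and are
# only readable/executable for the service user: the process running as
# routewatch must not be able to rewrite its own executable. Using --chmod on
# COPY (BuildKit) also avoids a second chown layer that duplicates the files.
# NOTE(review): assumes the app writes only under XDG_DATA_HOME, never into
# /app -- confirm against entrypoint.sh before relying on this.
COPY --from=builder --chmod=0755 /routewatch /app/routewatch
COPY --from=builder --chmod=0644 /routewatch-source.tar.zst /app/source/routewatch-source.tar.zst
ENV XDG_DATA_HOME=/var/lib
# Expose HTTP port (documentation only; unprivileged port, so no extra caps
# are needed once the app runs as routewatch)
EXPOSE 8080
COPY --chmod=0755 ./entrypoint.sh /entrypoint.sh
# Health check using the health endpoint. It runs as the container's USER,
# which is root here (see ENTRYPOINT note), not as routewatch.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD curl -sf http://localhost:8080/.well-known/healthcheck.json || exit 1
# No USER directive on purpose: the container starts as root so the
# entrypoint can fix ownership of the (possibly host-mounted) data directory,
# then drops privileges to routewatch via runuser. The entrypoint must `exec`
# the app so it becomes PID 1 and receives SIGTERM -- verify in entrypoint.sh.
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]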