# -- Build the Go checker binary ------------------------------------------
FROM golang:1.25-alpine AS builder

ARG CHECKER_VERSION=custom-build

WORKDIR /src
COPY go.mod go.sum* ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -tags standalone -ldflags "-X main.Version=${CHECKER_VERSION}" -o /checker-dnsviz .

# -- Runtime image: dnsviz (Python) + checker binary ----------------------
#
# DNSViz is a Python tool. We base on alpine:3.20 and install dnsviz from
# its pip distribution along with the C deps it needs (libcrypto, m2crypto,
# pygraphviz is *not* installed: we only need probe/grok which output JSON).
FROM alpine:3.20

RUN apk add --no-cache \
        python3 \
        py3-pip \
        py3-cryptography \
        py3-dnspython \
        py3-pygraphviz \
        graphviz \
        ca-certificates \
        dnssec-root \
        && pip3 install --no-cache-dir --break-system-packages dnsviz \
        && adduser -D -u 65534 -H -s /sbin/nologin checker || true

COPY --from=builder /checker-dnsviz /usr/local/bin/checker-dnsviz

USER 65534:65534
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD ["/usr/local/bin/checker-dnsviz", "-healthcheck"]
ENTRYPOINT ["/usr/local/bin/checker-dnsviz"]