# syntax=docker/dockerfile:1.7

FROM golang:1.25-alpine AS builder

WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download

COPY . .
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /out/lethe ./cmd/lethe

FROM gcr.io/distroless/static-debian12:nonroot

WORKDIR /app
COPY --from=builder /out/lethe /app/lethe

# Server binds 127.0.0.1 inside the container; expose only on the compose
# network. The reverse proxy on the host is the public surface.
EXPOSE 8080

ENTRYPOINT ["/app/lethe"]
CMD ["-config", "/config.yaml"]