# syntax=docker/dockerfile:1

ARG BINARY
ARG TARGETARCH

# ==========================
# Stage: minimal
# ==========================
FROM debian:12-slim AS minimal

ARG TARGETARCH
ARG BINARY

RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        binutils \
        curl \
        xz-utils \
        ca-certificates; \
    rm -rf /var/lib/apt/lists/*; \
    \
    case "${TARGETARCH}" in \
        amd64) UPX_ARCH="amd64" ;; \
        arm64) UPX_ARCH="arm64" ;; \
        *) echo "Unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \
    esac; \
    \
    curl -fL \
        --retry 5 \
        --retry-delay 3 \
        --connect-timeout 10 \
        --max-time 120 \
        -o /tmp/upx.tar.xz \
        "https://github.com/telemt/telemt/releases/download/toolchains/upx-${UPX_ARCH}_linux.tar.xz"; \
    \
    tar -xf /tmp/upx.tar.xz -C /tmp; \
    install -m 0755 /tmp/upx*/upx /usr/local/bin/upx; \
    rm -rf /tmp/upx*

COPY ${BINARY} /telemt

RUN set -eux; \
    test -f /telemt; \
    strip --strip-unneeded /telemt || true; \
    upx --best --lzma /telemt || true

# ==========================
# Debug image
# ==========================
FROM debian:12-slim AS debug

RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        tzdata \
        curl \
        iproute2 \
        busybox; \
    rm -rf /var/lib/apt/lists/*

WORKDIR /app

COPY --from=minimal /telemt /app/telemt
COPY config.toml /app/config.toml

EXPOSE 443 9090 9091

ENTRYPOINT ["/app/telemt"]
CMD ["config.toml"]

# ==========================
# Production (distroless, for static MUSL binary)
# ==========================
FROM gcr.io/distroless/static-debian12 AS prod

WORKDIR /app

COPY --from=minimal /telemt /app/telemt
COPY config.toml /app/config.toml

USER nonroot:nonroot

EXPOSE 443 9090 9091

ENTRYPOINT ["/app/telemt"]
CMD ["config.toml"]