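# ICAP scanner. Ubuntu base because Debian's c-icap ships without
# bundled modules and squidclamav was removed from both archives.
# Signature reload is wired up via entrypoint.sh's reload-watcher,
# which writes ``clamav:dbreload`` to c-icap's command FIFO whenever
# freshclam swaps in newer sig files. See docker/clamav-icap/README.md
# for the design rationale.
#
# NOTE(review): the base is referenced by a mutable tag, so a rebuild can
# silently pick up a different image. Pin it by digest
# (``ubuntu:24.04@sha256:<digest>``) if reproducible builds matter here.
FROM ubuntu:24.04

# Build-time only: keeps apt non-interactive during the RUN steps below
# without leaving DEBIAN_FRONTEND set in the running container's
# environment (which ENV would do).
ARG DEBIAN_FRONTEND=noninteractive

# Free UID 1000 so the ``clamav`` package user can claim it (stable
# owner for the persistent ``/var/lib/clamav`` volume across rebuilds).
# NOTE(review): nothing in this file requests or checks the UID the
# package assigns; confirm it (e.g. ``id clamav`` in a built image).
# If it can differ between builds, ownership of an existing volume
# would stop matching the in-image user.
RUN userdel -r ubuntu

# Scanner runtime. Versions are not pinned, so each build takes whatever
# the archive serves at that moment.
# NOTE(review): curl is presumably used by entrypoint.sh -- confirm, and
# drop it if unused to keep the image's tool set minimal.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        c-icap \
        ca-certificates \
        clamav-freshclam \
        curl \
        libc-icap-mod-virus-scan \
    && rm -rf /var/lib/apt/lists/*

# Make sure the signature directory exists and is owned by clamav.
RUN install -d -o clamav -g clamav -m 0755 /var/lib/clamav

# COPY without --chown leaves the configs and the entrypoint root-owned,
# so an unprivileged process in the container cannot rewrite them.
COPY c-icap.conf /etc/c-icap/c-icap.conf
COPY freshclam.conf /etc/clamav/freshclam.conf
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Documentation only; does not publish the port. This file does not show
# whether c-icap.conf restricts which clients may connect, so keep 1344
# reachable only from the proxy that submits content for scanning.
EXPOSE 1344

# Echo service liveness only (returns 200 even before sigs are loaded).
# "healthy" therefore does not prove that virus scanning works: do not
# use this status alone to decide that traffic is being scanned. Verify
# signature load separately (for example from freshclam/c-icap logs).
HEALTHCHECK --interval=30s --timeout=5s --start-period=600s --retries=3 \
    CMD c-icap-client -i 127.0.0.1 -p 1344 -s echo -no204 >/dev/null 2>&1 || exit 1

# NOTE(review): no USER is set, so entrypoint.sh starts as root. Confirm
# that it drops privileges before launching c-icap and freshclam.
ENTRYPOINT ["/entrypoint.sh"]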
