# syntax=docker/dockerfile:1

# ---------------------------------------------------------------------------
# Build stage: install adbhoneypot and its dependencies.
# The -dev variant has pip and build tools; the runtime variant does not.
# ---------------------------------------------------------------------------
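FROM dhi.io/python:3-dev AS builder

# VERSION has no default on purpose: the build must name the exact release
# to install (pass --build-arg VERSION=<x.y.z>), which keeps the image
# reproducible. The RUN below fails fast if it is left empty.
ARG VERSION
# Optional extras installed alongside the package (pip "[extras]" syntax);
# pass an empty value to install the bare package.
ARG PLUGINS=all

# Install adbhoneypot (and selected plugin dependencies) into a prefix that
# we can copy wholesale into the runtime stage.
# --no-cache-dir keeps pip's download cache out of the builder layer; nothing
# downstream would reuse it.
RUN test -n "${VERSION}" || { echo "error: build-arg VERSION is required" >&2; exit 1; } \
    && pip install --no-cache-dir --prefix=/install --prefer-binary \
    "adbhoneypot==${VERSION}${PLUGINS:+[${PLUGINS}]}"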

# ---------------------------------------------------------------------------
# Runtime stage: minimal hardened image, no shell, no package manager.
#
# SECURITY NOTE: Running this container requires the host user to be a member
# of the 'docker' group, which grants effective root access on the host.
# This negates the benefit of running the honeypot as a restricted user.
# Consider using Podman instead, which does not require privileged access:
#   https://podman.io/
# ---------------------------------------------------------------------------
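# The ":3" tag floats across minor releases; pin by digest
# (dhi.io/python:3@sha256:<digest-of-the-tested-image>) once a build has been
# validated so that rebuilds are reproducible.
FROM dhi.io/python:3

ARG VERSION
LABEL maintainer="Bontchev" \
      name="adbhoneypot" \
      version="${VERSION}" \
      org.opencontainers.image.title="adbhoneypot" \
      org.opencontainers.image.version="${VERSION}"

# Copy the installed packages from the build stage
COPY --from=builder /install /usr/local

# Run as a non-root user inside the container.
# A fixed numeric UID/GID lets orchestrators that enforce non-root execution
# (e.g. Kubernetes runAsNonRoot) verify the user without reading /etc/passwd.
# Note: this does not mitigate the host-level docker group privilege issue
# described above, but it limits post-exploitation options inside the container.
# NOTE(review): these shell-form RUN steps need /bin/sh, groupadd and useradd
# in the base image, while the stage header describes it as shell-less -
# confirm against the image contents.
RUN groupadd --system --gid 10001 adbhoneypot \
    && useradd --system --uid 10001 --gid adbhoneypot \
       --no-create-home --shell /bin/false adbhoneypot

# Documentation only: the port the honeypot listens on; publish it with -p
# (see the run example below).
EXPOSE 5555

# Scaffold the working directory and hand ownership to the non-root user in
# the same layer, so the chown does not duplicate the tree in a second layer.
WORKDIR /adbhoneypot
RUN adbhoneypot init && chown -R adbhoneypot:adbhoneypot /adbhoneypot

# Everything that needs root is done; all later instructions and the
# container process run as the restricted user.
USER adbhoneypot

# Mount your honeypot.cfg and GeoLite2 databases at runtime, e.g.:
#
#   docker run \
#     -v /path/to/honeypot.cfg:/adbhoneypot/etc/honeypot.cfg \
#     -v /path/to/data:/adbhoneypot/data \
#     -v /path/to/dl:/adbhoneypot/dl \
#     -v /path/to/log:/adbhoneypot/log \
#     -p 5555:5555 adbhoneypot
#
# Exec form: the honeypot is PID 1 and receives SIGTERM from `docker stop`.
CMD ["adbhoneypot", "run"]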
