# Homelab MCP Servers - Docker Container
# Packages Docker and Ping MCP servers for easy distribution
# https://github.com/bjeans/homelab-mcp
# https://hub.docker.com/r/bjeans/homelab-mcp

# === Builder Stage ===
FROM python:3.14-alpine AS builder

# Install build dependencies (temporary, will be removed in runtime stage)
RUN apk add --no-cache --virtual .build-deps \
    gcc \
    musl-dev \
    python3-dev \
    libffi-dev \
    openssl-dev \
    yaml-dev

# Copy requirements
COPY requirements.txt .

# Upgrade pip to 25.3+ (mitigates CVE-2025-8869: pip tarfile link following vulnerability)
RUN pip install --no-cache-dir --upgrade "pip>=25.3"

# Install Python dependencies into /install directory
RUN pip install --no-cache-dir --target=/install -r requirements.txt

# === Runtime Stage ===
FROM python:3.14-alpine

# Metadata
LABEL maintainer="Barnaby Jeans <barnaby@bjeans.dev>"
LABEL description="MCP servers for homelab infrastructure management"
LABEL org.opencontainers.image.source="https://github.com/bjeans/homelab-mcp"
LABEL org.opencontainers.image.licenses="MIT"

# Install runtime dependencies (requires root privileges)
RUN apk add --no-cache \
    bash \
    iputils-ping \
    procps-ng \
    libffi

# Upgrade pip to 25.3+ (mitigates CVE-2025-8869: pip tarfile link following vulnerability)
RUN pip install --no-cache-dir --upgrade "pip>=25.3"

# Create non-root user for security (now bash is available)
RUN adduser -D -u 1000 -s /bin/bash mcpuser && \
    mkdir -p /config /app && \
    chown -R mcpuser:mcpuser /app /config

# Set working directory
WORKDIR /app

# Copy Python packages from builder
COPY --from=builder /install /usr/local/lib/python3.14/site-packages

# Copy requirements for reference
COPY --chown=mcpuser:mcpuser requirements.txt .

# Copy MCP server files
COPY --chown=mcpuser:mcpuser ansible_config_manager.py .
COPY --chown=mcpuser:mcpuser ansible_mcp_server.py .
COPY --chown=mcpuser:mcpuser homelab_unified_mcp.py .
COPY --chown=mcpuser:mcpuser docker_mcp_podman.py .
COPY --chown=mcpuser:mcpuser ping_mcp_server.py .
COPY --chown=mcpuser:mcpuser ollama_mcp.py .
COPY --chown=mcpuser:mcpuser pihole_mcp.py .
COPY --chown=mcpuser:mcpuser unifi_mcp_optimized.py .
# COPY --chown=mcpuser:mcpuser mcp_registry_inspector.py .
COPY --chown=mcpuser:mcpuser unifi_exporter.py .
COPY --chown=mcpuser:mcpuser mcp_config_loader.py .
COPY --chown=mcpuser:mcpuser mcp_error_handler.py .
COPY --chown=mcpuser:mcpuser ups_mcp_server.py .

# Copy entrypoint script
COPY --chown=mcpuser:mcpuser docker-entrypoint.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/docker-entrypoint.sh

# Switch to non-root user
USER mcpuser

# Environment variables with defaults
ENV PYTHONUNBUFFERED=1 \
    # ENABLED_SERVERS=docker,ping \
    ANSIBLE_INVENTORY_PATH=/config/ansible_hosts.yml 

# Expose stdio for MCP communication
# MCP servers communicate over stdin/stdout, no ports needed

# Health check (checks if Python process is running)
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD pgrep -f "python.*mcp" || exit 1

# Set entrypoint
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
