# nbdmux container -- bundles the daemon + nbd-server + minimal Python.
#
# Build:  podman build -t ghcr.io/safl/nbdmux:dev -f deploy/Containerfile .
# Run:    see deploy/compose.yml for the production shape.
#
# Two ports:
#   8082   HTTP control plane + operator UI
#  10809   NBD (nbd-server)

# Base image: Debian trixie, slim variant.
# NOTE(review): the tag is mutable and no digest is given, so two builds of
# this file can start from different base layers. For reproducible or
# auditable builds, append the digest of the image you verified, e.g.
# debian:trixie-slim@sha256:<DIGEST-PLACEHOLDER>.
FROM debian:trixie-slim

# OS packages, installed and cleaned up in a single layer so the apt package
# lists never persist in the image. Packages are listed alphabetically; no
# package versions are pinned, so the result tracks the trixie archive at
# build time.
# NOTE(review): python3-pip appears to be needed only by the build-time
# `pip install` step later in this file, yet it stays in the runtime image.
# Confirm whether anything uses pip at runtime.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install --yes --no-install-recommends \
        ca-certificates \
        curl \
        gzip \
        nbd-server \
        python3 \
        python3-pip \
        xz-utils \
        zstd && \
    rm -rf /var/lib/apt/lists/*

# curl: HEALTHCHECK below. curl's ``-f`` treats any 4xx/5xx as a
# non-zero exit without dumping a Python Traceback into
# ``podman logs`` on every probe when /healthz returns 503
# (nbd-server down). The Python-in-CMD alternative worked but
# spammed the logs on every failed probe.

# gzip / zstd / xz-utils: the Warmer pipeline (v0.2.0+) pipes
# upstream bytes through ``gunzip -c`` / ``zstd -d -c`` / ``xz -d -c``
# while streaming into the decompressed .img on disk. gzip ships
# baseline on trixie-slim but we list it explicitly for clarity
# (no package version is pinned).

# Install the nbdmux package from the build context into the system Python.
# Only the packaging metadata and src/ are copied, so nothing else from the
# build context ends up in the image.
WORKDIR /app
COPY pyproject.toml README.md LICENSE ./
COPY src/ ./src/

# --break-system-packages overrides pip's externally-managed-environment guard
# so the package lands in Debian's system site-packages. There is no virtualenv
# in this image.
# --no-cache-dir keeps pip's download cache out of the layer.
# NOTE(review): dependencies declared in pyproject.toml are resolved from the
# package index at build time. pyproject.toml is not shown here, so whether
# they are version-pinned or hash-checked cannot be confirmed. TODO: verify,
# or install from a hash-locked requirements file.
RUN pip install --no-cache-dir --break-system-packages .

# /data   -- persistent daemon state. The compose stack binds it to a named
#            volume, so registered exports survive a container rebuild.
# /images -- by convention, the image files served as NBD exports: a
#            read-only bind from the host that holds the actual .img bytes.
#            It is only a convention; the daemon will serve any absolute
#            path the operator registers.
# NOTE(review): because any absolute path can be registered, whoever can reach
# the control plane decides which files inside the container are exported
# over NBD. Keep the /images bind read-only and restrict access to the
# control-plane port accordingly.
ENV NBDMUX_DATA_DIR="/data"
VOLUME ["/data", "/images"]

# Documented ports: 8082 = HTTP control plane + operator UI, 10809 = NBD.
# EXPOSE is metadata only; publishing is decided at run time.
# NOTE(review): the probe below reaches the control plane over plain http://.
# Whether 8082 authenticates callers, and whether the bundled nbd-server is
# configured with TLS or client restrictions, is not visible in this file.
# Confirm before publishing either port beyond a trusted network.
EXPOSE 8082
EXPOSE 10809

# Liveness probe against /healthz. The long options are the spelled-out forms
# of `-fsS -o`: --fail turns an HTTP 4xx/5xx into a non-zero exit, and
# `|| exit 1` maps every curl failure code onto the single "unhealthy" status.
# --max-time 2 keeps curl inside the 3s probe timeout.
# NOTE(review): podman/buildah write OCI-format images by default, and that
# format carries no HEALTHCHECK. With a plain `podman build` the instruction
# may be dropped with a warning unless the image is built in docker format or
# the health check is declared in the compose file. Verify.
HEALTHCHECK --start-period=5s --interval=15s --timeout=3s \
    CMD curl --fail --silent --show-error --output /dev/null --max-time 2 \
        http://localhost:8082/healthz || exit 1

# NOTE(review): no USER instruction appears in this file, so nbdmux-server
# (and presumably the nbd-server it manages) runs as root in the container.
# Both ports are above 1024, so binding them does not itself require root.
# Moving to a dedicated unprivileged UID would need /data to be writable and
# the image files readable by that UID. Confirm against existing volumes
# before changing.
ENTRYPOINT ["nbdmux-server"]
CMD ["--data-dir", "/data", "--port", "8082", "--nbd-port", "10809"]
