# Multi-stage build for optimized Rust binary
FROM rust:1.92-slim AS builder
# Install build dependencies (perl needed for vendored OpenSSL build)
RUN apt-get update && apt-get install -y \
pkg-config \
ca-certificates \
perl \
make \
gcc \
&& rm -rf /var/lib/apt/lists/*
# Create app directory
WORKDIR /app
# Copy manifests
COPY Cargo.toml Cargo.lock ./
# Create a dummy src directory to cache dependencies
RUN mkdir src && echo "fn main() {}" > src/main.rs
# Build dependencies only (this layer will be cached unless Cargo.toml changes)
RUN cargo build --release && rm -rf src
# Copy source code
COPY src ./src
# Build the actual application
RUN touch src/main.rs && cargo build --release
# Runtime stage - Debian 13 (Trixie)
FROM debian:trixie-slim
# Install runtime dependencies (no OpenSSL needed due to vendored feature)
RUN apt-get update && apt-get install -y \
ca-certificates \
curl \
&& rm -rf /var/lib/apt/lists/*
# Create non-root user for security
RUN useradd -m -u 1000 appuser
WORKDIR /app
# Copy the binary from builder stage
COPY --from=builder /app/target/release/restic-123pan /app/restic-123pan
# Change ownership to non-root user
RUN chown -R appuser:appuser /app
# Switch to non-root user
USER appuser
# Expose the default port
EXPOSE 8000
# Health check (HEAD request to /config endpoint)
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl -f -I http://localhost:8000/config || exit 1
# Run the application
ENTRYPOINT ["/app/restic-123pan"]