Whitelist-API/API/Dockerfile

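# syntax=docker/dockerfile:1.4
# Shared Rust toolchain stage that both builder stages derive from.
# The Debian release is spelled out (rust:1.73 is the bookworm variant) because
# the runtime stage has to provide a glibc/OpenSSL at least as new as the one
# the release binary is linked against in this image.
# NOTE(review): for reproducible builds, additionally pin the image by digest
# (rust:1.73-bookworm@sha256:<digest>) and bump it deliberately.
FROM rust:1.73-bookworm AS base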
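# Test/CI tooling stage: database client libraries, sqlx-cli, coverage, audit
# and lint tools. Nothing from this stage is copied into the runtime image.
FROM base AS test-builder

# The base image ships an apt hook that deletes downloaded .deb files after each
# install; drop it so the /var/cache/apt cache mount below is actually reused.
RUN rm -f /etc/apt/apt.conf.d/docker-clean

# The cache mounts live on the build host and never become part of a layer, so
# no `apt-get clean` is needed (it would only empty the shared cache). The
# package lists under /var/lib/apt/lists are not mounted and are removed in the
# same layer that created them.
# NOTE(review): cargo-tarpaulin and cargo-audit are installed without a version
# and none of the `cargo install` calls use --locked, so every uncached build
# resolves whatever crates.io serves at that moment. Pin exact versions and
# consider --locked so the tool supply chain is reviewable and reproducible.
RUN --mount=type=cache,target="/var/cache/apt" \
    --mount=type=cache,target="/usr/local/cargo/registry" \
    apt-get update && \
    apt-get -y install --no-install-recommends \
        libpq5 \
        postgresql && \
    cargo install sqlx-cli --version="^0.5" --features="postgres" && \
    cargo install cargo-tarpaulin cargo-audit && \
    rustup component add clippy rustfmt && \
    rm -rf /var/lib/apt/lists/*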
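# Release build stage: compiles the `api` binary and defines the unprivileged
# account whose /etc/passwd and /etc/group entries the runtime stage copies.
FROM base AS prod-builder
WORKDIR /app

# Build-stage settings. These ENV values exist only in this stage; the runtime
# stage sets its own APP_ENVIRONMENT.
#   SQLX_OFFLINE    - make sqlx use saved metadata instead of a live database
#   USER / UID      - name and fixed numeric id of the unprivileged account
ENV SQLX_OFFLINE=true \
    USER=api \
    UID=10001 \
    APP_ENVIRONMENT=production

# Create the account in its own layer, ahead of the source copy, so it stays
# cached across source changes and does not run with the cargo cache mounts
# attached. No password, no home directory, no login shell.
RUN adduser \
        --disabled-password \
        --gecos "" \
        --home "/nonexistent" \
        --shell "/sbin/nologin" \
        --no-create-home \
        --uid "${UID}" \
        "${USER}"

# NOTE(review): this copies the entire build context, including .env and any
# other local files, into the stage. Maintain a .dockerignore (.git, target/,
# local credentials) so only what the build needs is sent to the builder.
COPY ./ .

# /app/target is a private cache mount and is not part of the layer, so the
# finished binary is copied out to a path that persists in the stage.
RUN --mount=type=cache,target="/usr/local/cargo/registry" \
    --mount=type=cache,sharing=private,target="/app/target" \
    cargo build --release && \
    cp target/release/api ./release-executable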
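# Runtime stage: minimal Debian image carrying only the release binary, its
# configuration and the TLS runtime packages.
# The release matches the builder (rust:1.73 is built on Debian bookworm).
# debian:buster-slim is end-of-life, so it no longer receives security fixes,
# and its older glibc/OpenSSL may refuse to load a binary linked on bookworm.
# NOTE(review): pin by digest (debian:bookworm-slim@sha256:<digest>) for
# reproducible, auditable rebuilds.
FROM debian:bookworm-slim AS prod
WORKDIR /app
ENV APP_ENVIRONMENT=production

# OS packages first: this layer changes rarely, so it stays cached when only
# the application binary changes.
RUN --mount=type=cache,target="/var/cache/apt" \
    apt-get update -y && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        openssl && \
    apt-get autoremove -y && \
    apt-get clean -y && \
    rm -rf /var/lib/apt/lists/*

# Synchronize users: take the account database from the builder so the `api`
# user and group created there exist in this image.
COPY --from=prod-builder /etc/passwd /etc/passwd
COPY --from=prod-builder /etc/group /etc/group

# Copy the build over. The files stay root-owned, so the unprivileged process
# can read and execute them but cannot modify them.
COPY --from=prod-builder /app/configuration/ ./configuration/
# NOTE(review): .env is baked into an image layer. Anything in it (database
# URLs, tokens, keys) is readable by everyone who can pull the image or inspect
# its layers. If it holds secrets, inject them at run time instead (environment
# variables or the orchestrator's secret store) and keep only non-sensitive
# defaults here.
COPY --from=prod-builder /app/.env ./.env
COPY --from=prod-builder /app/release-executable ./api

# Use our unprivileged user
USER api:api
ENTRYPOINT ["/app/api"]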