quicproquo/docker/Dockerfile


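# ── Stage 1: Builder ──────────────────────────────────────────────────────────
#
# Uses the official Rust image on Debian Bookworm.
# capnproto is installed here because build.rs invokes `capnp` at compile time.
#
# NOTE(review): `rust:bookworm` is a floating tag, so the toolchain that
# compiles the server can change from one build to the next. For reproducible,
# auditable images pin it by version and digest, e.g.
# rust:<VERSION>-bookworm@sha256:<DIGEST> (placeholders, fill in when pinning).
FROM rust:bookworm AS builder

# update + install + list cleanup stay in one layer so no stale apt index is
# cached and the package lists never reach a layer.
RUN apt-get update \
    && apt-get install -y --no-install-recommends capnproto \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /build

# Copy manifests first so dependency layers are cached independently of source.
COPY Cargo.toml Cargo.lock ./
COPY crates/quicnprotochat-core/Cargo.toml crates/quicnprotochat-core/Cargo.toml
COPY crates/quicnprotochat-proto/Cargo.toml crates/quicnprotochat-proto/Cargo.toml
COPY crates/quicnprotochat-server/Cargo.toml crates/quicnprotochat-server/Cargo.toml
COPY crates/quicnprotochat-client/Cargo.toml crates/quicnprotochat-client/Cargo.toml

# Create dummy source files so `cargo build` can resolve the dependency graph
# and cache the compiled dependencies before copying real source.
RUN mkdir -p \
        crates/quicnprotochat-core/src \
        crates/quicnprotochat-proto/src \
        crates/quicnprotochat-server/src \
        crates/quicnprotochat-client/src \
    && echo 'fn main() {}' > crates/quicnprotochat-server/src/main.rs \
    && echo 'fn main() {}' > crates/quicnprotochat-client/src/main.rs \
    && touch crates/quicnprotochat-core/src/lib.rs \
    && touch crates/quicnprotochat-proto/src/lib.rs

# Schemas must exist before the proto crate's build.rs runs.
COPY schemas/ schemas/

# Build dependencies only (source stubs mean this layer is cache-friendly).
# This step is best effort: stderr is discarded and a non-zero exit is ignored,
# so a failure here only costs cache warmth; the final build below is the one
# that must succeed.
# --locked makes cargo refuse to re-resolve dependencies when Cargo.lock does
# not match the manifests, so crates come from the committed lockfile only.
RUN cargo build --locked --release --bin quicnprotochat-server 2>/dev/null || true

# Copy real source and build for real.
COPY crates/ crates/

# Touch the lib.rs and main.rs entry points to force re-compilation of the
# workspace crates (presumably so the stub build's artifacts are not treated
# as up to date when the copied files carry older timestamps).
RUN touch \
        crates/quicnprotochat-core/src/lib.rs \
        crates/quicnprotochat-proto/src/lib.rs \
        crates/quicnprotochat-server/src/main.rs \
        crates/quicnprotochat-client/src/main.rs

# Final build. --locked fails the build, loudly this time, if Cargo.lock is out
# of date instead of silently pulling in dependency versions nobody reviewed.
RUN cargo build --locked --release --bin quicnprotochat-server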
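# ── Stage 2: Runtime ──────────────────────────────────────────────────────────
#
# Minimal Debian Bookworm image — no Rust toolchain, no capnp compiler.
#
# NOTE(review): `debian:bookworm-slim` is a floating tag; pin it by digest
# (debian:bookworm-slim@sha256:<DIGEST>, placeholder) if the runtime base must
# be reproducible, and rebuild on a schedule so base-image fixes are picked up.
FROM debian:bookworm-slim AS runtime

# ca-certificates is included so future HTTPS calls (e.g. from M6 key sync)
# work without further changes to this stage.
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Only the release binary crosses the stage boundary; sources, build cache and
# the toolchain stay behind in the builder stage.
COPY --from=builder /build/target/release/quicnprotochat-server /usr/local/bin/quicnprotochat-server

# NOTE(review): EXPOSE without a protocol documents a TCP port. If the server
# listens over QUIC (UDP), as the project name suggests, this should be
# `EXPOSE 7000/udp` — confirm against the server's transport.
EXPOSE 7000

# RUST_LOG sets the default log verbosity. QUICNPROTOCHAT_LISTEN is presumably
# the bind address read by the server; 0.0.0.0 accepts connections on every
# container interface, so reachability is decided by what the operator
# publishes or routes to the container.
ENV RUST_LOG=info \
    QUICNPROTOCHAT_LISTEN=0.0.0.0:7000

# Run as a non-root user. 65534:65534 is Debian's nobody:nogroup, written
# numerically so runtimes that enforce "must not be root" (e.g. Kubernetes
# runAsNonRoot) can verify the UID without resolving a user name.
USER 65534:65534

# Exec form: the server is started directly, with no shell wrapper, so it
# receives the stop signal itself.
CMD ["quicnprotochat-server"]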