Dockerfile.agent

# =============================================================================
# usulnet Agent - Lightweight Docker management agent
# Connects to master via NATS, executes Docker commands on remote hosts
# Optimized multi-stage production build
# =============================================================================

# Default BUILDPLATFORM for non-buildx environments (legacy Docker build)
ARG BUILDPLATFORM=linux/amd64

# Stage 1: Build Go binary
# --platform=$BUILDPLATFORM: run Go compiler natively (fast), cross-compile via GOARCH
FROM --platform=$BUILDPLATFORM golang:1.25.7-alpine AS builder

ARG TARGETARCH
ARG TARGETOS=linux

RUN apk add --no-cache git ca-certificates tzdata

# Install templ CLI (required for compilation even if agent doesn't use templates)
RUN go install github.com/a-h/templ/cmd/templ@v0.3.977

WORKDIR /build

# Copy dependency files first for caching
COPY go.mod go.sum ./
RUN go mod download

# Copy source code
COPY . .

# Generate templ files (needed for shared packages to compile)
RUN templ generate

# Tidy modules
RUN go mod tidy

# Build the agent binary with optimizations
ARG VERSION=dev
ARG COMMIT=unknown
ARG BUILD_TIME=unknown

RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
    -trimpath \
    -ldflags="-w -s \
        -X main.Version=${VERSION} \
        -X main.Commit=${COMMIT} \
        -X main.BuildDate=${BUILD_TIME}" \
    -o usulnet-agent \
    ./cmd/usulnet-agent

# =============================================================================
# Stage 2: Runtime image (minimal - no frontend, no editor)
# =============================================================================
FROM alpine:3.21

ARG VERSION=dev

# OCI image metadata labels
LABEL org.opencontainers.image.title="usulnet-agent" \
      org.opencontainers.image.description="usulnet Docker Management Agent" \
      org.opencontainers.image.url="https://github.com/fr4nsys/usulnet" \
      org.opencontainers.image.source="https://github.com/fr4nsys/usulnet" \
      org.opencontainers.image.vendor="usulnet" \
      org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.licenses="AGPL-3.0"

RUN apk add --no-cache ca-certificates tzdata curl su-exec && \
    rm -rf /var/cache/apk/*

# Create non-root user
RUN addgroup -g 1000 usulnet && \
    adduser -u 1000 -G usulnet -s /bin/sh -D usulnet

RUN mkdir -p /app/data /app/config /app/certs && \
    chown -R usulnet:usulnet /app

WORKDIR /app

# Copy agent binary with proper ownership
COPY --from=builder --chown=usulnet:usulnet /build/usulnet-agent /app/usulnet-agent

# Pre-generate shell tab-completion scripts so operators can `docker cp`
# them out without running the binary on the host. Cobra's completion
# subcommand produces shell-portable scripts; we bake one per shell.
# Runs on TARGETPLATFORM (no --platform on this stage) so the cross-
# compiled binary executes natively.
RUN mkdir -p /app/completions/bash /app/completions/zsh \
             /app/completions/fish /app/completions/powershell && \
    /app/usulnet-agent completion bash       > /app/completions/bash/usulnet-agent && \
    /app/usulnet-agent completion zsh        > /app/completions/zsh/_usulnet-agent && \
    /app/usulnet-agent completion fish       > /app/completions/fish/usulnet-agent.fish && \
    /app/usulnet-agent completion powershell > /app/completions/powershell/usulnet-agent.ps1 && \
    chown -R usulnet:usulnet /app/completions

# Agent entrypoint
COPY docker-entrypoint.agent.sh /app/docker-entrypoint.agent.sh
RUN chmod +x /app/docker-entrypoint.agent.sh

EXPOSE 0

HEALTHCHECK --interval=30s --timeout=10s --start-period=15s --retries=3 \
    CMD test -f /app/data/agent.pid || exit 1

ENTRYPOINT ["/app/docker-entrypoint.agent.sh"]
CMD ["/app/usulnet-agent", "--config", "/app/config/agent.yaml"]