# syntax=docker/dockerfile:1.4
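FROM swift:6.0-jammy AS builder
ARG DEBIAN_FRONTEND=noninteractive
# Build-time only. apt still verifies the signed Release files, so a plain-http
# mirror changes transport, not package integrity.
ARG UBUNTU_MIRROR=http://fr.archive.ubuntu.com/ubuntu
ARG UBUNTU_SECURITY_MIRROR=http://fr.archive.ubuntu.com/ubuntu
# Version stamp compiled into the binary (see the Version.swift heredoc below).
ARG WIRED_MARKETING_VERSION=3.0
ARG WIRED_BUILD_NUMBER=0
ARG WIRED_GIT_COMMIT=unknown
SHELL ["/bin/bash", "-lc"]
# Point apt at the configured mirrors and install the headers the Swift
# dependencies link against. Retry/timeout settings live in apt.conf so every
# apt-get call in this layer shares them instead of repeating -o flags.
RUN set -euo pipefail; \
    sed -i \
      -e "s|http://archive.ubuntu.com/ubuntu|${UBUNTU_MIRROR}|g" \
      -e "s|https://archive.ubuntu.com/ubuntu|${UBUNTU_MIRROR}|g" \
      -e "s|http://security.ubuntu.com/ubuntu|${UBUNTU_SECURITY_MIRROR}|g" \
      -e "s|https://security.ubuntu.com/ubuntu|${UBUNTU_SECURITY_MIRROR}|g" \
      /etc/apt/sources.list; \
    printf 'Acquire::Retries "5";\nAcquire::http::Timeout "30";\nAcquire::https::Timeout "30";\n' \
      > /etc/apt/apt.conf.d/99-build-acquire; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
      liblz4-dev \
      libsqlite3-dev \
      libssl-dev \
      zlib1g-dev; \
    rm -rf /var/lib/apt/lists/*
WORKDIR /src
# Manifests and vendored packages are copied first so these layers stay cached
# while application sources change. NOTE(review): nothing runs `swift package
# resolve` here, so dependency resolution still happens inside `swift build`
# below, i.e. after `COPY . .`; the split only saves the copy itself.
COPY Package.swift Package.resolved ./
COPY Vendor ./Vendor
COPY . .
# Stamp the build with version/commit metadata. The delimiter is deliberately
# unquoted so ${WIRED_*} expand to the ARG values and the doubled backslash
# becomes Swift's `\(` interpolation. The values are spliced into Swift string
# literals verbatim: a build-arg containing `"` or a newline will not compile.
RUN cat > /src/Sources/wired3/Core/Version.swift <<SWIFT
import Foundation
public enum WiredServerVersion {
    public static let marketingVersion = "${WIRED_MARKETING_VERSION}"
    public static let buildNumber = "${WIRED_BUILD_NUMBER}"
    public static let commit = "${WIRED_GIT_COMMIT}"
    public static let number = marketingVersion
    public static let display = "wired3 \\(marketingVersion) (\\(buildNumber)+\\(commit))"
}
SWIFT
RUN swift build -c release --product wired3 -Xswiftc -DGRDBCUSTOMSQLITE
# Stage the release binary plus the Swift runtime libraries it links against
# (those ldd resolves under a /swift/ path) into /out, laid out exactly as the
# runtime image expects. Fail loudly if ldd reports no Swift libraries: the
# runtime stage ships no Swift toolchain of its own, so the binary would not
# start.
RUN set -euo pipefail; \
    BIN_DIR="$(swift build -c release --show-bin-path)"; \
    BIN_PATH="$BIN_DIR/wired3"; \
    mkdir -p /out/usr/local/bin /out/usr/lib/wired3 /out/usr/share/wired3; \
    cp "$BIN_PATH" /out/usr/lib/wired3/wired3-bin; \
    chmod 0755 /out/usr/lib/wired3/wired3-bin; \
    mapfile -t SWIFT_DEPS < <(ldd "$BIN_PATH" | awk '/=> \// {print $3}' | grep '/swift/' | sort -u); \
    if [[ "${#SWIFT_DEPS[@]}" -eq 0 ]]; then \
      echo "No Swift runtime dependencies found in ldd output"; \
      ldd "$BIN_PATH" || true; \
      exit 1; \
    fi; \
    cp "${SWIFT_DEPS[@]}" /out/usr/lib/wired3/; \
    cp /src/Sources/WiredSwift/Resources/wired.xml /out/usr/share/wired3/wired.xml; \
    cp /src/Sources/wired3/banner.png /out/usr/share/wired3/banner.png; \
    cp /src/Sources/wired3/config.ini /out/usr/share/wired3/config.ini.example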
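FROM ubuntu:22.04 AS runtime
ARG DEBIAN_FRONTEND=noninteractive
ARG UBUNTU_MIRROR=http://fr.archive.ubuntu.com/ubuntu
ARG UBUNTU_SECURITY_MIRROR=http://fr.archive.ubuntu.com/ubuntu
# ARGs are stage-scoped. Without this redeclaration the ENV further down
# expands to an empty string and `--build-arg WIRED_XML_UPDATE_IF_DIFFERENT=0`
# is silently ignored (the entrypoint then falls back to its own default of 1).
ARG WIRED_XML_UPDATE_IF_DIFFERENT=1
SHELL ["/bin/bash", "-lc"]
# Runtime libraries only; no compilers or headers reach this image. The apt
# retry/timeout file is removed together with the lists so the final image
# carries no build-only apt configuration.
RUN set -euo pipefail; \
    sed -i \
      -e "s|http://archive.ubuntu.com/ubuntu|${UBUNTU_MIRROR}|g" \
      -e "s|https://archive.ubuntu.com/ubuntu|${UBUNTU_MIRROR}|g" \
      -e "s|http://security.ubuntu.com/ubuntu|${UBUNTU_SECURITY_MIRROR}|g" \
      -e "s|https://security.ubuntu.com/ubuntu|${UBUNTU_SECURITY_MIRROR}|g" \
      /etc/apt/sources.list; \
    printf 'Acquire::Retries "5";\nAcquire::http::Timeout "30";\nAcquire::https::Timeout "30";\n' \
      > /etc/apt/apt.conf.d/99-build-acquire; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
      ca-certificates \
      libcurl4 \
      liblz4-1 \
      libsqlite3-0 \
      libssl3 \
      libxml2 \
      tzdata \
      zlib1g; \
    rm -rf /var/lib/apt/lists/* /etc/apt/apt.conf.d/99-build-acquire
# Dedicated unprivileged service account with no login shell. `--system` picks
# a UID/GID from the system range, so the numeric id is not guaranteed to be
# identical across builds; pin `--uid`/`--gid` if a runtime policy (e.g.
# runAsNonRoot with an explicit UID) needs a stable id. Changing it later
# affects ownership of existing volumes, so it is left dynamic here.
RUN groupadd --system wired3 \
    && useradd --system --gid wired3 --home-dir /var/lib/wired3 --create-home --shell /usr/sbin/nologin wired3 \
    && install -d -m 0750 -o wired3 -g wired3 /var/lib/wired3
# Binary, Swift runtime and seed data stay root-owned (mode 0755 from the
# builder) so the service account can execute/read them but not modify them.
COPY --from=builder /out/usr/lib/wired3 /usr/lib/wired3
COPY --from=builder /out/usr/share/wired3 /usr/share/wired3
# Quoted delimiters: both scripts are written verbatim with no build-time
# expansion. The wrapper makes the private Swift runtime visible to the
# dynamic linker and replaces itself with the real binary.
RUN cat > /usr/local/bin/wired3 <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
export LD_LIBRARY_PATH="/usr/lib/wired3:${LD_LIBRARY_PATH:-}"
exec /usr/lib/wired3/wired3-bin "$@"
EOF
RUN cat > /usr/local/bin/docker-entrypoint.sh <<'EOF'
#!/usr/bin/env bash
# Container entrypoint: seeds the state directory on first start, then execs
# the server so it runs as PID 1 and receives signals from `docker stop`.
set -euo pipefail

STATE_DIR=/var/lib/wired3
SHARE_DIR=/usr/share/wired3

# This runs as the unprivileged `wired3` user. The usual cause of failure here
# is a volume or bind mount owned by root, so say so instead of only surfacing
# install(1)'s permission error.
if ! install -d -m 0750 "$STATE_DIR"; then
  echo "error: cannot prepare $STATE_DIR as uid $(id -u); check the volume's ownership" >&2
  exit 1
fi
install -d -m 0755 "$STATE_DIR/etc"
install -d -m 0755 "$STATE_DIR/files"

# Seed the protocol spec on first start; afterwards refresh it only when the
# image ships a different copy and the operator has not opted out. The flag is
# compared case-insensitively (1/true/yes).
update_spec="${WIRED_XML_UPDATE_IF_DIFFERENT:-1}"
if [[ ! -f "$STATE_DIR/wired.xml" ]]; then
  install -m 0640 "$SHARE_DIR/wired.xml" "$STATE_DIR/wired.xml"
elif [[ "${update_spec,,}" =~ ^(1|true|yes)$ ]] && ! cmp -s "$SHARE_DIR/wired.xml" "$STATE_DIR/wired.xml"; then
  install -m 0640 "$SHARE_DIR/wired.xml" "$STATE_DIR/wired.xml"
fi

# Banner and config are seeded once and never overwritten: they are operator-owned.
if [[ ! -f "$STATE_DIR/banner.png" ]]; then
  install -m 0644 "$SHARE_DIR/banner.png" "$STATE_DIR/banner.png"
fi
if [[ ! -f "$STATE_DIR/etc/config.ini" ]]; then
  install -m 0640 "$SHARE_DIR/config.ini.example" "$STATE_DIR/etc/config.ini"
fi

# SECURITY (TOFU): wired-identity.key is generated by the server on first start
# and stored at /var/lib/wired3/wired-identity.key with permissions 0600.
# It MUST be persisted in the named volume to survive container restarts.
# If the file is regenerated (e.g. after a volume wipe), all TOFU clients
# will see a key-change warning on their next connection.
# The server enforces 0600 at write time; enforce it here too as a safety net.
if [[ -f "$STATE_DIR/wired-identity.key" ]]; then
  chmod 0600 "$STATE_DIR/wired-identity.key"
fi

exec /usr/local/bin/wired3 \
  --working-directory "$STATE_DIR" \
  --config "$STATE_DIR/etc/config.ini" \
  --db "$STATE_DIR/wired3.db" \
  --root "$STATE_DIR/files" \
  --spec "$STATE_DIR/wired.xml" \
  "$@"
EOF
RUN chmod 0755 /usr/local/bin/wired3 /usr/local/bin/docker-entrypoint.sh
# The wrapper already prepends this path; exporting it image-wide also lets the
# raw binary resolve its Swift runtime when invoked without the wrapper.
ENV LD_LIBRARY_PATH=/usr/lib/wired3
ENV WIRED_XML_UPDATE_IF_DIFFERENT=${WIRED_XML_UPDATE_IF_DIFFERENT}
# Documentation only; the port is published at `docker run` time.
EXPOSE 4871
# Declared after the directory is created and owned by the service user, so a
# fresh named volume inherits that ownership.
VOLUME ["/var/lib/wired3"]
USER wired3
WORKDIR /var/lib/wired3
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]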