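# Builder stage: fetches and builds the helper binaries (su-exec, tini,
# run-non-root) and generates the profile script that rejects root shells.
# Only the files named in the COPY --from=builder instructions of the final
# stage leave this stage.
FROM docker.io/debian:bullseye-slim AS builder

# see also https://github.com/creemama/docker-run-non-root

# Install su-exec (https://github.com/ncopa/su-exec/commit/dddd1567b7c76365e1e0aac561287975020a8fad).
# The archive is pinned to a full commit id, so the source tree is fixed.
# NOTE(review): none of the three ADD downloads in this stage is integrity
# checked beyond TLS. Once a digest has been verified out of band, consider
# ADD --checksum=sha256:<VERIFIED_DIGEST_PLACEHOLDER> on each of them.
ADD https://github.com/ncopa/su-exec/archive/dddd1567b7c76365e1e0aac561287975020a8fad.zip su-exec.zip
# The build tools are installed, used and purged in the same layer.
RUN apt-get update \
  && apt-get install --no-install-recommends -y \
    gcc \
    libc-dev \
    make \
    unzip \
  && rm -rf /var/lib/apt/lists/* \
  && unzip su-exec.zip \
  && cd su-exec-dddd1567b7c76365e1e0aac561287975020a8fad \
  && make \
  && mv su-exec /usr/local/bin \
  && cd .. \
  && rm -rf su-exec.zip su-exec-dddd1567b7c76365e1e0aac561287975020a8fad \
  && apt-get purge --auto-remove -y \
    gcc \
    libc-dev \
    make \
    unzip \
  && rm -rf /var/lib/apt/lists/*

# Install tini for run-non-root's --init option.
# NOTE(review): this is a release asset addressed by tag (v0.19.0), not by
# content; a prebuilt binary that ends up as the container's init deserves a
# checksum (see the note on the first ADD).
ADD https://github.com/krallin/tini/releases/download/v0.19.0/tini-static /usr/local/bin/tini
RUN chmod +rx /usr/local/bin/tini

# Install run-non-root.
# NOTE(review): the script is addressed by the git tag v1.5.1, which can be
# moved upstream; pinning to a commit id (as done for su-exec) or adding a
# checksum would fix the content of what becomes the image ENTRYPOINT.
ADD https://raw.githubusercontent.com/creemama/run-non-root/v1.5.1/run-non-root.sh /usr/local/bin/run-non-root
RUN chmod +rx /usr/local/bin/run-non-root

# Warn users if they are running as root.
# See the "Invoked with name sh" section of
# https://www.gnu.org/software/bash/manual/html_node/Bash-Startup-Files.html .
# See also https://www.tldp.org/LDP/Linux-Filesystem-Hierarchy/html/etc.html .
# The generated script prints an error and exits when it is sourced inside a
# container (/.dockerenv exists) by a shell whose user is root / uid 0.
ENV ENV=/etc/profile
RUN printf "%s" "if [ -f /.dockerenv ]; then if [ "\$\(whoami\)" = 'root' ] || [ \$(id -u) -eq 0 ]; then printf \"\n\033[1;31m%s\033[0m\n\n\" \"Error: running as root user not permitted\"; exit 1; fi; fi" \
  >> /etc/profile.d/verify-non-root.sh

# ---

# Final stage: starts from a clean base and takes only the helper binaries
# from the builder.
FROM docker.io/debian:bullseye-slim

# add run-non-root:
COPY --from=builder /usr/local/bin/su-exec \
  /usr/local/bin/tini \
  /usr/local/bin/run-non-root \
  /usr/local/bin/

# Error out if running as root.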
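ENV ENV=/etc/profile
COPY --from=builder /etc/profile.d/verify-non-root.sh /etc/profile.d/
# NOTE(review): the profile script only runs in shells that read $ENV or
# /etc/profile, so it is a guard rail for interactive use, not an enforcement
# boundary. The default CMD is /bin/bash, which presumably does not read $ENV
# unless it is invoked as sh; confirm the check fires where it is expected to.

RUN apt-get update \
  && apt-get -y install \
    curl \
    wget \
  && rm -rf /var/lib/apt/lists/*

# tools for compiling for the specific targets
# gcc-mingw-w64: necessary for the lightweight toolchain for compiling for
#   windows, for rust x86_64-pc-windows-gnu target
# gcc-aarch64-linux-gnu: tools for aarch64
# NOTE(review): recommended packages are left enabled in both apt-get install
# steps; confirm the HTTPS download below and the cross toolchains still work
# before adding --no-install-recommends.
RUN apt-get update \
  && apt-get -y install \
    build-essential \
    gcc-mingw-w64 \
    gcc-aarch64-linux-gnu \
  && rm -rf /var/lib/apt/lists/*

# tested with
# rustc version - 1.65.0
# cargo version - 1.65.0
# rustup version - 1.25.1
# tools installed:
# rustup, cargo, rustc
# toolchains installed:
# default stable
# targets installed:
# default + see commands below
# additional components: rust-src

# build tools
# Run the remaining RUN steps under bash with pipefail, so that a failed
# download fails the step at the pipe rather than handing incomplete input
# to sh.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# NOTE(review): the installer is executed straight from the network, with TLS
# as the only integrity control, and "stable" floats, while the header above
# records 1.65.0 as the tested version. Pin the toolchain version if
# reproducible images are required.
# NOTE(review): no USER is set, so rustup installs into root's home
# (~/.cargo; presumably ~/.rustup as well) and no ENV PATH entry is added
# here. Confirm that the non-root user created by run-non-root can reach
# cargo and rustc.
RUN ( curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain stable -y ) \
  && . ~/.cargo/env \
  && rustup default stable \
  && rustup target add x86_64-pc-windows-gnu \
  && rustup target add aarch64-unknown-linux-gnu \
  && rustup target add thumbv7m-none-eabi \
  && rustup target add thumbv7em-none-eabihf \
  && rustup component add rust-src

# the directory where the workingcopy will be mounted
WORKDIR /app
VOLUME /app

# Every command is started through run-non-root (with tini as init via
# --init); exec form keeps the wrapper as the container's first process.
ENTRYPOINT ["/usr/local/bin/run-non-root", \
  "--init", \
  "--quiet", \
  "--"]
CMD ["/bin/bash"]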