FROM rust:1.83-alpine AS builder
WORKDIR /app

# Dépendances de build
RUN apk add --no-cache musl-dev openssl-dev pkgconfig

# Préparer le cache
COPY Cargo.toml Cargo.lock ./
COPY src ./src

# Build en release
RUN cargo build --release

# Image runtime minimale
FROM alpine:3.19 AS runtime
WORKDIR /home/bitcoin

# Utilisateur non-root
RUN adduser -D relay && \
    mkdir -p /home/bitcoin/.4nk && chown -R relay:relay /home/bitcoin

# Certificats et fuseaux (logs lisibles) minimal
RUN apk add --no-cache ca-certificates tzdata && update-ca-certificates

# Copier le binaire
COPY --from=builder /app/target/release/sdk_relay /usr/local/bin/sdk_relay

EXPOSE 8090 8091
USER relay

ENV RUST_LOG=info

# Le service lit la conf depuis "/home/bitcoin/.conf" (montée par docker-compose)
CMD ["/usr/local/bin/sdk_relay"]