# SSH Tunnel Container for Oracle Database Connection
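# NOTE(review): the tag alone is mutable. Pin by digest
# (alpine:3.18@sha256:<digest-placeholder>) so a rebuild cannot silently pick
# up a different base, and confirm the 3.18 branch still receives security
# fixes before relying on it.
FROM alpine:3.18

# Install the SSH client and the tools this image uses:
#   bash            - login shell assigned to the tunnel user (adduser -s)
#   curl            - NOTE(review): not used anywhere in this Dockerfile; keep
#                     only if ssh_tunnel_docker.sh needs it
#   netcat-openbsd  - provides nc for the HEALTHCHECK probe
#   openssh-client  - the tunnel itself
# --no-cache keeps the apk index out of the layer, so no separate cleanup of
# /var/cache/apk is required.
RUN apk add --no-cache \
    bash \
    curl \
    netcat-openbsd \
    openssh-client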

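# Create the unprivileged account the tunnel runs as (system user and group,
# fixed UID/GID 1001, no password). -H skips home-directory creation, so the
# home and .ssh directories are made explicitly in the same layer. .ssh is
# restricted to its owner because it holds the private key.
RUN addgroup -g 1001 -S tunnel && \
    adduser -S -D -H -u 1001 -s /bin/bash -G tunnel tunnel && \
    mkdir -p /home/tunnel/.ssh && \
    chown -R tunnel:tunnel /home/tunnel && \
    chmod 700 /home/tunnel/.ssh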

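# Copy the SSH private key into the image, owned by the tunnel user and
# readable only by it. Ownership and mode are set by the COPY itself, so the
# key is never stored root-owned with build-context permissions in one layer
# and then duplicated by a follow-up RUN layer (--chmod requires BuildKit).
#
# SECURITY: the key still becomes part of an image layer. Anyone who can pull
# or export this image can read it, and removing it in a later layer would not
# erase it. Keep this image out of shared registries, keep secrets/ out of
# version control, and prefer supplying the key at runtime on this same path
# (read-only bind mount or orchestrator secret; the mounted file must be owned
# by UID 1001 with mode 600) so the image carries no credential.
# NOTE(review): a BuildKit secret mount (RUN --mount=type=secret) is visible
# only during that RUN step, not in the running container. Check
# DOKPLOY_DEPLOYMENT.md for how option 2 makes the key available at runtime.
# NOTE(review): no known_hosts file is provisioned in this image. Confirm how
# ssh_tunnel_docker.sh verifies the server's host key.
#
# For production deployment (Dokploy/Docker), the SSH key should be:
# 1. Placed in ssh-tunnel/secrets/roa_oracle_server before build, OR
# 2. Provided via BuildKit secrets (see DOKPLOY_DEPLOYMENT.md)
COPY --chown=tunnel:tunnel --chmod=600 secrets/roa_oracle_server /home/tunnel/.ssh/roa_oracle_server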

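# Install the tunnel entrypoint script. It stays root-owned with mode 755, so
# the tunnel user can execute it but cannot modify it. Setting the mode in the
# COPY avoids a second layer that only changes permissions (--chmod requires
# BuildKit).
COPY --chmod=755 ssh_tunnel_docker.sh /usr/local/bin/ssh_tunnel.sh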

# Drop privileges: the health check and the entrypoint below run as the
# unprivileged tunnel user, not root.
USER tunnel

# Health check: passes when something accepts TCP connections on
# localhost:1521 inside the container.
# NOTE(review): this shows only that a local listener is up. It presumably
# does not prove the database behind the tunnel is reachable; confirm whether
# ssh_tunnel_docker.sh exits when the forward fails.
HEALTHCHECK --interval=30s --timeout=10s --start-period=15s --retries=3 \
    CMD nc -z localhost 1521 || exit 1

# Document the tunneled port. EXPOSE does not publish it.
# NOTE(review): whoever can reach this port presumably reaches the database
# listener through the tunnel with no extra authentication at this hop. Keep
# it on an internal Docker network and avoid publishing it on the host.
EXPOSE 1521

# Start the SSH tunnel. Exec form runs the script directly, without a
# /bin/sh -c wrapper.
ENTRYPOINT ["/usr/local/bin/ssh_tunnel.sh"]