[#31] Release is now rootless (rip caching)

.dockerignore

@@ -9,3 +9,6 @@
 
 # Entrypoint for devop container
 !docker/entrypoint_dev.sh
+
+# Config file
+!Rocket.toml

docker/Dockerfile.rel

@@ -6,22 +6,42 @@ FROM chewingbever/fej-builder:latest AS builder
 # https://users.rust-lang.org/t/sigsegv-with-program-linked-against-openssl-in-an-alpine-container/52172
 # TODO add what these flags do & why they work
 # NOTE: cargo install auto-appends bin to the path
-RUN --mount=type=cache,target=/usr/src/app/target \
-    --mount=type=cache,target=/root/.cargo/registry \
-    cargo install \
-        --path . \
-        --root /usr/local \
-        --target x86_64-unknown-linux-musl
+
+# RUN --mount=type=cache,mode=0777,target=/app/target \
+#     --mount=type=cache,mode=0777,target=/app/.cargo/registry \
+
+# Buildkit cache mounts really don't like it when you're not root,
+# so I guess we're building release without a cache for now
+RUN cargo install \
+    --path . \
+    --root /app/output \
+    --target x86_64-unknown-linux-musl
 
 
 # Now, we create the actual image
 FROM alpine:latest
 
 # Install some dynamic libraries needed for everything to work
-RUN apk update && apk add --no-cache openssl libgcc curl
+# Create -non-root user
+RUN apk update && \
+    apk add --no-cache \
+        curl \
+        libgcc \
+        libpq \
+        openssl && \
+    addgroup -S fej && \
+    adduser -S fej -G fej -h /app
+
+# Switch to non-root user
+USER fej:fej
 
 # Copy binary over to final image
-COPY --from=builder /usr/local/bin/server /usr/local/bin/server
+COPY --from=builder --chown=fej:fej /app/output/bin /app/bin
+
+# Embed config file inside container
+# The workdir is changed so that the config file is read properly
+WORKDIR /app
+COPY --chown=fej:fej Rocket.toml /app/Rocket.toml
 
 HEALTHCHECK \
     --interval=10s \
@@ -30,4 +50,4 @@ HEALTHCHECK \
     --retries=3 \
     CMD curl -q localhost:8000
 
-CMD ["/usr/local/bin/server"]
+CMD ["/app/bin/server"]