# KNEL-Football ISO Builder - Dockerfile
# Multi-stage build for security hardening and reproducible builds
# Copyright © 2026 Known Element Enterprises LLC
# License: GNU Affero General Public License v3.0 only

# Base stage - minimal Debian 13 base
FROM debian:13.3-slim AS base

# Set environment variables for non-interactive installation
ENV DEBIAN_FRONTEND=noninteractive
ENV LANG=C.UTF-8
ENV LC_ALL=C
ENV TZ=UTC

# Install base dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    gnupg \
    curl \
    wget \
    git \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Builder stage - ISO build tools
FROM base AS builder

# Install live-build and ISO creation tools
RUN apt-get update && apt-get install -y --no-install-recommends \
    live-build \
    debootstrap \
    squashfs-tools \
    xorriso \
    grub-pc-bin \
    grub-efi-amd64-bin \
    grub-efi-ia32-bin \
    mtools \
    dosfstools \
    syslinux-utils \
    isolinux \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Install testing framework
RUN apt-get update && apt-get install -y --no-install-recommends \
    bats \
    bats-assert \
    bats-support \
    bats-file \
    shellcheck \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Install security and system tools
RUN apt-get update && apt-get install -y --no-install-recommends \
    nftables \
    iptables \
    auditd \
    rsyslog \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Create workspace directories
RUN mkdir -p /workspace /build /tmp /output

# Create non-root user for running builds
RUN groupadd -r builder && useradd -r -g builder builder \
    && mkdir -p /home/builder \
    && chown -R builder:builder /workspace /build /tmp /output /home/builder

# Set working directory
WORKDIR /workspace

# Switch to non-root user
USER builder

# Default command
CMD ["/bin/bash"]