# H33 Xeon API - Production Docker Image
# Optimized for Intel Xeon with AVX-512

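# Build stage: compiles the release binary; nothing from this stage reaches
# the final image except the file copied out with COPY --from=builder.
# NOTE(review): the tag is mutable. Pin it by digest for reproducible builds,
# e.g. rust:1.75-bookworm@sha256:<digest-of-the-reviewed-image>.
FROM rust:1.75-bookworm AS builder

# Build-time tooling only: lld is the linker selected through RUSTFLAGS below;
# cmake and clang are presumably needed by native build scripts (confirm).
RUN apt-get update && apt-get install -y \
    clang \
    cmake \
    lld \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# CPU the compiler targets. The default `native` keeps the original behaviour,
# but it resolves against whatever machine runs `docker build`: the resulting
# binary can die with an illegal-instruction fault on hosts lacking those
# features, and two builders can produce different images from the same
# source. For a shippable image, pass an explicit value instead, e.g.
#   docker build --build-arg TARGET_CPU=skylake-avx512 .
ARG TARGET_CPU=native

# Set the flags BEFORE the dependency pre-build: cargo recompiles every crate
# when RUSTFLAGS changes, so declaring them afterwards throws away the cached
# dependency layer on each build.
ENV RUSTFLAGS="-C target-cpu=${TARGET_CPU} -C link-arg=-fuse-ld=lld"

# Copy manifests only, so the dependency layer below is invalidated by a
# manifest or lockfile change and not by every source edit.
COPY Cargo.toml Cargo.lock ./

# Pre-build the dependencies against placeholder sources, then drop the
# placeholders in the same layer so they are never stored in the image.
# --locked makes the build fail if Cargo.lock does not match Cargo.toml,
# rather than silently resolving dependency versions nobody reviewed.
# NOTE(review): if Cargo.toml declares explicit [[bench]] paths this step may
# need placeholder bench files as well; confirm against the manifest.
RUN mkdir src && \
    echo "fn main() {}" > src/main.rs && \
    echo "pub fn dummy() {}" > src/lib.rs && \
    cargo build --release --locked && \
    rm -rf src

# Copy actual source
COPY src ./src
COPY benches ./benches

# COPY keeps the files' original timestamps, which can be older than the
# placeholder build artifacts; cargo would then treat the placeholder lib.rs
# and main.rs outputs as up to date. Refresh the mtime of every real source
# file (existing files only, nothing is created) before the final build.
RUN find src -name '*.rs' -exec touch {} + && \
    cargo build --release --locked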

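# Runtime stage: minimal Debian image holding only the compiled binary and
# the shared libraries and tools it needs at run time.
# NOTE(review): the tag is mutable. Pin it by digest for reproducible builds,
# e.g. debian:bookworm-slim@sha256:<digest-of-the-reviewed-image>.
FROM debian:bookworm-slim AS runtime

# Runtime dependencies. curl is required by the HEALTHCHECK below: the slim
# base image does not ship it, so without this package the probe fails on
# every run and the container is reported unhealthy. --no-install-recommends
# keeps optional packages out of the image that faces the network.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    curl \
    libssl3 \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Copy binary
COPY --from=builder /app/target/release/h33-xeon-api /app/h33-xeon-api

# Dedicated unprivileged account for the service. It never needs an
# interactive login, so it gets a nologin shell instead of bash.
# NOTE(review): chown -R also hands the binary itself to h33, so a compromised
# service process could overwrite its own executable. If the service does not
# write under /app, leave /app owned by root and drop the chown.
RUN useradd -m -s /usr/sbin/nologin h33 && \
    chown -R h33:h33 /app

USER h33

# Environment defaults, overridable at `docker run` time.
# BIND_ADDR listens on all interfaces inside the container; what is reachable
# from outside is decided by the port mapping or network policy of the host.
# NOTE(review): MAX_CONNECTIONS is presumably a connection cap and WORKERS=0
# presumably means auto-detect; confirm against the application. A cap of
# 1000000 would also depend on the container's open-file limit.
ENV BIND_ADDR=0.0.0.0:8080 \
    FHE_MODE=turbo \
    MAX_CONNECTIONS=1000000 \
    WORKERS=0 \
    RUST_LOG=info

# Health check. The probe targets port 8080 literally, so it must be adjusted
# if BIND_ADDR is overridden with a different port.
HEALTHCHECK --interval=10s --timeout=3s --start-period=5s --retries=3 \
    CMD curl -fsS http://localhost:8080/health || exit 1

# Documentation only; the port still has to be published at run time.
EXPOSE 8080

# Exec form: the service runs as PID 1 and receives stop signals directly.
ENTRYPOINT ["/app/h33-xeon-api"]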
