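# Alpine Unbound DNS Server - x86_64/AMD64 Edition
#
# Builds a small image that runs the Unbound resolver in the foreground on
# port 5335 (TCP and UDP) under tini, using the unbound.conf from the build
# context.
#
# NOTE(review): the base image is pinned by tag only, and a tag can be
# re-pointed. For reproducible builds, pin a digest you have verified
# yourself, e.g. alpine:3.19@sha256:<digest-placeholder>.
FROM --platform=linux/amd64 alpine:3.19

LABEL maintainer="homelab"
LABEL description="Lightweight Unbound DNS resolver for x86_64"
LABEL architecture="amd64"

# Set timezone (can be overridden at runtime)
ENV TZ=UTC

# Install only the packages the image needs:
#   unbound            - the resolver itself
#   drill, bind-tools  - DNS utilities (drill is used by the healthcheck)
#   curl               - fetches the root hints below
#   ca-certificates    - CA bundle curl needs to verify the HTTPS download
#   tzdata             - timezone data for TZ
#   tini               - minimal init (PID 1) for signal handling
# --no-cache keeps the APK index out of the layer, so no separate cleanup of
# /var/cache/apk is needed.
RUN apk add --no-cache \
        bind-tools \
        ca-certificates \
        curl \
        drill \
        tini \
        tzdata \
        unbound

# Create the configuration, state and log directories, and hand the writable
# ones to the unbound user.
RUN mkdir -p \
        /etc/unbound/unbound.conf.d \
        /var/lib/unbound \
        /var/log/unbound \
        /config \
    && chown -R unbound:unbound /var/lib/unbound /var/log/unbound

# Download the root hints (names and addresses of the root servers, used to
# prime the resolver). These are not the DNSSEC trust anchor: validation
# depends on the trust-anchor settings in unbound.conf, which this file does
# not show.
#   -f                    fail the build on an HTTP error instead of saving
#                         the error page as root.hints
#   --proto/--proto-redir keep the transfer, and any redirect followed by -L,
#                         on HTTPS
# The size and content checks reject an empty or unrelated response.
# NOTE(review): integrity rests on TLS alone and the file is re-fetched on
# every build; vendoring a reviewed copy into the build context would make
# the image reproducible.
RUN curl -fsSL --proto '=https' --proto-redir '=https' \
        https://www.internic.net/domain/named.root \
        -o /etc/unbound/root.hints \
    && test -s /etc/unbound/root.hints \
    && grep -q 'ROOT-SERVERS.NET' /etc/unbound/root.hints

# Copy default configuration
COPY unbound.conf /etc/unbound/unbound.conf

# Create the healthcheck script: one query against the local resolver, with
# all output discarded.
# NOTE(review): the probe resolves an external name, so an upstream outage
# marks the container unhealthy. Confirm that drill's exit status reflects a
# failed or SERVFAIL response and not only a timeout.
RUN printf '%s\n' \
        '#!/bin/sh' \
        'drill @127.0.0.1 -p 5335 google.com > /dev/null 2>&1' \
        > /usr/local/bin/healthcheck.sh \
    && chmod +x /usr/local/bin/healthcheck.sh

# Expose DNS port
EXPOSE 5335/tcp 5335/udp

# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD /usr/local/bin/healthcheck.sh

# NOTE(review): no USER directive is set, so the container process starts as
# root. Port 5335 is unprivileged, so root is not needed to bind it. Whether
# Unbound drops privileges depends on `username:` in unbound.conf - confirm.

# Use tini as init system for proper signal handling
ENTRYPOINT ["/sbin/tini", "--"]

# Run unbound in foreground
CMD ["unbound", "-d", "-c", "/etc/unbound/unbound.conf"]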