Dockerfile.worker
# BitSage Obelysk Worker - TEE-enabled Docker Image
#
# This Dockerfile builds the BitSage worker for deployment in TEE environments (Intel TDX/SGX, AMD SEV-SNP).
# The MRENCLAVE measurement of this image must be whitelisted before workers can accept jobs.
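# Build stage: compiles the sage-worker binary with the `tee` feature enabled.
#
# NOTE(review): the file header requires a measurement of this image to be
# allowlisted. That only works if a rebuild yields the same bits, and
# `rust:1.75` is a mutable tag, so pin the base by digest, e.g.
#   FROM rust:1.75@sha256:<DIGEST_PLACEHOLDER> AS builder
# MRENCLAVE is the SGX measurement; TDX and SEV-SNP report differently named
# values, so confirm which value is allowlisted on each platform.
FROM rust:1.75 AS builder

WORKDIR /build

# Build-time system packages (names suggest OpenSSL headers, pkg-config, protoc).
# Recommended packages are left enabled: this stage is discarded, and dropping
# them could remove files the build relies on (not verifiable from this file).
# Versions are unpinned, so they track whatever the base image's mirrors serve.
RUN apt-get update && apt-get install -y \
        libssl-dev \
        pkg-config \
        protobuf-compiler \
    && rm -rf /var/lib/apt/lists/*

# Copy workspace manifests and the lockfile.
COPY Cargo.toml Cargo.lock ./
# NOTE(review): if rust-toolchain.toml selects a toolchain other than the one in
# the base image, it is presumably downloaded at build time - confirm they match.
COPY rust-toolchain.toml ./

# Copy source code
COPY src ./src
COPY benches ./benches
COPY tests ./tests

# Build in release mode with TEE features enabled.
# --locked makes the build fail instead of silently re-resolving dependencies
# when Cargo.lock is out of date, so the binary is built from the reviewed
# dependency set.
RUN cargo build --release --locked --bin sage-worker --features tee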
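# Runtime stage (smaller image): holds only the release binary and the shared
# libraries it needs.
#
# NOTE(review): `debian:bookworm-slim` is a mutable tag and the apt packages are
# unpinned, so two builds of this file can differ. For an image whose measurement
# is allowlisted, pin the base by digest, e.g.
#   FROM debian:bookworm-slim@sha256:<DIGEST_PLACEHOLDER>
FROM debian:bookworm-slim

# Install runtime dependencies only; --no-install-recommends keeps optional
# packages out of the image that gets measured and deployed.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        libssl3 \
    && rm -rf /var/lib/apt/lists/*

# Create a non-root user (UID 1000) and the data directory it owns.
RUN useradd -m -u 1000 sage && \
    mkdir -p /app/data && \
    chown -R sage:sage /app

WORKDIR /app

# Copy the binary from the builder stage, setting ownership in the same layer
# rather than in a follow-up `RUN chown`, which stores the file a second time.
# NOTE(review): /app and the binary are owned by the runtime user, so the worker
# process can replace its own executable. If it only needs to write under
# /app/data, consider root ownership for the binary and a read-only root
# filesystem at deploy time - confirm against what the worker writes.
COPY --from=builder --chown=sage:sage /build/target/release/sage-worker /app/sage-worker

# Switch to non-root user
USER sage

# Expose metrics port (documentation only; it does not publish the port)
EXPOSE 9090

# Health check: runs the worker binary with --health-check every 30s.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD ["/app/sage-worker", "--health-check"]

# Entry point (exec form, so the worker runs as PID 1 and receives signals)
ENTRYPOINT ["/app/sage-worker"]

# Default arguments (can be overridden). /app/config is not created in this
# image, so the config file is presumably mounted at run time - confirm.
CMD ["--config", "/app/config/worker.toml"]

# Labels for metadata
LABEL org.opencontainers.image.title="BitSage Obelysk Worker" \
      org.opencontainers.image.description="TEE-enabled computation worker for BitSage Network" \
      org.opencontainers.image.vendor="BitSage Network" \
      org.opencontainers.image.version="1.0.0" \
      org.opencontainers.image.licenses="Apache-2.0"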