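# Static-site image: Caddy serving /usr/share/caddy on port 80 as a non-root user.

# "2-alpine" is a floating tag, so a rebuild can silently pick up a different
# base image. For reproducible, auditable builds pin an exact release and
# digest, e.g. caddy:<VERSION>-alpine@sha256:<DIGEST> (placeholders).
FROM caddy:2-alpine

# curl stays in the image because the HEALTHCHECK below uses it.
# libcap is needed only for the setcap call and is removed in the same layer.
# cap_net_bind_service lets the non-root process bind port 80.
# NOTE(review): if the runtime removes NET_BIND_SERVICE from the container's
# capability set (for example by dropping all capabilities), a binary carrying
# this file capability may fail to start; keep that one capability or serve on
# a port above 1023 -- confirm against the deployment's security context.
RUN apk add --no-cache curl libcap \
    && setcap 'cap_net_bind_service=+ep' /usr/bin/caddy \
    && apk del libcap

# COPY --chown and USER below fail if the account is missing, so create it only
# when the base image does not already provide one.
# NOTE(review): presumably the base image ships no "caddy" user -- verify.
RUN id caddy >/dev/null 2>&1 \
    || { addgroup -S caddy && adduser -S -H -G caddy caddy; }

WORKDIR /usr/share/caddy

# Single copy of the site, owned by the runtime user. The earlier root-owned
# "COPY . /usr/share/caddy" wrote the same files a second time and sat before
# the package layer, so any content change forced a reinstall.
# Everything in the build context lands in the public web root: use a
# .dockerignore to keep .git, this Dockerfile, .env files and other non-site
# material out of the image.
COPY --chown=caddy:caddy . .

# Drop root for the running server.
# NOTE(review): Caddy persists state (certificates, autosaved config) in its
# data/config directories; confirm they are writable by this user if needed.
USER caddy

# Mark the container unhealthy when the site stops answering locally.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:80/ || exit 1

# Documentation only: the port still has to be published at run time.
EXPOSE 80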