FROM postgres:17.5-alpine3.22

# Add metadata labels
LABEL maintainer="hads@nice.nz" \
    description="PostgreSQL backup container for S3-compatible storage" \
    version="1.0"

# Install packages, create user, and setup directories in a single layer
RUN apk update && apk upgrade --no-cache \
    && apk add --no-cache \
    bash \
    curl \
    gzip \
    rclone \
    && rm -rf /var/cache/apk/* \
    && addgroup -g 1000 backup \
    && adduser -D -u 1000 -G backup backup \
    && mkdir -p /backups \
    && chown backup:backup /backups

# Copy backup script with correct ownership
COPY --chown=backup:backup backup.sh /usr/local/bin/backup.sh

# Make script executable
RUN chmod +x /usr/local/bin/backup.sh

# Switch to non-root user
USER backup

# Set working directory
WORKDIR /backups

# Add health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD pgrep -f backup.sh > /dev/null || exit 1

# Use exec form for better signal handling
CMD ["/usr/local/bin/backup.sh"]