Dockerfile

# Building...

FROM golang:alpine as server-builder

RUN apk update && apk add --no-cache git ca-certificates tzdata libcap mailcap && update-ca-certificates && rm -rf /var/cache/apk/*

# Create appuser
ENV USER=appuser
ENV UID=1000
# See https://stackoverflow.com/a/55757473/12429735
RUN adduser \
    --disabled-password \
    --gecos "" \
    --home "/nonexistent" \
    --shell "/sbin/nologin" \
    --no-create-home \
    --uid "${UID}" \
    "${USER}"

WORKDIR /app

ADD . .

RUN chown -Rf "${UID}" ./*

RUN go version
RUN go get -d -v && \
    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go test ./...

RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
    -ldflags='-w -s -extldflags "-static"' -a \
    -o /app/server .

RUN setcap cap_net_bind_service=+ep /app/server

# Running...
FROM scratch

WORKDIR /app

COPY --from=server-builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=server-builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=server-builder /etc/passwd /etc/passwd
COPY --from=server-builder /etc/group /etc/group
COPY --from=server-builder /etc/mime.types /etc/mime.types

# Copy static executable and application resources
COPY --from=server-builder /app/server /app/server

# Use an unprivileged user.
USER appuser:appuser

ENTRYPOINT [ "./server"]