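# syntax=docker/dockerfile:1

# Python tag shared by both stages. pip lays the builder's packages out under
# <prefix>/lib/pythonX.Y/site-packages and that tree is copied into /usr/local
# below, so the builder and runtime images MUST run the same Python minor
# version. Override with --build-arg to pin a specific minor (and ideally a
# digest) for reproducible builds; the default keeps the floating "3" tag the
# file used before.
ARG PYTHON_VERSION=3

# ---------------------------------------------------------------------------
# Build stage: install siphoney and its dependencies.
# The -dev variant has pip and build tools; the runtime variant does not.
# ---------------------------------------------------------------------------
FROM dhi.io/python:${PYTHON_VERSION}-dev AS builder

# VERSION has no default on purpose; an unset value is rejected explicitly
# below instead of producing the malformed requirement "siphoney==".
ARG VERSION
# Extras to install (pip "[extras]" syntax). Pass an empty PLUGINS to install
# only the core package.
ARG PLUGINS=all

# Install siphoney (and selected plugin dependencies) into a prefix that
# we can copy wholesale into the runtime stage. --no-cache-dir keeps pip's
# download cache out of the layer. The release is pinned by exact version;
# a hash-pinned requirements file would be the stricter supply-chain option.
RUN : "${VERSION:?build-arg VERSION is required}" \
    && pip install --no-cache-dir --prefix=/install --prefer-binary \
       "siphoney==${VERSION}${PLUGINS:+[${PLUGINS}]}"

# ---------------------------------------------------------------------------
# Runtime stage: minimal hardened image, no shell, no package manager.
#
# SECURITY NOTE: Running this container through the Docker CLI requires the
# host user to be root or a member of the 'docker' group, which grants
# effective root access on the host. This negates the benefit of running the
# honeypot as a restricted user. Consider Podman (or Docker's rootless mode)
# instead, which does not require that level of host privilege:
#   https://podman.io/
# ---------------------------------------------------------------------------
FROM dhi.io/python:${PYTHON_VERSION}

# ARGs are stage-scoped: re-declare so --build-arg VERSION is visible here.
ARG VERSION
# Legacy keys are kept for existing tooling; OCI keys added for standard scanners.
LABEL maintainer="Bontchev" \
      name="siphoney" \
      version="${VERSION}" \
      org.opencontainers.image.title="siphoney" \
      org.opencontainers.image.version="${VERSION}"

# Copy the installed packages from the build stage into the interpreter's
# default prefix, so the console script and its libraries are found without
# extra PATH/PYTHONPATH configuration.
COPY --from=builder /install /usr/local

# Run as a non-root user inside the container.
# Note: this does not mitigate the host-level docker group privilege issue
# described above, but it limits post-exploitation options inside the container.
# Exec form is used for the remaining RUN steps because this base variant is
# documented above as shell-less: only the useradd/chown binaries themselves
# are required, not /bin/sh.
# Review note: a fixed numeric --uid/--gid would let runtimes that enforce
# runAsNonRoot verify the user; it is left dynamic here so ownership of
# existing bind-mounted data directories is unchanged.
RUN ["useradd", "--no-create-home", "--shell", "/bin/false", "siphoney"]

# Unprivileged port, so binding works for the non-root user.
EXPOSE 5060/udp

# Scaffold the working directory (still as root, before USER) and hand
# ownership to the non-root user so the honeypot can write its state.
WORKDIR /siphoney
RUN ["siphoney", "init"]
RUN ["chown", "-R", "siphoney:siphoney", "/siphoney"]

USER siphoney

# Mount your honeypot.cfg and GeoLite2 databases at runtime, e.g.:
#
#   docker run \
#     -v /path/to/honeypot.cfg:/siphoney/etc/honeypot.cfg \
#     -v /path/to/data:/siphoney/data \
#     -p 5060:5060/udp siphoney
#
CMD ["siphoney", "run"]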
