FROM alpine:3.15.5

ARG UNBOUND_VERSION=1.16.1

# Install dependencies and build unbound (and install bind-tools for dig in healthcheck), clean up after
RUN apk --update add --no-cache alpine-sdk bind-tools dns-root-hints expat-dev git openssl-dev && \
    # Clone tag and build unbound source (https://github.com/NLnetLabs/unbound)
    git clone --depth 1 --branch "release-${UNBOUND_VERSION}" https://github.com/NLnetLabs/unbound.git /tmp/unbound && \
    cd /tmp/unbound && \
    ./configure && \
    make && \
    make install && \
    # Cleanup build tools
    make clean && \
    rm -rf /tmp/* && \
    apk del alpine-sdk expat-dev git openssl-dev

# Prepare image
COPY entrypoint.sh /
RUN addgroup -S unbound
RUN adduser -S -G unbound unbound
RUN mkdir -p /srv/unbound/conf
COPY unbound.conf /srv/unbound/unbound.conf

HEALTHCHECK --interval=60s --timeout=3s --retries=2 CMD dig ns1.gkcld.net @127.0.0.1 +dnssec || exit 1
ENTRYPOINT ["sh", "/entrypoint.sh"]