# syntax=dhi.io/build:2-alpine3.23

contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
  packages:
    - redis
    - ca-certificates

accounts:
  groups:
    - gid: 65532
      name: redis
  users:
    - uid: 65532
      gid: 65532
      name: redis
  run-as: redis

work-dir: /data

paths:
  - path: /data
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0700

environment:
  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

entrypoint:
  - /usr/bin/redis-server
  - --protected-mode
  - "no"
  - --dir
  - /data

annotations:
  org.opencontainers.image.title: "hardened-redis"
  org.opencontainers.image.description: "Minimal Redis image stripped of critical shells to maximize defense-in-depth"