# syntax=dhi.io/build:2-alpine3.23

contents:
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
  packages:
    - postgresql16
    - postgresql16-client
    - ca-certificates
    - tzdata

accounts:
  groups:
    - gid: 65532
      name: postgres
  users:
    - uid: 65532
      gid: 65532
      name: postgres
  run-as: postgres

work-dir: /var/lib/postgresql

paths:
  - path: /var/lib/postgresql
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0700
  - path: /run/postgresql
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0775

environment:
  PATH: /usr/lib/postgresql16/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  PGDATA: /var/lib/postgresql/data

entrypoint:
  - postgres
  - -D
  - /var/lib/postgresql/data

annotations:
  org.opencontainers.image.title: "hardened-postgres"
  org.opencontainers.image.description: "Minimal PostgreSQL 16 image stripped of shell utilities"