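# syntax=docker/dockerfile:1
# FreeIPA server container image (Fedora / systemd-based)
#
# Build:
#   docker build -t freeipa-server .
#
# Run (quick test):
#   docker run --privileged --name freeipa \
#     --tmpfs /run --tmpfs /tmp \
#     -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
#     -v freeipa-data:/data \
#     -h ipa.example.com \
#     -e IPA_DOMAIN=example.com \
#     -e IPA_ADMIN_PASSWORD=Secret123 \
#     -e IPA_DM_PASSWORD=Secret456 \
#     -p 443:443 -p 389:389 -p 636:636 -p 88:88 \
#     freeipa-server
#
# The sample passwords above are placeholders. Values passed with -e are
# readable by anyone who can run `docker inspect` on the host, so the quick
# test is not a production setup.
#
# For production use docker-compose.yml instead.

# Pin to a digest (fedora:41@sha256:<digest>) for fully reproducible builds;
# the tag alone moves as Fedora publishes updated base images.
FROM fedora:41

# `container=docker` lets systemd detect that it runs inside a container.
# The en_US locale is supplied by glibc-langpack-en (installed below); the
# Fedora base image ships only the minimal langpack, so LC_ALL=en_US.UTF-8
# would otherwise name a locale that does not exist.
ENV container=docker \
    LANG=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8

# Packages are unpinned: the image follows whatever FreeIPA build the
# Fedora 41 repositories currently carry. Pin versions here if you need
# byte-for-byte reproducible rebuilds. Helper tools are sorted
# alphabetically after the FreeIPA packages. The cache is cleaned in the
# same layer so it never lands in the image.
RUN dnf install -y --setopt=install_weak_deps=False \
        freeipa-server \
        freeipa-server-dns \
        freeipa-server-trust-ad \
        freeipa-admintools \
        ansible-core \
        bind-utils \
        glibc-langpack-en \
        hostname \
        krb5-workstation \
        net-tools \
        openldap-clients \
        procps-ng \
        python3-netaddr \
        rsync \
    && dnf clean all \
    && rm -rf /var/cache/dnf

# Mask units that either require host-level access or are irrelevant in containers
RUN systemctl mask \
    systemd-remount-fs.service \
    dev-hugepages.mount \
    sys-fs-fuse-connections.mount \
    systemd-logind.service \
    getty.target \
    console-getty.service \
    dnf-makecache.timer \
    plymouth-quit-wait.service \
    plymouth-start.service \
    network.service \
    NetworkManager.service

# First-boot script and its unit. --chmod sets the execute bit in the COPY
# layer itself; a follow-up `RUN chmod` would duplicate the file in a
# second layer.
COPY --chmod=0755 ipa-first-boot.sh /usr/local/sbin/ipa-first-boot.sh
COPY ipa-first-boot.service         /etc/systemd/system/ipa-first-boot.service
RUN systemctl enable ipa-first-boot.service

# Persistent state lives in /data. Declared after all build-time steps so
# nothing written during the build is discarded by the VOLUME.
VOLUME ["/data"]

# LDAP, LDAPS, Kerberos, kpasswd, HTTPS, HTTP, DNS, NTP.
# EXPOSE is documentation only; ports are published with -p or compose.
EXPOSE 389 636 88/tcp 88/udp 464/tcp 464/udp 443 80 53/tcp 53/udp 123/udp

# No USER directive: systemd is PID 1 here and has to start as root (hence
# --privileged and the cgroup mount in the run example). SIGRTMIN+3 is the
# signal systemd treats as a halt request, so `docker stop` produces an
# orderly shutdown instead of a SIGTERM that init ignores.
STOPSIGNAL SIGRTMIN+3
CMD ["/sbin/init"]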
