FROM ubuntu:26.04

RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        krb5-kdc \
        krb5-admin-server \
        krb5-config \
        libcap2-bin \
        tini && \
    rm -rf /var/lib/apt/lists/*

RUN groupadd -r krb5 && useradd -r -g krb5 -s /sbin/nologin krb5

# Allow binding to privileged ports without root
RUN setcap cap_net_bind_service=+ep /usr/sbin/krb5kdc && \
    setcap cap_net_bind_service=+ep /usr/sbin/kadmind

# Pre-create files the entrypoint writes to outside the volume
RUN mkdir -p /etc/krb5kdc && \
    touch /etc/krb5.conf && \
    chown -R krb5:krb5 /etc/krb5kdc /etc/krb5.conf /var/lib/krb5kdc

COPY --chown=krb5:krb5 entrypoint.sh /entrypoint

RUN chmod +x /entrypoint

USER krb5

EXPOSE 88/tcp 88/udp 464/tcp 464/udp 749/tcp

ENTRYPOINT ["tini", "--", "/entrypoint"]