# Small base with package manager; Debian is straightforward
FROM debian:bookworm-slim

# Install OpenSSH client and basic tools
RUN apt-get update && apt-get install -y --no-install-recommends \
      openssh-client ca-certificates curl \
    && rm -rf /var/lib/apt/lists/*

# Wrapper: copy key to an SSH location with 0600 perms, then exec ssh with args
RUN printf '%s\n' \
  '#!/bin/sh' \
  'set -eu' \
  'mkdir -p /root/.ssh' \
  '# If a key is mounted, install it with strict permissions' \
  'if [ -f /mnt/keys/tunnel_ed25519 ]; then' \
  '  install -m 600 /mnt/keys/tunnel_ed25519 /root/.ssh/id_ed25519' \
  'fi' \
  'exec ssh "$@"' \
  > /usr/local/bin/run-ssh && chmod +x /usr/local/bin/run-ssh

ENTRYPOINT ["/usr/local/bin/run-ssh"]