# Containerization Runbook

## Image Build

If the repo consumes internal packages from Gitea, pass feed credentials as build args.

```bash
docker build   --build-arg NUGET_FEED_USERNAME=<gitea-login>   --build-arg NUGET_FEED_TOKEN=<gitea-token>   -t agilewebs/thalos-service:dev .
```

## Local Run

```bash
docker run --rm -p 8080:8080 \
  -e ThalosIdentity__Secrets__SessionSigning=<session-signing-secret> \
  -e ThalosIdentity__Secrets__Oidc__Google__ClientId=<google-client-id> \
  -e ThalosIdentity__Secrets__Oidc__Google__Issuer=https://accounts.google.com \
  --name thalos-service agilewebs/thalos-service:dev
```

## Health Probe

- Path: `/health`
- Fallback path: `/healthz`
- Port: `8080`

## Runtime Notes

- Exposes internal identity runtime endpoint set and gRPC service.
- Google OIDC claim validation requires `ThalosIdentity:Secrets:Oidc:Google:ClientId`.