feat(deploy): add docker

deploy/docker/Dockerfile

@@ -0,0 +1,51 @@
+FROM rust:1.91-slim-bookworm AS builder
+WORKDIR /usr/src/app
+
+# 官方 Rust 镜像中 CARGO_HOME = /usr/local/cargo
+RUN echo '[source.crates-io]' > $CARGO_HOME/config.toml \
+    && echo 'replace-with = "rsproxy-sparse"' >> $CARGO_HOME/config.toml \
+    && echo '[source.rsproxy]' >> $CARGO_HOME/config.toml \
+    && echo 'registry = "https://rsproxy.cn/crates.io-index"' >> $CARGO_HOME/config.toml \
+    && echo '[source.rsproxy-sparse]' >> $CARGO_HOME/config.toml \
+    && echo 'registry = "sparse+https://rsproxy.cn/index/"' >> $CARGO_HOME/config.toml \
+    && echo '[registries.rsproxy]' >> $CARGO_HOME/config.toml \
+    && echo 'index = "https://rsproxy.cn/crates.io-index"' >> $CARGO_HOME/config.toml
+
+# 验证一下文件是否真的存在（构建时会在 log 打印出来，让你放心）
+RUN cat $CARGO_HOME/config.toml
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates pkg-config libssl-dev git openssh-client \
+  && rm -rf /var/lib/apt/lists/*
+
+COPY Cargo.toml Cargo.lock ./
+COPY .cargo ./.cargo
+RUN mkdir -p src && echo "fn main() {}" > src/main.rs
+RUN cargo build --release --locked
+
+COPY src ./src
+COPY docs ./docs
+RUN touch src/main.rs
+RUN cargo build --release --locked
+
+FROM debian:bookworm-slim AS runner
+WORKDIR /app
+
+RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list.d/debian.sources \
+    && sed -i 's/security.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list.d/debian.sources
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates libssl3 \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --system --gid 10001 iam \
+  && useradd --system --uid 10001 --gid 10001 --no-create-home --shell /usr/sbin/nologin iam \
+  && mkdir -p /app/log /app/data \
+  && chown -R iam:iam /app/log
+
+ENV PORT=5020
+EXPOSE 5020
+
+COPY --from=builder /usr/src/app/target/release/iam-service /app/iam-service
+USER iam
+CMD ["/app/iam-service"]