FROM python:3.11-slim
WORKDIR /app

# deps (curl for healthcheck; gosu only needed when running as root)
RUN apt-get update && apt-get install -y --no-install-recommends \
    sqlite3 curl gosu \
  && rm -rf /var/lib/apt/lists/*

# Create a default appuser (will be ignored if process isn’t root)
RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m appuser

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy new modular structure
COPY nfoguard.py .
COPY core/ ./core/
COPY clients/ ./clients/
COPY VERSION .

RUN mkdir -p /app/data && chown -R appuser:appuser /app

# Root-aware entrypoint
RUN cat > /entrypoint.sh << 'EOF'
#!/bin/bash
set -euo pipefail

PUID=${PUID:-1000}
PGID=${PGID:-1000}

if [ "$(id -u)" -eq 0 ]; then
  # running as root: we can adjust IDs and drop privileges
  groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser
  id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser
  usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true
  chown -R "$PUID:$PGID" /app || true
  exec gosu appuser "$@"
else
  # not root (e.g., compose set user: 1000:1000) — just run
  exec "$@"
fi
EOF
RUN chmod +x /entrypoint.sh

HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:8080/health || exit 1

EXPOSE 8080
ENTRYPOINT ["/entrypoint.sh"]
CMD ["python", "nfoguard.py"]
