FROM python:3.11-slim

# Set working directory
WORKDIR /app

# Install system dependencies in a single layer and clean up
RUN apt-get update && apt-get install -y --no-install-recommends \
    sqlite3 curl gosu \
  && rm -rf /var/lib/apt/lists/* \
  && apt-get clean

# Create user early
RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m appuser

# Copy and install Python dependencies first (for better caching)
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt \
  && pip cache purge

# Copy application files
COPY nfoguard.py .
COPY core/ ./core/
COPY clients/ ./clients/
COPY VERSION .

# Set permissions
RUN mkdir -p /app/data && chown -R appuser:appuser /app

# Root-aware entrypoint
RUN echo '#!/bin/bash' > /entrypoint.sh && \
    echo 'set -euo pipefail' >> /entrypoint.sh && \
    echo '' >> /entrypoint.sh && \
    echo 'PUID=${PUID:-1000}' >> /entrypoint.sh && \
    echo 'PGID=${PGID:-1000}' >> /entrypoint.sh && \
    echo '' >> /entrypoint.sh && \
    echo 'if [ "$(id -u)" -eq 0 ]; then' >> /entrypoint.sh && \
    echo '  # running as root: we can adjust IDs and drop privileges' >> /entrypoint.sh && \
    echo '  groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser' >> /entrypoint.sh && \
    echo '  id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser' >> /entrypoint.sh && \
    echo '  usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true' >> /entrypoint.sh && \
    echo '  chown -R "$PUID:$PGID" /app || true' >> /entrypoint.sh && \
    echo '  exec gosu appuser "$@"' >> /entrypoint.sh && \
    echo 'else' >> /entrypoint.sh && \
    echo '  # not root (e.g., compose set user: 1000:1000) — just run' >> /entrypoint.sh && \
    echo '  exec "$@"' >> /entrypoint.sh && \
    echo 'fi' >> /entrypoint.sh

RUN chmod +x /entrypoint.sh

# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:8080/health || exit 1

EXPOSE 8080
ENTRYPOINT ["/entrypoint.sh"]
CMD ["python", "nfoguard.py"]

# Root-aware entrypoint
RUN echo '#!/bin/bash' > /entrypoint.sh && \
    echo 'set -euo pipefail' >> /entrypoint.sh && \
    echo '' >> /entrypoint.sh && \
    echo 'PUID=${PUID:-1000}' >> /entrypoint.sh && \
    echo 'PGID=${PGID:-1000}' >> /entrypoint.sh && \
    echo '' >> /entrypoint.sh && \
    echo 'if [ "$(id -u)" -eq 0 ]; then' >> /entrypoint.sh && \
    echo '  # running as root: we can adjust IDs and drop privileges' >> /entrypoint.sh && \
    echo '  groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser' >> /entrypoint.sh && \
    echo '  id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser' >> /entrypoint.sh && \
    echo '  usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true' >> /entrypoint.sh && \
    echo '  chown -R "$PUID:$PGID" /app || true' >> /entrypoint.sh && \
    echo '  exec gosu appuser "$@"' >> /entrypoint.sh && \
    echo 'else' >> /entrypoint.sh && \
    echo '  # not root (e.g., compose set user: 1000:1000) — just run' >> /entrypoint.sh && \
    echo '  exec "$@"' >> /entrypoint.sh && \
    echo 'fi' >> /entrypoint.sh
RUN chmod +x /entrypoint.sh

HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:8080/health || exit 1

EXPOSE 8080
ENTRYPOINT ["/entrypoint.sh"]
CMD ["python", "nfoguard.py"]
