# utilisation-dept backend
# Decisions:
# - Use python:3.12-slim for small footprint with broad wheel availability.
# - Install tini in the image so PID 1 reaps zombies and forwards signals
#   (uvicorn + passlib bcrypt subprocesses behave better under tini).
# - Run as non-root `appuser`. /app/logs is chowned so the mounted volume
#   from docker-compose remains writable.
# - No HEALTHCHECK here — docker-compose.yml owns the healthcheck.

FROM python:3.12-slim AS base

ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    PIP_NO_CACHE_DIR=1 \
    PIP_DISABLE_PIP_VERSION_CHECK=1

# tini for clean PID 1 behaviour; libffi/openssl already in slim base.
RUN apt-get update \
    && apt-get install -y --no-install-recommends tini \
    && rm -rf /var/lib/apt/lists/*

# Non-root user
RUN groupadd --system appuser \
    && useradd --system --gid appuser --home /app --shell /usr/sbin/nologin appuser

WORKDIR /app

# Install deps first for better layer caching.
COPY requirements.txt /app/requirements.txt
RUN pip install --no-cache-dir -r /app/requirements.txt

# Copy app code
COPY app /app/app

# Ensure logs dir exists and is writable by appuser (compose mounts a volume here).
RUN mkdir -p /app/logs && chown -R appuser:appuser /app

USER appuser

EXPOSE 8000

ENTRYPOINT ["/usr/bin/tini", "--"]
CMD ["uvicorn", "app.main:app", \
     "--host", "0.0.0.0", \
     "--port", "8000", \
     "--workers", "1", \
     "--proxy-headers", \
     "--forwarded-allow-ips=*"]
