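# Production Dockerfile for WHOOSH Backend
#
# Two stages: "builder" installs the Python dependencies with a compiler
# toolchain available; the final stage carries only the runtime packages, the
# age binaries, the installed dependencies and the application code.
#
# NOTE(review): both FROM lines use a mutable tag. For reproducible production
# builds, pin the base by digest (python:3.11-slim@sha256:<digest-of-the-image-you-vetted>).

FROM python:3.11-slim AS builder

# Install build dependencies (needed only to build wheels; discarded with this stage)
RUN apt-get update && apt-get install -y \
        build-essential \
        curl \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Copy requirements and install dependencies.
# pip runs as root here, so --user places everything under /root/.local,
# which the production stage copies out as a single directory.
COPY requirements.txt .
RUN pip install --no-cache-dir --user -r requirements.txt

# Production stage
FROM python:3.11-slim

# Install runtime dependencies.
# NOTE(review): --no-install-recommends would shrink the image, but git's
# recommended packages appear to include the SSH client -- confirm the
# application does not rely on them before adding the flag.
RUN apt-get update && apt-get install -y \
        curl \
        git \
        postgresql-client \
        wget \
    && rm -rf /var/lib/apt/lists/*

# Install age encryption tools.
# The tarball comes from a pinned release URL, but a pinned URL is not an
# integrity guarantee. Pass the release's SHA-256 at build time
# (--build-arg AGE_SHA256=<sha256-of-age-v1.1.1-linux-amd64.tar.gz>) to have the
# download verified before anything is unpacked. The check is skipped with a
# warning when the argument is empty so existing builds keep working; CI for
# production images should always set it.
# The URL is amd64-only; a build for another platform would install
# binaries that cannot run there.
ARG AGE_SHA256=""
RUN wget -O /tmp/age.tar.gz https://github.com/FiloSottile/age/releases/download/v1.1.1/age-v1.1.1-linux-amd64.tar.gz \
    && if [ -n "${AGE_SHA256}" ]; then \
           echo "${AGE_SHA256}  /tmp/age.tar.gz" | sha256sum -c -; \
       else \
           echo "WARNING: AGE_SHA256 not set; age tarball was not integrity-checked" >&2; \
       fi \
    && tar -xzf /tmp/age.tar.gz -C /tmp \
    && install -m 0755 /tmp/age/age /usr/local/bin/age \
    && install -m 0755 /tmp/age/age-keygen /usr/local/bin/age-keygen \
    && rm -rf /tmp/age.tar.gz /tmp/age

# Create app user (system account; the service never runs as root)
RUN groupadd -r whoosh && useradd -r -g whoosh whoosh

WORKDIR /app

# Copy Python dependencies from builder.
# Left root-owned on purpose: the runtime user can import the packages but
# cannot modify them.
COPY --from=builder /root/.local /home/whoosh/.local

# Copy application code.
# This copies the entire build context. Keep a .dockerignore that excludes
# .git, .env files, age identity/key files and other local secrets, otherwise
# they end up in an image layer.
COPY --chown=whoosh:whoosh . .

# Create necessary directories.
# Everything copied above is already owned by whoosh, so only /app itself and
# the directories created here need their ownership set; a recursive chown
# would rewrite every file into a second layer for no change in ownership.
RUN mkdir -p /app/logs /app/templates && \
    chown whoosh:whoosh /app /app/logs /app/templates

# Set environment variables
ENV PYTHONPATH=/app \
    ENVIRONMENT=production \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PATH=/home/whoosh/.local/bin:$PATH

# Switch to non-root user
USER whoosh

# Expose port (documentation only; publishing is done at run time)
EXPOSE 8087

# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:8087/health || exit 1

# Start command (exec form, so uvicorn receives SIGTERM directly on stop)
CMD ["python", "-m", "uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8087", "--workers", "4"]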