FROM python:3.12-slim

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

WORKDIR /app

RUN apt-get update \
  && apt-get install -y --no-install-recommends ca-certificates \
  && rm -rf /var/lib/apt/lists/*

COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt

COPY server.py ./
COPY templates ./templates
COPY static ./static

RUN useradd -m appuser

# Ensure the mounted volume path is writable by the non-root user.
# (docker named volumes are typically owned by root by default)
RUN mkdir -p /data && chown -R appuser:appuser /data

USER appuser

EXPOSE 8000

CMD ["gunicorn", "-b", "0.0.0.0:8000", "server:app", "--workers", "2", "--threads", "4", "--access-logfile", "-", "--error-logfile", "-"]