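# Backend image: installs the Python dependencies, copies the app code and
# runs it with uvicorn on port 8000 as the unprivileged user "appuser".
# NOTE(review): the tag is mutable; pinning the base image by digest would
# make rebuilds reproducible.
FROM python:3.12-slim

WORKDIR /app

# System dependencies.
# NOTE(review): gcc is presumably only needed to compile wheels during
# `pip install` — confirm. If so, a separate build stage would keep the
# compiler out of the runtime image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ffmpeg \
        gcc \
    && rm -rf /var/lib/apt/lists/*

# Non-root user for container hardening.
# (Synology DSM volumes carry ACLs, hence the chown on /data and /app below.)
RUN groupadd -r appuser -g 1000 && \
    useradd -r -u 1000 -g appuser -d /app -s /sbin/nologin appuser

# Python dependencies first, so this layer stays cached until
# requirements.txt changes.
COPY backend/requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Application code.
COPY backend/ .

# Central version file (read by main.py at startup).
COPY VERSION /app/VERSION

# Media directories and ownership for the unprivileged user.
RUN mkdir -p /data/media/dogs /data/media/diary /data/media/poison \
        /data/media/breeds/gallery /data/media/breeds/submissions && \
    chown -R appuser:appuser /app /data

USER appuser

EXPOSE 8000

# Which peers uvicorn trusts to set X-Forwarded-For / X-Forwarded-Proto.
# uvicorn reads $FORWARDED_ALLOW_IPS when --forwarded-allow-ips is not passed,
# so the value can be narrowed at deploy time without rebuilding the image,
# e.g. `docker run -e FORWARDED_ALLOW_IPS=<reverse-proxy-ip> ...`.
# The default "*" keeps the previous behaviour: headers are trusted from ANY
# peer. That is only sound when port 8000 is reachable exclusively through the
# reverse proxy. Otherwise a client can supply its own forwarded headers, and
# logs, rate limits or IP-based checks will see a forged address or scheme.
ENV FORWARDED_ALLOW_IPS="*"

CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--proxy-headers"]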