# Multi-stage: webapp build (Next.js), Python builder, runtime.
# Single image for both dev and prod; Compose files differentiate behavior.

# --- Stage 1: webapp build (Next.js static export) ---
FROM node:20-slim AS webapp-builder
WORKDIR /webapp
COPY webapp-next/package.json webapp-next/package-lock.json* ./
RUN npm ci
COPY webapp-next/ ./
RUN npm run build

# --- Stage 2: builder (Python dependencies only) ---
FROM python:3.12-slim AS builder
WORKDIR /app
COPY pyproject.toml ./
COPY duty_teller/ ./duty_teller/
RUN pip install --no-cache-dir .

# --- Stage 3: runtime (minimal final image) ---
FROM python:3.12-slim

WORKDIR /app

# Install gosu (drop privileges in entrypoint) and curl (for HEALTHCHECK)
RUN apt-get update && apt-get install -y --no-install-recommends gosu curl \
    && rm -rf /var/lib/apt/lists/*

# Copy installed packages and console scripts from builder (no requirements.txt, no pip layer)
COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# Application code (duty_teller package + entrypoint, migrations, webapp)
ENV PYTHONPATH=/app
COPY main.py pyproject.toml entrypoint.sh ./
RUN chmod +x entrypoint.sh
COPY duty_teller/ ./duty_teller/
COPY alembic/ ./alembic/
COPY --from=webapp-builder /webapp/out ./webapp-next/out

# Create data dir; entrypoint runs as root, fixes perms for volume, then runs app as botuser
RUN adduser --disabled-password --gecos "" botuser \
    && mkdir -p /app/data && chown -R botuser:botuser /app

# Entrypoint runs as root: fix /app/data ownership (for volume mount), run migrations, then exec as botuser
ENTRYPOINT ["/bin/sh", "./entrypoint.sh"]
CMD ["python", "main.py"]

HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD curl -f http://localhost:8080/health || exit 1