# withcache cache-host. Build context is the repo root:
#   podman build -f deploy/Containerfile -t withcache .
# (deploy/compose.yml sets the context for you.)
# Base image: CPython 3.12, "slim" variant.
# NOTE(review): the tag is mutable, so a rebuild can silently pick up a
# different image. For reproducible, auditable builds pin it by digest, e.g.
#   python:3.12-slim@sha256:<digest-you-verified>   (placeholder, not a real value)
FROM python:3.12-slim

# Install the package (no third-party deps) to get the withcache-server command.
# hatch_build.py is the wheel build hook (ships the shims); without it the build
# fails. No zig in this image, so the shims install as Python launchers, which
# is fine -- the container only runs withcache-server.
WORKDIR /app
# Only the build metadata and src/ are copied. The build context is the repo
# root, so naming paths explicitly (rather than `COPY . .`) keeps everything
# else in the checkout out of the image layers.
COPY pyproject.toml README.md hatch_build.py /app/
COPY src /app/src
# Runs before the USER instruction further down, i.e. as the base image's
# default user, so the installed files are not owned by the runtime account.
# --no-cache-dir keeps pip's download cache out of the layer.
# NOTE(review): presumably pip still fetches the build backend named in
# pyproject.toml from the package index at build time; that download is not
# version- or hash-pinned here -- confirm and pin if build reproducibility matters.
RUN pip install --no-cache-dir /app

# Run as non-root; /data is the persistent volume for blobs + sqlite.
# A fixed numeric UID (10001) gives the runtime account a stable identity, so
# host-side volume ownership and orchestrator non-root checks can refer to it.
# /data is created and chowned here, before VOLUME, so the ownership is part of
# the image.
# NOTE(review): /data is created with the default directory mode; since it also
# holds the session-signing key (see the comment below), consider whether it
# should be restricted to the owner -- TODO confirm.
RUN useradd --create-home --uid 10001 app \
 && mkdir -p /data && chown app:app /data
# Everything from here on, including the server process, runs as "app".
USER app

# EXPOSE is documentation only; it does not publish the port. 3000 is above
# 1024, so the non-root user can bind it without extra capabilities.
EXPOSE 3000
# NOTE(review): a bind mount over /data keeps the host directory's ownership
# and mode, not the chown above; the host path must be writable by UID 10001
# (mind UID mapping under rootless podman) -- verify in deploy/compose.yml.
VOLUME ["/data"]

# Set WITHCACHE_ADMIN_PASSWORD at run time to protect the operator UI.
# A session-signing key is persisted under /data automatically, or override
# with WITHCACHE_SESSION_SECRET.
# Supply both values at run time (environment / secret store of the runtime);
# do not bake them into the image with ENV or ARG, where they would be
# readable from the image metadata and history.
# NOTE(review): the ENTRYPOINT below binds 0.0.0.0, so the operator UI is
# reachable by anything that can reach the published port. What the server does
# when WITHCACHE_ADMIN_PASSWORD is unset is not visible here -- confirm it fails
# closed, or treat the password as mandatory in deployments.
# Because the signing key lives under /data, copies and backups of that volume
# should be handled as secret material.

# Liveness probe using only the Python standard library, so no extra HTTP
# client has to be installed in the image. It requests /healthz over loopback
# with a 2 s socket timeout and exits 0 only on HTTP 200; an exception (refused
# connection, timeout, HTTP error) ends the interpreter with a non-zero status,
# which also counts as unhealthy. --retries is not set, so the runtime's
# default applies.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s \
  CMD python -c "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:3000/healthz',timeout=2).status==200 else 1)"

# Exec (JSON-array) form: no shell wraps withcache-server, so it receives stop
# signals directly. Listening on 0.0.0.0 is needed for port publishing to work;
# restrict exposure at the publish/firewall level (e.g. publish on a specific
# host address) rather than here.
ENTRYPOINT ["withcache-server", "--host", "0.0.0.0", "--port", "3000", "--data-dir", "/data"]
