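# Base image for the Flask/gunicorn service.
# NOTE(review): this tag moves whenever upstream rebuilds it; pin by digest
# (python:3.11-slim@sha256:<digest-placeholder>) when builds must be reproducible.
FROM python:3.11-slim

# Dedicated system account so the service never runs as root.
RUN groupadd -r appuser && useradd -r -g appuser appuser

WORKDIR /app

# Install dependencies (still as root) before copying the source, so this
# layer stays cached when only application files change.
# NOTE(review): the packages are unpinned, so each rebuild may resolve
# different versions. Prefer a requirements file with pinned versions,
# ideally installed with pip's --require-hashes.
RUN pip install --no-cache-dir Flask Jinja2 gunicorn

# Application code and templates.
COPY app.py ./
COPY templates/ ./templates/

# Hand /app to the service account. /tmp is deliberately left untouched: it
# already exists and is normally world-writable with the sticky bit, so the
# service can use it without owning it.
# NOTE(review): if the app never writes under /app, leaving the code
# root-owned would keep a compromised worker from modifying it.
RUN chown -R appuser:appuser /app

# Drop privileges for everything that follows, including the runtime process.
USER appuser

# Documentation only: EXPOSE does not publish the port.
EXPOSE 8080

# gunicorn listens on the container's loopback interface only. A port
# published from the host cannot reach a listener bound to 127.0.0.1 inside
# the container; only processes sharing this network namespace (for example a
# reverse-proxy sidecar, or host networking) can connect.
# NOTE(review): confirm that is the intended deployment.
# NOTE(review): --worker-connections has no effect with the sync worker class.
CMD ["gunicorn", "-b", "127.0.0.1:8080", "--workers", "2", "--worker-class", "sync", "--worker-connections", "1000", "--max-requests", "1000", "--max-requests-jitter", "100", "--timeout", "30", "--keep-alive", "2", "app:app"]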