# ============================================================================
# THE IRON VAULT - Hardened Container Image
# ============================================================================
# This Dockerfile creates a security-hardened container for the FSAL service.
#
# Security features:
# - Non-root user execution
# - Read-only root filesystem (except /data) when started with --read-only (see usage notes below)
# - No login shell for the service user
# - Minimal attack surface (distroless-like)
# - Health checks enabled
# - Gunicorn process manager with multiple workers
# ============================================================================

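# Stage 1: Build
FROM python:3.12-slim-bookworm AS builder

WORKDIR /build

# Build dependencies. gcc is only useful for source-built C extensions if the
# C headers are present, and libc6-dev is merely a Recommends of gcc, so with
# --no-install-recommends it has to be listed explicitly. This stage is
# discarded, so nothing installed here reaches the runtime image.
RUN apt-get update && apt-get install -y --no-install-recommends \
    gcc \
    libc6-dev \
    && rm -rf /var/lib/apt/lists/*

# Self-contained virtualenv; the whole tree is copied into the runtime stage.
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

# Dependencies first, source later, so this layer stays cached until
# pyproject.toml changes. Installing `.` here resolves the project's declared
# dependencies; the package itself is reinstalled below once src/ exists.
# NOTE(review): uvicorn (needed for the UvicornWorker class used at runtime) is
# expected to come from pyproject.toml's dependencies — confirm. gunicorn is
# unpinned here; pin it for reproducible builds.
COPY pyproject.toml ./
RUN python -m pip install --no-cache-dir --upgrade pip && \
    python -m pip install --no-cache-dir . gunicorn

# Copy the source tree and install the package for real
COPY src/ src/
RUN python -m pip install --no-cache-dir .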


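# Stage 2: Runtime
FROM python:3.12-slim-bookworm AS runtime

# Security: dedicated service account with a fixed UID/GID (stable across
# rebuilds, usable for volume ownership) and no login shell.
RUN groupadd --gid 1000 fsal && \
    useradd --uid 1000 --gid fsal --shell /usr/sbin/nologin --create-home fsal

# Sandbox root; FSAL_ROOT below points here and it is the only path the
# service user needs to write to.
RUN mkdir -p /data && chown fsal:fsal /data

# Copy the pre-built virtualenv. It is intentionally left root-owned so the
# service user can execute but not modify the installed code.
COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

# Entry points: world-executable, root-writable only.
RUN chmod 755 /opt/venv/bin/*

# Service configuration (override with `docker run -e ...`)
ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    FSAL_HOST=0.0.0.0 \
    FSAL_PORT=4848 \
    FSAL_ROOT=/data \
    FSAL_REQUEST_TIMEOUT=30 \
    APERION_ENV=production

# Gunicorn settings
ENV GUNICORN_WORKERS=4 \
    GUNICORN_TIMEOUT=30 \
    GUNICORN_KEEPALIVE=5

# Switch to the non-root user. The numeric UID:GID form lets runtimes that
# enforce non-root execution (e.g. Kubernetes runAsNonRoot) verify it without
# resolving the name in /etc/passwd; it is the same fsal account created above.
USER 1000:1000
WORKDIR /home/fsal

# Documentation only: the service listens on FSAL_PORT (4848 by default).
EXPOSE 4848

# Health check. Shell form on purpose so FSAL_PORT expands and the probe keeps
# following the configured port; the explicit urlopen timeout stops a wedged
# server from holding the probe until --timeout kills it, and 127.0.0.1 avoids
# a localhost->::1 detour when the server is bound to an IPv4 address.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:${FSAL_PORT}/healthz', timeout=5)" || exit 1

# Run with Gunicorn + UvicornWorker for production
# - Multiple workers for fault tolerance and performance
# - Graceful timeout handling
# - Automatic worker restart on failure
# `sh -c` is needed for the ${VAR} expansion; `exec` replaces the shell so
# gunicorn is PID 1 and receives SIGTERM from `docker stop` directly, instead
# of relying on the shell's tail-exec optimisation for a graceful shutdown.
# Gunicorn writes worker heartbeat files under the system temp dir, so when
# the container runs with --read-only, /tmp must be a writable tmpfs.
CMD ["sh", "-c", "exec gunicorn aperion_fsal.service.app:app \
    --worker-class uvicorn.workers.UvicornWorker \
    --workers ${GUNICORN_WORKERS} \
    --bind ${FSAL_HOST}:${FSAL_PORT} \
    --timeout ${GUNICORN_TIMEOUT} \
    --keep-alive ${GUNICORN_KEEPALIVE} \
    --access-logfile - \
    --error-logfile - \
    --capture-output"]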

# ============================================================================
# Usage:
#   Build:  docker build -t aperion-fsal .
#   Run:    docker run -d -p 4848:4848 \
#             -e FSAL_TOKEN=your-secret-token \
#             -v /path/to/sandbox:/data \
#             aperion-fsal
#
# Security Notes:
# - ALWAYS set FSAL_TOKEN in production
# - Mount /data as read-write volume for sandbox
# - Consider running with --read-only --tmpfs /tmp
#
# Production Tuning:
# - Set GUNICORN_WORKERS based on CPU cores (2 * cores + 1)
# - Adjust GUNICORN_TIMEOUT for large file operations
# - Use --limit-request-line and --limit-request-field-size for request limits
# ============================================================================
