# Image for a uvicorn-served app (app.py) that runs as the unprivileged
# "deployer" account and has git, rsync, curl and the Docker tooling available.
#
# NOTE(review): the base tag is floating (no patch version, no digest), so the
# resolved image can change between builds. Pin by digest for reproducible
# production builds.
FROM python:3.12-slim

# OS tools available to the app. The apt lists are removed in the same layer
# so they do not persist in the image.
# NOTE(review): docker.io is the distro's Docker package. The CMD below starts
# only uvicorn, so presumably just the client is used, against a daemon socket
# mounted in at run time. Confirm, and prefer a client-only package if the
# base distribution offers one.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        docker.io \
        git \
        rsync \
    && rm -rf /var/lib/apt/lists/*

# Runtime identity: UID 1026, primary GID 100, supplementary GID 65540.
# The first groupadd is allowed to fail because GID 100 is typically already
# taken ("users") on Debian-based images.
# NOTE(review): these IDs presumably mirror the host/NAS accounts that own the
# bind-mounted paths. Confirm against the deployment.
# NOTE(review): if GID 65540 is the group owning the host's Docker socket,
# membership is effectively root-equivalent on that host. Anything able to
# reach app.py then inherits that reach, so restrict and authenticate access
# to the service accordingly.
RUN groupadd --gid 100 nasusers 2>/dev/null || true \
    && groupadd --gid 65540 dockerhost \
    && useradd --uid 1026 --gid 100 --groups 65540 --create-home deployer

WORKDIR /app

# Dependency manifest first, so this layer stays cached until it changes.
# NOTE(review): requirements.txt is not visible here. Make sure it pins exact
# versions (ideally with hashes) so builds are repeatable.
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt

# Copied without --chown, so the file stays root-owned and the runtime user
# cannot rewrite the application code.
COPY app.py ./

# Drop privileges before the service starts. Everything above ran as root.
USER deployer

# Flush stdout/stderr immediately so container logs are not delayed.
ENV PYTHONUNBUFFERED=1

# Documentation only. The port is reachable only if published or if the
# container shares a network with the caller.
EXPOSE 9000

# Exec form: uvicorn is PID 1 and receives stop signals directly. It listens
# on every container interface. No TLS or authentication is configured at
# this layer, so whatever protection exists must come from app.py or from a
# proxy in front of it.
CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "9000"]
