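# ═══════════════════════════════════════════════════════════════
# Personal Resource Library — Dockerfile
# Build with: docker build -t resource-library .
# ═══════════════════════════════════════════════════════════════

# ── Stage 1: dependency build (separate stage; the wheel layer is rebuilt
#    only when requirements.txt changes) ──
# NOTE(review): the base image is pinned by tag only. Pinning it by digest as
# well would keep a re-pushed tag from silently changing what gets built.
FROM python:3.12-slim AS builder

WORKDIR /build

# Build-time dependencies (cryptography and similar packages need gcc).
# These stay in the builder stage and never reach the runtime image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        default-libmysqlclient-dev \
        gcc \
        libffi-dev \
        libssl-dev \
        pkg-config \
    && rm -rf /var/lib/apt/lists/*

COPY requirements.txt .
# Build wheels into a wheel directory; the next stage installs them with
# pip install --no-index.
RUN pip wheel --no-cache-dir --wheel-dir /build/wheels -r requirements.txt

# ── Stage 2: runtime image (slim, no compilers) ──
FROM python:3.12-slim AS runtime

# Runtime system dependencies: libmagic is used for file-type detection,
# curl is used by the HEALTHCHECK below.
RUN apt-get update && apt-get install -y --no-install-recommends \
        curl \
        libmagic1 \
    && rm -rf /var/lib/apt/lists/*

# Create the non-root user the service runs as.
RUN groupadd -r appuser && useradd -r -g appuser appuser

WORKDIR /app

# Install the prebuilt wheels from the builder stage (offline, no network).
# The wheels are deleted in a later layer than the COPY, so they still take
# up space in the COPY layer of the final image.
COPY --from=builder /build/wheels /tmp/wheels
COPY requirements.txt .
RUN pip install --no-cache-dir --no-index --find-links /tmp/wheels -r requirements.txt \
    && rm -rf /tmp/wheels

# Install gunicorn (WSGI server) separately. Unlike the step above, this one
# fetches from the package index, and only gunicorn itself is version-pinned;
# anything it pulls in is resolved at build time.
RUN pip install --no-cache-dir gunicorn==23.0.0

# Copy the application code.
# Assumes a .dockerignore keeps .git, .env and other local secrets out of the
# build context (not visible here; confirm).
COPY . .

# Create the upload directories and hand /app to the runtime user.
# The directories are listed one by one because RUN uses /bin/sh, which on this
# Debian-based image does not perform brace expansion: a {text,image,...}
# pattern would create a single directory with that literal name instead.
# NOTE(review): chown -R also makes the application code writable by the
# runtime user. If the app only writes under the uploads tree, limiting the
# chown to that directory would keep the code read-only at runtime; confirm.
RUN mkdir -p \
        app/static/uploads/text \
        app/static/uploads/image \
        app/static/uploads/audio \
        app/static/uploads/video \
        app/static/uploads/temp \
    && chown -R appuser:appuser /app

# Copy the entrypoint script and make it executable. It lives outside /app and
# is copied after the chown, so it stays root-owned and appuser cannot modify it.
COPY docker/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Drop to the non-root user for everything that runs in the container.
USER appuser

# Declare the uploads directory as a volume (after it has been populated).
VOLUME ["/app/app/static/uploads"]

EXPOSE 5000

# Health check: probes the login page of the service on port 5000.
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
    CMD curl -f http://localhost:5000/auth/login || exit 1

ENTRYPOINT ["/entrypoint.sh"]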