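# syntax=docker/dockerfile:1

# Use a slim, official Python image as the base.
# NOTE(review): consider pinning by digest (python:3.13-slim@sha256:<digest>) so
# rebuilds are reproducible.
FROM python:3.13-slim AS base

# Several RUN steps below pipe one command into another (curl | gpg, echo | tee,
# curl | python3). With the default /bin/sh -c only the last command's status is
# reported, so a failed download would still "succeed" and leave an empty keyring
# or a partial installer behind. pipefail makes any failure in the pipe fail the build.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Set environment variables for Python and Poetry
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    POETRY_VIRTUALENVS_CREATE=false \
    POETRY_NO_INTERACTION=1

# Install system dependencies and the HashiCorp apt repository (for the vault binary).
# The HashiCorp signing key is fetched over HTTPS, dearmored into a dedicated keyring,
# and the repo entry is bound to that key via [signed-by=...]. The second apt-get update
# and the install run in the same layer as the repo setup so the index is never stale.
# NOTE(review): build-essential and libpq-dev headers remain in this single-stage
# runtime image; a multi-stage build would keep the compiler toolchain out of it.
# TODO: pin the vault package version (apt-get install vault=<version>) for reproducibility.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
        curl \
        ffmpeg \
        gnupg \
        libpq-dev \
        lsb-release \
    && curl -fsSL https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list \
    && apt-get update \
    && apt-get install -y --no-install-recommends vault \
    && rm -rf /var/lib/apt/lists/*

# Install Poetry into a globally accessible location.
# TODO(review): this executes an unpinned remote installer. Pin the Poetry release
# through the installer's POETRY_VERSION variable (and ideally verify the script's
# checksum) so a rebuild cannot silently pick up a different Poetry.
ENV POETRY_HOME=/opt/poetry
RUN curl -sSL https://install.python-poetry.org | python3 -

# Add Poetry to the system's PATH for all users
ENV PATH="$POETRY_HOME/bin:$PATH"

# Set the working directory for the application (WORKDIR creates it, root-owned)
WORKDIR /app

# Create a non-root system user and group that will own and run the application
RUN addgroup --system app && adduser --system --group app

# Copy only dependency files first to leverage Docker's layer cache.
# --chown assigns ownership inside the COPY layer itself; a later `chown -R`
# would duplicate every file into an extra layer.
# NOTE: the poetry.lock* glob tolerates a missing lock file; without one the
# dependency resolution below is not reproducible.
COPY --chown=app:app pyproject.toml poetry.lock* /app/

# Copy the vault agent config and templates (consumed by the vault agent)
COPY /vault/vault-agent-config.hcl /etc/vault/agent-config.hcl
COPY /vault/db-admin-template.hcl /etc/vault/admin-template.hcl
COPY /vault/db-app-template.hcl /etc/vault/app-template.hcl
COPY --chown=app:app entrypoint.sh /app/entrypoint.sh

# Install Python dependencies into the system site-packages
# (POETRY_VIRTUALENVS_CREATE=false); --no-root skips installing the project itself.
RUN poetry install --no-ansi --no-root

# Copy the rest of the application source code, already owned by the app user
COPY --chown=app:app . /app

# Finish permissions WHILE STILL ROOT. /app itself is still root-owned from
# WORKDIR, and collectstatic below runs as 'app' and may need to create
# directories under it; both scripts are made executable in the same layer.
RUN chown app:app /app \
    && chmod +x /app/entrypoint.sh /app/setup.sh

# Make sure the secrets dir exists and is writable by the 'app' user
RUN install -d -o app -g app /vault/secrets

# --- Switch to the non-root user; everything from here on runs unprivileged ---
USER app

# Run collectstatic to gather all static files
RUN poetry run python manage.py collectstatic --no-input

# Expose the application port (documentation only; publishing happens at run time)
EXPOSE 8000

# Set the entrypoint script to run on container start. Exec form keeps the script
# as PID 1 so it receives SIGTERM from `docker stop`; the script should hand off
# with `exec "$@"` so the real process replaces it.
ENTRYPOINT ["/app/entrypoint.sh"]
# The CMD is passed from docker-compose.yml to the entrypoint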