# =========================
# 3) Production runtime
# =========================
FROM debian:bullseye-slim AS production

# Install only minimal runtime deps
RUN apt-get update && apt-get install -y \
    ca-certificates \
    tzdata \
    curl \
 && rm -rf /var/lib/apt/lists/*

# Create non-root user
RUN groupadd -r appuser && useradd -r -g appuser appuser

# Copy app binary from build
COPY --from=build /out/app /app

# Copy infra/config files (if your app reads config/templates from here)
COPY --from=migration /src/infra /infra

# Optionally copy migrations and migrate binary so you can run migrations
COPY --from=migration /go/bin/migrate /usr/local/bin/migrate
COPY --from=migration /src/migrations /migrations

# Permissions
RUN chown -R appuser:appuser /app /infra /migrations

# Env & timezone
ENV TZ=Asia/Jakarta

# Network
EXPOSE 3300

# Healthcheck
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
  CMD curl -fsS http://localhost:3300/health || exit 1

# Drop privileges
USER appuser

# Default entrypoint -> run the server
ENTRYPOINT ["/app"]