# Use the official Python 3.9 image
FROM python:3.9

# 1. Set up system dependencies as ROOT (default)
RUN apt-get update && apt-get install -y \
    curl \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# 2. Install cloudflared as ROOT
RUN curl -fsSL https://pkg.cloudflare.com/cloudflare-public-v2.gpg \
    | tee /usr/share/keyrings/cloudflare-public-v2.gpg >/dev/null && \
    echo "deb [signed-by=/usr/share/keyrings/cloudflare-public-v2.gpg] https://pkg.cloudflare.com/cloudflared any main" \
    | tee /etc/apt/sources.list.d/cloudflared.list && \
    apt-get update && \
    apt-get install -y cloudflared && \
    rm -rf /var/lib/apt/lists/*

# 3. Now create the user and set up the environment
RUN useradd -m -u 1000 user
ENV HOME=/home/user \
    PATH=/home/user/.local/bin:$PATH

WORKDIR $HOME/app

# 4. Switch to the non-root user for app-specific tasks
USER user

# 5. Copy files and install Python requirements
COPY --chown=user . $HOME/app
RUN pip install --no-cache-dir --upgrade -r requirements.txt

# Expose port
EXPOSE 7860

# 6. Run the application
# Note: Using '&&' instead of '&' ensures the tunnel starts before the app, 
# or use a shell script if you need them to run truly in parallel.
CMD cloudflared tunnel run --token $CLOUDFLARED_TOKEN & python app.py