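# Runtime image for the Node.js server: production dependencies only, an
# unprivileged service account, and one writable location (/data).
# NOTE(review): the base tag is mutable. Where reproducible builds matter, pin
# it by digest (node:20-bookworm-slim@sha256:<digest-from-your-registry>).
FROM node:20-bookworm-slim

ENV NODE_ENV=production

# Create the service account before any application files are added, so this
# layer is cached independently of source changes. The UID/GID are fixed
# numbers so a runtime policy can check for a non-root user by ID. Only /data
# is handed to the account.
RUN groupadd --system --gid 10001 meme \
  && useradd --system --uid 10001 --gid meme --home-dir /app --shell /usr/sbin/nologin meme \
  && mkdir -p /data \
  && chown meme:meme /data

WORKDIR /app

# Manifests first: the dependency layer is rebuilt only when they change.
COPY package.json package-lock.json ./
RUN npm ci --omit=dev --no-audit --no-fund && npm cache clean --force

# Application code and node_modules stay owned by root. The previous
# `chown -R meme:meme /data /app` re-wrote every file under /app into an extra
# layer and left the code writable by the account that runs it.
# Files keep the modes they have in the build context, so they must be
# world-readable there.
# NOTE(review): assumes the server writes only under DATA_DIR. If it needs
# another writable path, grant that one directory rather than all of /app.
COPY server.js ./server.js
COPY src ./src
COPY public ./public

USER meme
EXPOSE 8080

# Declared after /data was created and chowned, so that ownership is part of
# the image content at the volume path.
VOLUME ["/data"]

# Probe /healthz over loopback with Node's built-in fetch (no curl in the
# image). Exits 0 only for a 2xx response; any error or other status exits 1.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD node -e "fetch('http://127.0.0.1:8080/healthz').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"

ENV DATA_DIR=/data

# Exec form: node is started directly rather than through a shell.
CMD ["node", "server.js"]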
