# NOTE: The base image is pinned by digest to avoid version and environment
# differences; the tag is informational and the sha256 decides what is pulled.
FROM python:3.13-slim-bookworm@sha256:e4fa1f978c539608a10cdf74700ac32a3f719dfc6e8b6b6001da82deb36302a2

# Turn off Python's stdout/stderr buffering so log output appears immediately.
ENV PYTHONUNBUFFERED=1
# Build-time flag value. The default is a placeholder; presumably the real
# value is supplied with --build-arg when the remote instance is built.
# NOTE(review): ARG values consumed by later RUN steps are recorded in the
# image history, so anyone who can pull or inspect the built image can read
# the flag without touching the running service. Keep the real image private.
ARG FLAG="flag{*** run on remote ***}"

# Relative paths in the COPY and RUN steps below resolve under /app.
WORKDIR /app

# Install ImageMagick, Ghostscript and libmagic in a single layer, then drop the
# apt package lists in that same layer.
#
# The two sed edits deliberately weaken the packaged ImageMagick configuration:
#   1. policy.xml: deletes every line containing pattern="PS", "PS2", "PS3",
#      "EPS", "PDF" or "XPS" (presumably the distribution's entries that deny
#      those Ghostscript-backed coders; verify against the shipped file).
#   2. delegates.xml: rewrites every -dSAFER to -dNOSAFER, which switches off
#      Ghostscript's restricted mode in the delegate command lines.
# PostScript is a full programming language, so with both changes a document in
# one of those formats is interpreted without Ghostscript's file-access
# restrictions, under the account the service runs as. This looks intentional
# for the challenge; it must not be copied into any image that processes
# untrusted uploads.
#
# NOTE(review): sed exits 0 when nothing matches, so if a future package changes
# the file contents these edits silently become no-ops. The apt packages are
# also not version-pinned, so only the base image is reproducible, not the
# ImageMagick/Ghostscript versions installed on top of it.
RUN apt-get update \
    && apt-get install -y --no-install-recommends imagemagick ghostscript libmagic1 \
    && sed -i '/pattern="PS"/d;/pattern="PS2"/d;/pattern="PS3"/d;/pattern="EPS"/d;/pattern="PDF"/d;/pattern="XPS"/d' /etc/ImageMagick-6/policy.xml \
    && sed -i 's/-dSAFER/-dNOSAFER/g' /etc/ImageMagick-6/delegates.xml \
    && rm -rf /var/lib/apt/lists/*

# Copy the dependency manifest on its own so the pip layer is reused from cache
# until requirements.txt itself changes.
COPY requirements.txt .
# --no-cache-dir keeps pip's download cache out of the image layer.
# NOTE(review): requirements.txt is not visible here. If it lacks exact version
# pins, rebuilds can pull different dependency versions despite the pinned base
# image; pip's --require-hashes mode would close that gap.
RUN pip install --no-cache-dir -r requirements.txt

# Application code, startup script and templates. COPY without --chown leaves
# them owned by root, so the runtime user set below cannot modify them (unless
# the build context carries world-writable modes; confirm).
COPY app.py entrypoint.sh ./
COPY templates ./templates
# CMD executes the script directly, so it needs the executable bit.
RUN chmod +x /app/entrypoint.sh
# Store the flag in /flag-<hash>.txt, where <hash> is the first 32 hex
# characters of SHA-256 over the flag value (printf '%s' adds no trailing
# newline to the hashed input). The file name therefore depends on the flag
# itself and is not predictable from this Dockerfile alone.
# The step runs as root before USER is set, and chmod 444 makes the file
# read-only for every account, including the runtime user.
# NOTE(review): the default shell has no pipefail here, so a failure in printf
# or sha256sum is masked by cut's exit status and would yield "/flag-.txt".
RUN hash="$(printf '%s' "$FLAG" | sha256sum | cut -c1-32)" \
    && printf '%s\n' "$FLAG" > "/flag-$hash.txt" \
    && chmod 444 "/flag-$hash.txt"

# Drop root for the running container: everything from here on, including the
# service started by CMD, runs as the unprivileged www-data account.
USER www-data
# Exec (JSON-array) form: entrypoint.sh is started directly, not via /bin/sh -c.
# NOTE(review): entrypoint.sh is not shown; it should `exec` the server process
# so that signals from `docker stop` reach it. Confirm in the script.
CMD ["/app/entrypoint.sh"]
