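# Streamlit application image: installs system libraries, creates an
# unprivileged user, installs the Python requirements, and serves app.py on
# port 8501 as that user.
#
# NOTE(review): the base tag is not pinned to a digest, so rebuilds can pick up
# a different image. For reproducible builds pin it as
# python:3.10-slim@sha256:<digest-of-the-image-you-verified>.
FROM python:3.10-slim

# Install system dependencies; the apt lists are removed in the same layer so
# they do not persist in the image.
RUN apt-get update && apt-get install -y \
    build-essential \
    git \
    libgl1-mesa-glx \
    libglib2.0-0 \
    && rm -rf /var/lib/apt/lists/*

# Create a user with explicit UID 1000 (common for first non-root user)
RUN useradd -m -u 1000 appuser

# Set working directory
WORKDIR /app

# Create the cache and temp directories and hand /app to appuser.
# /app/tmp stays world-writable as before, but now carries the sticky bit
# (mode 1777, same as /tmp) so one UID cannot rename or delete files that
# another UID created there.
RUN mkdir -p /app/.triton /app/.torch_cache /app/tmp && \
    chmod 1777 /app/tmp && \
    chown -R appuser:appuser /app

# Point Triton/PyTorch caches and temporary files at directories under /app
# that the unprivileged user can write to.
ENV TRITON_CACHE_DIR=/app/.triton \
    TORCH_HOME=/app/.torch_cache \
    TORCHINDUCTOR_CACHE_DIR=/app/.torch_cache/inductor \
    TEMP=/app/tmp \
    TMP=/app/tmp \
    TMPDIR=/app/tmp

# Copy requirements first to leverage Docker cache
COPY requirements.txt .

# Install Python dependencies
RUN pip install --no-cache-dir -r requirements.txt

# Copy the rest of the application.
# NOTE(review): this copies the whole build context; confirm a .dockerignore
# keeps .git, .env files and other local secrets out of the image.
COPY . .

# Write the Streamlit server config and an empty credentials file (avoids the
# first-run e-mail prompt), then make sure everything under /app and the
# user's ~/.streamlit is owned by appuser. Done in a single layer; printf is
# used instead of echo because echo's handling of "\n" differs between shells.
#
# NOTE(review): enableCORS = false and enableXsrfProtection = false switch off
# Streamlit's CORS and XSRF protections while the server listens on 0.0.0.0.
# The values are kept as the author set them because the hosting setup may
# depend on them (TODO confirm). If browsers can reach this app directly
# rather than through a trusted proxy, set both back to true here and in CMD.
RUN mkdir -p /app/.streamlit /home/appuser/.streamlit && \
    printf '[server]\nheaderless = true\nenableCORS = false\nenableXsrfProtection = false\n' \
        > /app/.streamlit/config.toml && \
    printf '[general]\nemail = ""\n' \
        > /home/appuser/.streamlit/credentials.toml && \
    chown -R appuser:appuser /app /home/appuser/.streamlit

# Drop root for everything that runs in the container.
USER appuser

# Expose the port Streamlit runs on
EXPOSE 8501

# Run the application. The CORS/XSRF flags repeat what config.toml already
# sets (see the review note above); --server.maxUploadSize caps uploads at
# 50 MB.
CMD ["streamlit", "run", "app.py", "--server.address=0.0.0.0", "--server.enableCORS=false", "--server.enableXsrfProtection=false", "--server.maxUploadSize=50"]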