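# Streamlit app image with Hugging Face caches under /app, running as a
# non-root user (appuser, UID/GID 1000).
#
# Supply chain: the tag is pinned to a patch release but is still mutable.
# For reproducible production builds pin the digest as well, e.g.
#   FROM python:3.13.4-slim@sha256:<digest-of-the-image-you-verified>
FROM python:3.13.4-slim

# Cache locations for the Hugging Face libraries, plus the identity of the
# runtime user. HOME=/app makes `pip install --user` land in /app/.local.
ENV HF_HOME=/app/.cache/huggingface \
    TRANSFORMERS_CACHE=/app/.cache/transformers \
    HF_DATASETS_CACHE=/app/.cache/datasets \
    HUGGINGFACE_HUB_CACHE=/app/.cache/huggingface \
    PYTHONUNBUFFERED=1 \
    HOME=/app \
    TMPDIR=/tmp \
    USER=appuser \
    UID=1000 \
    GID=1000

WORKDIR /app

# OS packages. curl is needed at runtime by the HEALTHCHECK below.
# NOTE(review): build-essential and git look like build-time-only needs
# (compiling wheels / VCS requirements); if so, move them to a separate
# build stage so compilers do not ship in the runtime image - confirm
# against requirements.txt.
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        curl \
        git \
    && rm -rf /var/lib/apt/lists/*

# Dedicated unprivileged account; the numeric IDs come from ENV above.
RUN groupadd -g "$GID" "$USER" \
    && useradd -u "$UID" -g "$GID" -d /app -s /bin/bash "$USER"

# Create the cache/work directories and hand them to the runtime user.
# The directories are owned by the only account that writes to them, so
# 0755 is sufficient and nothing is made world-writable. /tmp itself is
# set to 1777: a recursive 777 would strip the sticky bit and let any user
# delete or replace other users' temp files.
# If the platform starts the container under an arbitrary UID, grant access
# through a shared group instead of mode 777.
RUN mkdir -p \
        /app/.cache/datasets \
        /app/.cache/huggingface/hub \
        /app/.cache/huggingface/transformers \
        /app/.cache/transformers \
        /app/.streamlit \
        /app/models \
        /tmp/datasets \
        /tmp/huggingface \
        /tmp/transformers \
    && chmod 1777 /tmp \
    && chmod -R 755 /app \
    && chown -R "$USER:$USER" \
        /app \
        /tmp/datasets \
        /tmp/huggingface \
        /tmp/transformers

# Everything from here on runs without root.
USER $USER

# Dependencies first, application source afterwards: a source-only change
# then reuses the cached dependency layer.
# NOTE(review): requirements.txt is not visible here; pin exact versions
# (ideally with hashes and `pip install --require-hashes`) so a rebuild
# cannot silently pull different code.
COPY --chown=$USER:$USER requirements.txt ./
RUN pip install --no-cache-dir --user -r requirements.txt

# Console scripts from the --user install (including `streamlit`).
ENV PATH="/app/.local/bin:$PATH"

COPY --chown=$USER:$USER src/ ./src/

# Startup wrapper: clears stale Hugging Face lock files, then execs
# streamlit so it receives SIGTERM from `docker stop` directly.
# No chmod at startup: ownership is fixed at build time and the process is
# not root, so widening permissions here would only weaken the image.
# NOTE(review): --server.enableXsrfProtection=false turns off Streamlit's
# XSRF protection. It is kept because the deployment may depend on it
# (e.g. an embedding proxy or iframe) - confirm, and drop the flag if not.
RUN printf '%s\n' \
        '#!/bin/bash' \
        'find /app/.cache/huggingface -name "*.lock" -type f -delete 2>/dev/null || true' \
        'find /tmp/huggingface -name "*.lock" -type f -delete 2>/dev/null || true' \
        '' \
        'exec streamlit run src/streamlit_app.py --server.enableXsrfProtection=false --server.port=8501 --server.address=0.0.0.0' \
        > /app/start.sh \
    && chmod +x /app/start.sh

# Streamlit's default port (documentation only; publish it at run time).
EXPOSE 8501

# Container is healthy while Streamlit's built-in health endpoint answers.
HEALTHCHECK CMD curl --fail http://localhost:8501/_stcore/health || exit 1

ENTRYPOINT ["/app/start.sh"]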