Dockerfile

# -------- Base Python with libs Blender needs (CPU headless) --------
FROM python:3.11-slim-bookworm

ENV DEBIAN_FRONTEND=noninteractive

# System deps for Blender GUI-less rendering
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates wget bzip2 xz-utils \
    libglib2.0-0 libx11-6 libxi6 libxxf86vm1 libxrender1 libxfixes3 \
    libxkbcommon0 libxrandr2 libasound2 libxinerama1 libsm6 libice6 \
    libgl1 libegl1 libglu1-mesa libdbus-1-3 libxcb1 \
    git curl \
 && rm -rf /var/lib/apt/lists/*

# Grab a local copy of model-viewer so we can inline it (no external script loads)
RUN mkdir -p /app/static && \
    wget -q -O /app/static/model-viewer.min.js \
      https://unpkg.com/@google/model-viewer/dist/model-viewer.min.js

# -------- Install official Blender (includes OpenImageDenoise) --------
ARG BLENDER_VERSION=4.1.1
ARG BLENDER_MAJOR=4.1
RUN wget -q https://download.blender.org/release/Blender${BLENDER_MAJOR}/blender-${BLENDER_VERSION}-linux-x64.tar.xz \
 && tar -xJf blender-${BLENDER_VERSION}-linux-x64.tar.xz -C /opt \
 && rm blender-${BLENDER_VERSION}-linux-x64.tar.xz \
 && ln -s /opt/blender-${BLENDER_VERSION}-linux-x64/blender /usr/local/bin/blender

# Pillow inside Blender's embedded Python (render.py imports PIL inside Blender)
RUN /opt/blender-${BLENDER_VERSION}-linux-x64/${BLENDER_MAJOR}/python/bin/python3.11 -m ensurepip && \
    /opt/blender-${BLENDER_VERSION}-linux-x64/${BLENDER_MAJOR}/python/bin/python3.11 -m pip install --no-cache-dir Pillow

# -------- Python deps (base) --------
WORKDIR /app
COPY requirements.txt /app/requirements.txt
RUN pip install --no-cache-dir -r requirements.txt

# -------- Fallback App code (used only if GIT_TOKEN/GIT_REPO not set) --------
COPY app.py render.py /app/

# -------- Runtime bootstrap to pull private repo safely --------
# Expects:
#   - Secret:   GIT_TOKEN
#   - Variable: GIT_REPO (e.g. owner/private-repo)
#   - Variable: GIT_REF  (optional, default "main")
#   - Variable: GIT_SUBDIR (optional, e.g. "apps/serviceA")
RUN set -eux; \
  cat > /usr/local/bin/start.sh << 'EOF'; \
#!/usr/bin/env bash
set -euo pipefail

export BLENDER_BIN="${BLENDER_BIN:-blender}"

TARGET_ROOT="/srv/app"
mkdir -p "$TARGET_ROOT"

REPO="${GIT_REPO:-}"
REF="${GIT_REF:-main}"
SUBDIR="${GIT_SUBDIR:-}"

use_bundled_fallback() {
  echo "[info] Using bundled /app fallback (no private repo configured)."
  rsync -a /app/ "${TARGET_ROOT}/"
  cd "${TARGET_ROOT}"
  exec python app.py
}

if [[ -z "${REPO}" ]] || [[ -z "${GIT_TOKEN:-}" ]]; then
  use_bundled_fallback
fi

echo "[info] Downloading ${REPO}@${REF} tarball from GitHub..."
ARCHIVE_URL="https://api.github.com/repos/${REPO}/tarball/${REF}"

# Download without leaking token into image layers (runtime only)
# Token is passed in header; -q to avoid verbose logs
if ! wget -q --header="Authorization: Bearer ${GIT_TOKEN}" -O /tmp/repo.tar.gz "${ARCHIVE_URL}"; then
  echo "[warn] Download failed; falling back to bundled app."
  use_bundled_fallback
fi

# Extract and normalize to TARGET_ROOT (strip top dir)
rm -rf "${TARGET_ROOT:?}/"*
tar -xzf /tmp/repo.tar.gz -C "${TARGET_ROOT}" --strip-components=1
rm -f /tmp/repo.tar.gz

if [[ -n "${SUBDIR}" ]]; then
  if [[ -d "${TARGET_ROOT}/${SUBDIR}" ]]; then
    TARGET_ROOT="${TARGET_ROOT}/${SUBDIR}"
  else
    echo "[warn] GIT_SUBDIR=${SUBDIR} not found in repo; continuing from repo root."
  fi
fi

# If the repo ships its own requirements, install them now
if [[ -f "${TARGET_ROOT}/requirements.txt" ]]; then
  echo "[info] Installing repo requirements..."
  pip install --no-cache-dir -r "${TARGET_ROOT}/requirements.txt"
fi

cd "${TARGET_ROOT}"

# Basic sanity check
if [[ ! -f "app.py" ]]; then
  echo "[warn] app.py not found in repo path; falling back to bundled app."
  use_bundled_fallback
fi

echo "[info] Starting app from private repo..."
exec python app.py
EOF
RUN chmod +x /usr/local/bin/start.sh

# Hugging Face Spaces env
ENV PORT=7860 \
    GRADIO_SERVER_NAME=0.0.0.0 \
    GRADIO_SERVER_PORT=7860 \
    BLENDER_BIN=blender

EXPOSE 7860
CMD ["/usr/local/bin/start.sh"]