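# -------- Base Python with libs Blender needs (CPU headless) --------
# NOTE: the start.sh heredoc further down needs a BuildKit-enabled builder.
FROM python:3.11-slim-bookworm

ENV DEBIAN_FRONTEND=noninteractive

# System deps for Blender GUI-less rendering
RUN apt-get update && apt-get install -y --no-install-recommends \
      ca-certificates wget bzip2 xz-utils \
      libglib2.0-0 libx11-6 libxi6 libxxf86vm1 libxrender1 libxfixes3 \
      libxkbcommon0 libxrandr2 libasound2 libxinerama1 libsm6 libice6 \
      libgl1 libegl1 libglu1-mesa libdbus-1-3 libxcb1 \
      git curl \
    && rm -rf /var/lib/apt/lists/*

# Grab a local copy of model-viewer so we can inline it (no external script loads)
# NOTE: the URL carries no version, so each build takes whatever release is
# current at build time. Pin a version in the URL and compare against a known
# digest if builds must be reproducible.
RUN mkdir -p /app/static && \
    wget -q -O /app/static/model-viewer.min.js \
      https://unpkg.com/@google/model-viewer/dist/model-viewer.min.js

# -------- Install official Blender (includes OpenImageDenoise) --------
ARG BLENDER_VERSION=4.1.1
ARG BLENDER_MAJOR=4.1
# Optional: expected SHA-256 of the Blender archive. Empty (the default) skips
# verification, which matches the previous behaviour; set it with
# --build-arg BLENDER_SHA256=<digest> to make the build fail on a mismatch.
ARG BLENDER_SHA256=""
RUN wget -q https://download.blender.org/release/Blender${BLENDER_MAJOR}/blender-${BLENDER_VERSION}-linux-x64.tar.xz \
    && if [ -n "${BLENDER_SHA256}" ]; then \
         echo "${BLENDER_SHA256}  blender-${BLENDER_VERSION}-linux-x64.tar.xz" | sha256sum -c -; \
       fi \
    && tar -xJf blender-${BLENDER_VERSION}-linux-x64.tar.xz -C /opt \
    && rm blender-${BLENDER_VERSION}-linux-x64.tar.xz \
    && ln -s /opt/blender-${BLENDER_VERSION}-linux-x64/blender /usr/local/bin/blender

# Pillow inside Blender's embedded Python (render.py imports PIL inside Blender)
RUN /opt/blender-${BLENDER_VERSION}-linux-x64/${BLENDER_MAJOR}/python/bin/python3.11 -m ensurepip && \
    /opt/blender-${BLENDER_VERSION}-linux-x64/${BLENDER_MAJOR}/python/bin/python3.11 -m pip install --no-cache-dir Pillow

# -------- Python deps (base) --------
WORKDIR /app
COPY requirements.txt /app/requirements.txt
RUN pip install --no-cache-dir -r requirements.txt

# -------- Fallback App code (used only if GIT_TOKEN/GIT_REPO not set) --------
COPY app.py render.py /app/

# -------- Runtime bootstrap to pull private repo safely --------
# Expects:
# - Secret: GIT_TOKEN
# - Variable: GIT_REPO (e.g. owner/private-repo)
# - Variable: GIT_REF (optional, default "main")
# - Variable: GIT_SUBDIR (optional, e.g. "apps/serviceA")
#
# The pulled repo's app.py and its requirements.txt are executed at start-up
# with the container's privileges (no USER is set in this file). Give GIT_TOKEN
# read-only access to that one repo, and prefer a commit SHA for GIT_REF so a
# moved branch cannot change what runs.
#
# The heredoc marker ends its line with no trailing "; \": a continuation
# there would fold the script's first lines into the RUN command instead of
# leaving them in the script body.
RUN set -eux; cat > /usr/local/bin/start.sh <<'EOF'
#!/usr/bin/env bash
# Container entry point: run the app from a private GitHub repo when GIT_REPO
# and GIT_TOKEN are both set, otherwise run the copy bundled in /app.
set -euo pipefail

export BLENDER_BIN="${BLENDER_BIN:-blender}"

TARGET_ROOT="/srv/app"
mkdir -p "$TARGET_ROOT"

REPO="${GIT_REPO:-}"
REF="${GIT_REF:-main}"
SUBDIR="${GIT_SUBDIR:-}"

# Copy the bundled app over TARGET_ROOT and exec it; never returns.
use_bundled_fallback() {
  echo "[info] Using bundled /app fallback (no private repo configured)."
  # cp -a rather than rsync: rsync is not among the packages this image installs.
  cp -a /app/. "${TARGET_ROOT}/"
  cd "${TARGET_ROOT}"
  exec python app.py
}

if [[ -z "${REPO}" ]] || [[ -z "${GIT_TOKEN:-}" ]]; then
  use_bundled_fallback
fi

echo "[info] Downloading ${REPO}@${REF} tarball from GitHub..."
ARCHIVE_URL="https://api.github.com/repos/${REPO}/tarball/${REF}"
# Unpredictable temp name instead of a fixed path under /tmp.
ARCHIVE="$(mktemp)"

# Download at runtime only, so the token never lands in an image layer.
# The Authorization header is fed to curl on stdin (-H @-); printf is a shell
# builtin, so the token does not show up in any process's argument list.
if ! printf 'Authorization: Bearer %s\n' "${GIT_TOKEN}" \
    | curl -fsSL -H @- -o "${ARCHIVE}" "${ARCHIVE_URL}"; then
  rm -f "${ARCHIVE}"
  echo "[warn] Download failed; falling back to bundled app."
  use_bundled_fallback
fi

# Extract and normalize to TARGET_ROOT (strip top dir)
rm -rf "${TARGET_ROOT:?}/"*
tar -xzf "${ARCHIVE}" -C "${TARGET_ROOT}" --strip-components=1
rm -f "${ARCHIVE}"

# Keep GIT_SUBDIR inside the extracted tree: a ".." component would move the
# working directory outside TARGET_ROOT.
case "/${SUBDIR}/" in
  */../*)
    echo "[warn] GIT_SUBDIR must not contain '..'; continuing from repo root."
    SUBDIR=""
    ;;
esac

if [[ -n "${SUBDIR}" ]]; then
  if [[ -d "${TARGET_ROOT}/${SUBDIR}" ]]; then
    TARGET_ROOT="${TARGET_ROOT}/${SUBDIR}"
  else
    echo "[warn] GIT_SUBDIR=${SUBDIR} not found in repo; continuing from repo root."
  fi
fi

# If the repo ships its own requirements, install them now
if [[ -f "${TARGET_ROOT}/requirements.txt" ]]; then
  echo "[info] Installing repo requirements..."
  pip install --no-cache-dir -r "${TARGET_ROOT}/requirements.txt"
fi

cd "${TARGET_ROOT}"

# Basic sanity check
if [[ ! -f "app.py" ]]; then
  echo "[warn] app.py not found in repo path; falling back to bundled app."
  use_bundled_fallback
fi

echo "[info] Starting app from private repo..."
exec python app.py
EOF

RUN chmod +x /usr/local/bin/start.sh

# Hugging Face Spaces env
ENV PORT=7860 \
    GRADIO_SERVER_NAME=0.0.0.0 \
    GRADIO_SERVER_PORT=7860 \
    BLENDER_BIN=blender

EXPOSE 7860
CMD ["/usr/local/bin/start.sh"]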