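# Base image: the official Python 3.9 slim image.
# NOTE(review): for reproducible builds, pin a full patch tag plus digest
# (python:3.9.<PATCH>-slim@sha256:<DIGEST>), and confirm that 3.9 still
# receives upstream security fixes before shipping.
FROM python:3.9-slim

# --- Permission Fix Section ---
# Create a dedicated non-root user and group with a fixed UID/GID.
# 1000 is a common choice; make sure it matches the host if you bind-mount volumes.
RUN groupadd --gid 1000 appgroup && \
    useradd --uid 1000 --gid 1000 --create-home --shell /bin/bash appuser

# Home and application directories for that user.
ENV HOME=/home/appuser \
    APP_HOME=/home/appuser/app

# Put user-local bins on PATH in case later dependencies install there.
# Kept as its own ENV so that ${HOME} resolves to the value set above.
ENV PATH=${HOME}/.local/bin:$PATH

# Create the application directory owned by appuser from the start.
# WORKDIR alone would create it root-owned, which is what previously forced a
# recursive chown at the end of the build.
RUN mkdir -p "${APP_HOME}" && chown appuser:appgroup "${APP_HOME}"

WORKDIR ${APP_HOME}

# --- Dependency Installation ---
# Copy only the manifest first so the dependency layer stays cached until it changes.
# pip runs as root here, so packages land in the system site-packages and are
# not writable by appuser at runtime.
# NOTE(review): pin exact versions in requirements.txt (ideally with hashes and
# pip's --require-hashes) so a rebuild cannot silently pull different code.
COPY --chown=appuser:appgroup ./requirements.txt ${APP_HOME}/requirements.txt
RUN pip install --no-cache-dir -r "${APP_HOME}/requirements.txt"

# --- Application Code Copy ---
# Ownership is set during the copy itself. A later `RUN chown -R` would rewrite
# every file into a second layer and is unnecessary now that the directory and
# the manifest are already owned by appuser.
# Keep a .dockerignore next to this file (.git, .env, local virtualenvs, ...) so
# `COPY .` cannot bake credentials or repository history into the image.
# NOTE(review): this leaves the application code writable by the runtime user.
# If the app only writes to specific directories, prefer root-owned code and
# chown just those directories.
COPY --chown=appuser:appgroup . ${APP_HOME}

# --- User Switch ---
# Drop root before the process starts; everything below runs as appuser.
# Orchestrators that enforce "run as non-root" can only verify a numeric user,
# so set the UID (1000) in the runtime security context as well.
USER appuser

# --- Expose and Run ---
# Documentation only: the port Gunicorn listens on.
EXPOSE 7860

# Exec-form CMD so Gunicorn runs as PID 1 and receives stop signals directly.
# Binding 0.0.0.0 makes it reachable from outside the container; restrict
# exposure with the publish/ingress configuration, not here.
CMD ["gunicorn", "--bind", "0.0.0.0:7860", "--timeout", "120", "app:app"]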