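# Single-container image: nginx listens on 7860 and proxies to Streamlit (8501)
# and FastAPI (7861); supervisord starts all three as the unprivileged "appuser".
# NOTE(review): the tag floats across patch releases and base-image rebuilds;
# pin it by digest if reproducible builds are required.
FROM python:3.10-slim

# System deps — nginx added for reverse-proxying FastAPI + Streamlit
# --no-install-recommends keeps optional packages out of the image (smaller
# attack surface). poppler-utils only *recommends* poppler-data, so add that
# package explicitly if PDFs relying on its encoding data must be handled.
RUN apt-get update && apt-get install -y --no-install-recommends \
    libgl1 \
    libglib2.0-0 \
    libjpeg-dev \
    libpng-dev \
    libwebp-dev \
    nginx \
    poppler-utils \
    supervisor \
    tesseract-ocr \
    tesseract-ocr-eng \
    && rm -rf /var/lib/apt/lists/*

# Create non-root user (fixed UID so the runtime can verify it)
RUN useradd -m -u 1000 appuser

WORKDIR /app

# Install Python deps
# Copied before the source tree so this layer is rebuilt only when
# requirements.txt changes.
COPY requirements.txt .
RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir -r requirements.txt

# Copy app
# NOTE(review): this copies the whole build context; confirm a .dockerignore
# keeps .git, .env files and local databases out of the image.
COPY --chown=appuser:appuser . .

# nginx config — port 7860 routes /api/* → FastAPI:7861, else → Streamlit:8501
COPY nginx.conf /etc/nginx/nginx.conf
# nginx runs as appuser, so its log, temp-body and pid locations must be
# writable by that user.
# NOTE(review): /etc/nginx is handed to appuser as well, although nginx only
# needs to read its configuration; root-owned, world-readable config would be
# the least-privilege choice — confirm nothing writes there at runtime.
RUN mkdir -p /var/log/nginx /var/lib/nginx/body /run && \
    chown -R appuser:appuser /var/log/nginx /var/lib/nginx /run /etc/nginx

# Writable dirs
RUN mkdir -p /app/chroma_db /app/sample_docs /app/logs /tmp/chroma_db && \
    chown -R appuser:appuser /app/chroma_db /app/sample_docs /app/logs /tmp/chroma_db

# Supervisor config — runs nginx, Streamlit (8501), and FastAPI (7861)
# The config is generated at build time with printf; every line of the format
# string ends in "\n\" (a literal \n for printf plus a Dockerfile continuation).
# NOTE(review): Streamlit is started with XSRF protection and CORS checks
# disabled. That is a common workaround for running behind a proxy or inside
# an iframe; confirm it is actually required for this deployment.
# NOTE(review): Streamlit and uvicorn bind to 0.0.0.0, so 8501 and 7861 are
# reachable on the container network without passing through nginx (EXPOSE
# does not restrict this). If nginx.conf proxies to loopback, binding both to
# 127.0.0.1 would make nginx the only entry point.
RUN mkdir -p /app/supervisor && \
    printf '[supervisord]\n\
nodaemon=true\n\
logfile=/app/logs/supervisord.log\n\
pidfile=/app/logs/supervisord.pid\n\
\n\
[program:nginx]\n\
command=nginx -g "daemon off;"\n\
autostart=true\n\
autorestart=true\n\
stdout_logfile=/app/logs/nginx.log\n\
stderr_logfile=/app/logs/nginx_err.log\n\
\n\
[program:streamlit]\n\
command=streamlit run app.py --server.port=8501 --server.address=0.0.0.0 --server.headless=true --server.enableCORS=false --server.enableXsrfProtection=false --browser.gatherUsageStats=false\n\
directory=/app\n\
autostart=true\n\
autorestart=true\n\
stdout_logfile=/app/logs/streamlit.log\n\
stderr_logfile=/app/logs/streamlit_err.log\n\
\n\
[program:fastapi]\n\
command=uvicorn api:app --host=0.0.0.0 --port=7861\n\
directory=/app\n\
autostart=true\n\
autorestart=true\n\
stdout_logfile=/app/logs/fastapi.log\n\
stderr_logfile=/app/logs/fastapi_err.log\n\
' > /app/supervisor/supervisord.conf && \
    chown -R appuser:appuser /app/supervisor

# Drop root for everything that runs in the container.
USER appuser

# Only the nginx front door is part of the image's documented contract.
EXPOSE 7860

# Exec form: supervisord is PID 1 and receives stop signals directly.
CMD ["/usr/bin/supervisord", "-c", "/app/supervisor/supervisord.conf"]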