AIM-Beyond-ChatGPT / Dockerfile
Update Dockerfile to enforce read-only mode for OpenAI API key secret
486baa7
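# Image for a Chainlit application (app.py) served on port 7860 as an
# unprivileged user.
#
# The base image is pinned by tag only. For reproducible builds, also pin it by
# digest: python:3.12-slim@sha256:<digest of the image you have vetted>.
FROM python:3.12-slim

# Install system dependencies.
# --no-install-recommends keeps optional packages out of the image, and the apt
# lists are removed in the same layer so they never persist.
# NOTE(review): build-essential is presumably needed to compile wheels from
# requirements.txt; it stays in the runtime image. Confirm it is required, or
# move the build into a separate stage so the compiler is not shipped.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
    && rm -rf /var/lib/apt/lists/*

# Set up a non-root user (fixed UID 1000) for the application to run as.
RUN useradd -m -u 1000 user

WORKDIR /home/user/app

# Copy requirements first so the dependency layer is rebuilt only when they change.
COPY ./requirements.txt .
# --no-cache-dir: do not leave pip's download cache in the layer.
RUN pip install --no-cache-dir -r requirements.txt

# Copy the application with correct ownership.
# NOTE(review): this copies the whole build context. Make sure a .dockerignore
# excludes .env files, .git and other local secrets so they are not baked in.
COPY --chown=user:user . .

# Create the directories the app writes to at runtime and hand them to the
# non-root user; the working directory itself was created by root.
RUN mkdir -p .chainlit/translations .files \
    && chown -R user:user .chainlit .files

# Switch to the non-root user after all root-only setup is done.
USER user
ENV HOME=/home/user \
    PATH=/home/user/.local/bin:$PATH

# OPENAI_API_KEY is deliberately not read at build time. A variable exported
# inside a RUN step lives only in that step's shell: it is not stored in the
# image and is not visible to CMD, so a `RUN --mount=type=secret ... export ...`
# step would only expose the key to the build without making it available to
# the app. Supply the key to the running container instead, as an environment
# variable or runtime secret (e.g. `docker run -e OPENAI_API_KEY ...`), and
# never bake it into the image with ENV or ARG.
# NOTE(review): assumes app.py reads OPENAI_API_KEY from the environment; confirm.

EXPOSE 7860
CMD ["chainlit", "run", "app.py", "--host", "0.0.0.0", "--port", "7860", "--headless"]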