Dockerfile

# Use an official Python runtime as a parent image
# Using python:3.10-slim-bullseye for a Debian Bullseye based slim Python 3.10 environment
FROM python:3.10-slim-bullseye

# Set environment variables for Python, pip, and locale
ENV PYTHONUNBUFFERED 1
ENV PYTHONDONTWRITEBYTECODE 1
ENV PIP_NO_CACHE_DIR off
ENV PIP_DISABLE_PIP_VERSION_CHECK 1
ENV DEBIAN_FRONTEND=noninteractive
ENV LANG C.UTF-8
ENV LC_ALL C.UTF-8

# Install system dependencies (as root)
# build-essential for packages that might need to compile C code
# libffi-dev often needed by cryptography (common sub-dependency)
# curl is a generally useful utility
RUN apt-get update && apt-get install -y --no-install-recommends \
    ffmpeg \
    imagemagick \
    git \
    build-essential \
    libffi-dev \
    fonts-dejavu-core \
    fonts-liberation \
    libgl1-mesa-glx \
    libglib2.0-0 \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Modify ImageMagick policy.xml (as root)
# This is critical for TextClip and other ImageMagick-dependent features in MoviePy
RUN if [ -f /etc/ImageMagick-6/policy.xml ]; then \
        XML_FILE="/etc/ImageMagick-6/policy.xml"; \
        echo "INFO: Attempting to modify ImageMagick policy at $XML_FILE (v6)." ; \
    elif [ -f /etc/ImageMagick-7/policy.xml ]; then \
        XML_FILE="/etc/ImageMagick-7/policy.xml"; \
        echo "INFO: Attempting to modify ImageMagick policy at $XML_FILE (v7)." ; \
    else \
        XML_FILE=""; \
        echo "WARNING: ImageMagick policy.xml not found in /etc/ImageMagick-[67]/. MoviePy TextClip might fail." ; \
    fi && \
    if [ -n "$XML_FILE" ] && [ -f "$XML_FILE" ]; then \
        sed -i 's/<policy domain="path" rights="none" pattern="@\*"\/>/<!-- <policy domain="path" rights="none" pattern="@\*" \/> -->/' "$XML_FILE" && \
        sed -i 's/<policy domain="coder" rights="none" pattern="TEXT"\/>/<!-- <policy domain="coder" rights="none" pattern="TEXT" \/> -->/' "$XML_FILE" && \
        sed -i 's/<policy domain="coder" rights="none" pattern="LABEL"\/>/<!-- <policy domain="coder" rights="none" pattern="LABEL" \/> -->/' "$XML_FILE" && \
        sed -i 's/<policy domain="coder" rights="none" pattern="MVG"\/>/<!-- <policy domain="coder" rights="none" pattern="MVG" \/> -->/' "$XML_FILE" && \
        sed -i 's/<policy domain="coder" rights="none" pattern="MSL"\/>/<!-- <policy domain="coder" rights="none" pattern="MSL" \/> -->/' "$XML_FILE" && \
        sed -i 's/<policy domain="coder" rights="none" pattern="HTTPS"\/>/<!-- <policy domain="coder" rights="none" pattern="HTTPS" \/> -->/' "$XML_FILE" && \
        sed -i 's/<policy domain="coder" rights="none" pattern="HTTP"\/>/<!-- <policy domain="coder" rights="none" pattern="HTTP" \/> -->/' "$XML_FILE" && \
        echo "INFO: ImageMagick policy modifications applied to $XML_FILE." ; \
    else \
        echo "INFO: No ImageMagick policy file found to modify, or XML_FILE variable was empty." ; \
    fi

# Create a non-root user and group.
# Create home directory, .cache for pip, and .streamlit for Streamlit config.
RUN groupadd -r appgroup --gid 1000 && \
    useradd --no-log-init -r -g appgroup -u 1000 --create-home --shell /bin/bash appuser && \
    mkdir -p /home/appuser/.cache/pip && \
    mkdir -p /home/appuser/.streamlit && \
    chown -R appuser:appgroup /home/appuser

# Set Streamlit home directory to the one created for appuser
ENV STREAMLIT_HOME=/home/appuser/.streamlit
# Disable Streamlit telemetry using environment variable (alternative to CLI flag)
ENV BROWSER_GATHERUSAGEDATA=false

# Set the working directory for the application
WORKDIR /app

# Copy requirements.txt first to leverage Docker layer caching.
# Ensure appuser owns this file in its destination.
COPY --chown=appuser:appgroup requirements.txt .

# Switch to the non-root user to install Python packages
USER appuser
RUN pip install --no-cache-dir --upgrade pip && \
    echo "Attempting to install packages from requirements.txt as appuser..." && \
    pip install --user --no-cache-dir -r requirements.txt
    # If you still need streamlit-sortable from GitHub and it's NOT in requirements.txt:
    # echo "Attempting to install streamlit-sortable from GitHub as appuser..." && \
    # pip install --user --no-cache-dir git+https://github.com/okld/streamlit-sortable.git

# Add the user's local bin directory (where pip --user installs scripts) to PATH
# This ensures executables like 'streamlit' are found.
ENV PATH="/home/appuser/.local/bin:${PATH}"

# Switch back to root only for operations that require root privileges, like copying to system dirs
# For copying application code to /app, appuser should have write permission if WORKDIR is /app and /app is owned by appuser.
# However, using root for COPY and then chown is a common robust pattern.
USER root
COPY . .
# Ensure the entire /app directory and its contents are owned by appuser
RUN chown -R appuser:appgroup /app

# Create runtime directories as appuser (now that /app is owned by appuser)
USER appuser
RUN mkdir -p /app/temp_cinegen_media
RUN mkdir -p /app/assets/fonts # Ensure this exists, even if copied

# Optional: Copy custom fonts to a system-wide location if MoviePy/ImageMagick needs them there.
# This might require switching back to USER root temporarily for the cp and fc-cache.
# For now, relying on Pillow finding fonts in assets/ or system paths.
# USER root
# RUN if [ -d "/app/assets/fonts" ] && [ "$(ls -A /app/assets/fonts)" ]; then \
#         mkdir -p /usr/local/share/fonts/truetype/cinegen_custom && \
#         cp /app/assets/fonts/*.*tf /usr/local/share/fonts/truetype/cinegen_custom/ 2>/dev/null || true && \
#         fc-cache -fv && \
#         echo "INFO: Copied custom fonts to system and refreshed font cache."; \
#     else \
#         echo "INFO: No custom fonts found in /app/assets/fonts to copy system-wide." ; \
#     fi
# USER appuser # Switch back to appuser for runtime

# Expose the port Streamlit runs on
EXPOSE 8501

# Define the command to run the application as appuser
# The --browser.gatherUsageStats=false flag should work for Streamlit 1.13+
CMD ["streamlit", "run", "app.py", "--server.port=8501", "--server.address=0.0.0.0", "--browser.gatherUsageStats=false"]